Re: 207.46.x.x in FWLog...

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 01 Jul 2004 06:58:15 -0700

Hi William,
- The fact that an IP fails to resolve to a name has no bearing on whether or 
not that IP is functional as a service (web, mail, pop, ftp, etc.); one has 
nothing to do with the other.

- Services running on a machine have no knowledge of or dependency on the 
client's ability to match a name with an IP or vice versa.

..I don't know how many more ways I can say it; you're chasing shadows, the 
wild geese are winning, your SEP glasses have failed you; you're making an ass 
of u and me...?

Until you have something more than client connections to a non-resolved IP, 
you're guessing.

The fact is, many web sites include IPs in their links (not arguing the 
stupidity of that here) and the internal clients will use that in their 
requests.

My BQOD for you is: "why are you allowing HTTP requests to pass by the web 
proxy servie unmolested?"

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 1 Jul 2004 08:10:36 +0200
 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Again, I hear you. But if an IP address fails to resolve (I.e. it is no
longer in use), how and why can a workstation decide to make numerous
attempts to talk to that IP Address. My theory is that these internal
workstations are infected with some worm or something that has hardcoded a
range of (previously-used) Microsoft IP Addresses, and now they are trying
to get out of my LAN and talk to that IP (maybe DoS it)

Am I way off?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: 01 July 2004 07:04 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...

http://www.ISAserver.org

Hi William,
I understand your concerns, but you're looking at it inside-out.
The FW logs don't (can't) show any traffic that generated an alert for
"spoof", "all port" or "all ip" scans; this will be in the IPext..log and
you must correlate it with the ISA log time difference in mind.

Just because an nslookup fails to return a record is NOT an indication of IP
usage; it's an indication of DNS maintenance habits by the upstream provider
and the subscriber.


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 1 Jul 2004 05:40:17 +0200
 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Hi Jim

I hear what you are saying, but I still don't have an enormously happy
feeling about those entries. I will check the Packet Filter logs and see
what I find. Fact remains that an nslookup on any of the 207.46.x.x
addresses fails, telling me that the IP's are in any case no longer in
use... And that in itself tells me there is something illegitimate about
this traffic I am seeing...

Thanks
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: 30 June 2004 08:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...

http://www.ISAserver.org

Those are not problem entries; they're normal HTTP traffic through the
Firewall service.
the IPEXT..log is the one that will show the problem packets.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, June 30, 2004 10:27
Subject: [isalist] Re: 207.46.x.x in FWLog...


http://www.ISAserver.org

Hi Jim,

Tried sending with 8kb text attachment but it never seemed to go through.
Trying again with content in the body of this e-mail (sorry for the
wrapping):
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352377
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352377
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352378
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, 16, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352378
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352379
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352379
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352380
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352380
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352393
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352393
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352394
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, 16, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352394
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352395
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103494, 4352395
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103494,
4352396
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352396
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352586
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352586
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352587
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352587
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352588
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352588
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352589
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352589
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352590
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352590
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352591
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352591
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352592
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352592
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -, 103507,
4352593
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352593

 
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: 30 June 2004 03:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...

http://www.ISAserver.org

Can you include some log snippets that show this traffic?
I'm betting that it's "late" return traffic.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Wed, 30 Jun 2004 14:55:42 +0200
 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Hi there

I am experiencing a general slowdown of internal network traffic every now
and then, so I thought I would check my FW Logs as anything trying to get
out of my company will be recorded there.

What I have found is that there are a multitude of PC's out there (with no
apparent commonality) that try to make contact with the following IP Address
- 207.46.197.121

Naturally the 207.46.x.x range belongs to Microsoft so my thought is that it
may be a symptom of some lingering worm or something, but I'm damned if I
can find any more about it.

Does anyone have any insight on the worms/viruses/trojans etc that would
want to perform some sort of DoS on MS via the abovementioned IP Address? Or
am I barking up the wrong tree...

Thanks
William R.

---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official 
business of Columbus Stainless is proprietary to the company. It is 
confidential, legally privileged and protected by law. Columbus 
Stainless does not own and endorse any other content. Views and 
opinions are those of the sender unless clearly stated as being that 
of Columbus Stainless. The person addressed in the e-mail is the sole 
authorised recipient.  Please notify the sender immediately if it has 
unintentionally reached you and do not read, disclose or use the 
content in any way. Whilst all reasonable steps are taken to ensure 
the accuracy and integrity of information and data transmitted 
electronically and to preserve the confidentiality thereof, no 
liability or responsibility whatsoever is accepted if information or 
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official 
business of Columbus Stainless is proprietary to the company. It is 
confidential, legally privileged and protected by law. Columbus 
Stainless does not own and endorse any other content. Views and 
opinions are those of the sender unless clearly stated as being that 
of Columbus Stainless. The person addressed in the e-mail is the sole 
authorised recipient.  Please notify the sender immediately if it has 
unintentionally reached you and do not read, disclose or use the 
content in any way. Whilst all reasonable steps are taken to ensure 
the accuracy and integrity of information and data transmitted 
electronically and to preserve the confidentiality thereof, no 
liability or responsibility whatsoever is accepted if information or 
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official 
business of Columbus Stainless is proprietary to the company. It is 
confidential, legally privileged and protected by law. Columbus 
Stainless does not own and endorse any other content. Views and 
opinions are those of the sender unless clearly stated as being that 
of Columbus Stainless. The person addressed in the e-mail is the sole 
authorised recipient.  Please notify the sender immediately if it has 
unintentionally reached you and do not read, disclose or use the 
content in any way. Whilst all reasonable steps are taken to ensure 
the accuracy and integrity of information and data transmitted 
electronically and to preserve the confidentiality thereof, no 
liability or responsibility whatsoever is accepted if information or 
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 07-2004