Re: 207.46.x.x in FWLog...
- From: "Jim Harrison" <jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Jul 2004 10:57:42 -0700
Sorry, William; that statement is also incorrect.
This log entry(among many others) indicates that your ISA made a successful
connection to the remote server:
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!
----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 01, 2004 07:39
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Hi Jim
I haven't edited anything and am logging everything, but the actual IP
Address is not reachable so that is why I assume there are no user
credentials (because every initial attempt to a website appears as ANONYMOUS
- as I think I have learned), and because the first attempt isn't successful
(because that IP isn't available), it just tries a few more times and then
quits, until later that is, when it just tries again...
I have run SpyBot on a few of these PC's and the most common "bugs" it found
are Hotbar, Alexa Related & DSO Exploit. There are a lot more but these
appear common to most.
Cheers
William R.
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 01 July 2004 04:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Unless you've edited the log data (or you're not logging it (why not?)),
you're not restricting access by users / groups, since there is no user data
in the logs.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
On Thu, 1 Jul 2004 15:05:47 +0200
"William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org
I'm sure there are quite a few users out there who have configured it, but I
actually control access within ISA to only allow certain users. Your
thoughts...?
-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: 01 July 2004 02:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Do you use windows messenger??
-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 12:40 AM
To: Isa Weblist
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Hi Jim
I hear what you are saying, but I still don't have an enormously happy
feeling about those entries. I will check the Packet Filter logs and see
what I find. Fact remains that an nslookup on any of the 207.46.x.x
addresses fails, telling me that the IP's are in any case no longer in
use... And that in itself tells me there is something illegitimate about
this traffic I am seeing...
Thanks
William R.
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 30 June 2004 08:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Those are not problem entries; they're normal HTTP traffic through the
Firewall service.
the IPEXT..log is the one that will show the problem packets.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!
----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, June 30, 2004 10:27
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Hi Jim,
Tried sending with 8kb text attachment but it never seemed to go
through.
Trying again with content in the body of this e-mail (sorry for the
wrapping):
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352377
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352377
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352378
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, 16, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -,
-,
103494, 4352378
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352379
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352379
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352380
160.115.4.7, -, -, N, 6/30/2004, 15:23:06, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352380
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352393
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352393
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352394
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, 16, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -,
-,
103494, 4352394
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352395
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103494, 4352395
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103494,
4352396
160.115.4.7, -, -, N, 6/30/2004, 15:23:20, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20001, 0, -, -,
103494, 4352396
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352586
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352586
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352587
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352587
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352588
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352588
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352589
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.249.56, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352589
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352590
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352590
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352591
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352591
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352592
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352592
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, 0, -, -,
103507,
4352593
160.115.43.2, -, -, N, 6/30/2004, 15:28:48, fwsrv, FIREWALL1, -, -,
207.46.197.59, 80, -, 0, 590, 80, TCP, Connect, -, -, -, 20000, 0, -, -,
103507, 4352593
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 30 June 2004 03:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 207.46.x.x in FWLog...
http://www.ISAserver.org
Can you include some log snippets that show this traffic?
I'm betting that it's "late" return traffic.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
On Wed, 30 Jun 2004 14:55:42 +0200
"William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org
Hi there
I am experiencing a general slowdown of internal network traffic every
now
and then, so I thought I would check my FW Logs as anything trying to
get
out of my company will be recorded there.
What I have found is that there are a multitude of PC's out there (with
no
apparent commonality) that try to make contact with the following IP
Address
- 207.46.197.121
Naturally the 207.46.x.x range belongs to Microsoft so my thought is
that it
may be a symptom of some lingering worm or something, but I'm damned if
I
can find any more about it.
Does anyone have any insight on the worms/viruses/trojans etc that would
want to perform some sort of DoS on MS via the abovementioned IP
Address? Or
am I barking up the wrong tree...
Thanks
William R.
---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official
business of Columbus Stainless is proprietary to the company. It is
confidential, legally privileged and protected by law. Columbus
Stainless does not own and endorse any other content. Views and
opinions are those of the sender unless clearly stated as being that
of Columbus Stainless. The person addressed in the e-mail is the sole
authorised recipient. Please notify the sender immediately if it has
unintentionally reached you and do not read, disclose or use the
content in any way. Whilst all reasonable steps are taken to ensure
the accuracy and integrity of information and data transmitted
electronically and to preserve the confidentiality thereof, no
liability or responsibility whatsoever is accepted if information or
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official
business of Columbus Stainless is proprietary to the company. It is
confidential, legally privileged and protected by law. Columbus
Stainless does not own and endorse any other content. Views and
opinions are those of the sender unless clearly stated as being that
of Columbus Stainless. The person addressed in the e-mail is the sole
authorised recipient. Please notify the sender immediately if it has
unintentionally reached you and do not read, disclose or use the
content in any way. Whilst all reasonable steps are taken to ensure
the accuracy and integrity of information and data transmitted
electronically and to preserve the confidentiality thereof, no
liability or responsibility whatsoever is accepted if information or
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
steve@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
This E-Mail is confidential. It is not intended to be read, copied,
disclosed or used by any person other than the recipient named above.
Unauthorised use, disclosure, or copying is strictly prohibited and may be
unlawful. Optimum IT Solutions disclaims any liability for any action taken
in connection of this E-Mail. The comments or statements expressed in this
E-Mail are not necessarily those of Optimum IT Solutions or its subsidiaries
or affiliates.
administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official
business of Columbus Stainless is proprietary to the company. It is
confidential, legally privileged and protected by law. Columbus
Stainless does not own and endorse any other content. Views and
opinions are those of the sender unless clearly stated as being that
of Columbus Stainless. The person addressed in the e-mail is the sole
authorised recipient. Please notify the sender immediately if it has
unintentionally reached you and do not read, disclose or use the
content in any way. Whilst all reasonable steps are taken to ensure
the accuracy and integrity of information and data transmitted
electronically and to preserve the confidentiality thereof, no
liability or responsibility whatsoever is accepted if information or
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official
business of Columbus Stainless is proprietary to the company. It is
confidential, legally privileged and protected by law. Columbus
Stainless does not own and endorse any other content. Views and
opinions are those of the sender unless clearly stated as being that
of Columbus Stainless. The person addressed in the e-mail is the sole
authorised recipient. Please notify the sender immediately if it has
unintentionally reached you and do not read, disclose or use the
content in any way. Whilst all reasonable steps are taken to ensure
the accuracy and integrity of information and data transmitted
electronically and to preserve the confidentiality thereof, no
liability or responsibility whatsoever is accepted if information or
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Other related posts:
