Ok thanks guys. I have now resolved the problem. It looks as though someone who knows ISA has done this because it isn't easy to do what has been done. We have looked through the security audit and nothing seems suspicious.

Is there a way to find out who has done this by IP or to see if someone had tried many attempts before getting, etc?

Thanks for your time, people.

Sachin Vaish
Vaioni Group Limited
t: 0870 160 0650
f: 0870 160 0651
http://www.vaioni.com
32 Leslie Hough Way
Manchester M6 6AJ

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: 28 April 2003 12:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: BIG PROBLEM (i think)

http://www.ISAserver.org

Also, if possible, turn off Terminal Services on your ISA box and rename your local and domain admin passwords if you have not already done this.

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
Sent: Monday, April 28, 2003 7:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: BIG PROBLEM (i think)

http://www.ISAserver.org

If none of the administrators made the rule, then yes, some unauthorized person has created it. Restart your server, and see if that clears the rule now you have deleted it.

Steve

-----Original Message-----
From: sachin vaish [mailto:sachin.vaish@xxxxxxxxxx]
Sent: Monday, April 28, 2003 8:11 AM
To: Isa List

http://www.ISAserver.org

Hi,

We have a problem. We have an ISA Server and all has been well until yesterday where no user could access the internet. We don't know why or what has happened but I may have a clue you may be able to shed some light on.

Regardless of the type of user, they cannot access the internet. But via the ISA Server we can browse to our hearts' content and access the server via terminal services.

Now here is the clue we have: In "site and content rules" in ISA management there is a rule set up to forward all traffic to a URL porn site. We have never seen this before.
When the users try and access the internet all they get is this URL refreshing and refreshing. When they type in any other URL it says "page cannot be displayed".

We have deleted the rule but still it is happening. What does this mean? Has somebody hacked into our server? How do I get rid of this URL and restore internet access again?

Regards
sachin :)

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: steve@xxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

This E-Mail is confidential. It is not intended to be read, copied, disclosed or used by any person other than the recipient. Unauthorised use, disclosure, or copying is strictly prohibited and may be unlawful. Optimum Computer Solutions disclaims any liability for any action taken in connection of this E-Mail. The comments or statements expressed in this E-Mail are not necessarily those of Optimum Computer Solutions or its subsidiaries or affiliates.
usermanager@xxxxxxxxxxxxxxx

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.