RE: BIG PROBLEM (i think)

  • From: "Sachin Vaish \(VGL\)" <sachin.vaish@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 28 Apr 2003 14:54:51 +0100

Ok thanks guys.

I have now resolved the problem. It looks as though someone who knows ISA
has done this because it isn't easy to what has been done.

We have looked through the security audit and nothing seems suspicious.

Is there a way to find out who has done this by IP or to see if someone had
tried many attempts before getting, etc?

Thanks for your time, people.

Sachin Vaish
Vaioni Group Limited
t: 0870 160 0650
f: 0870 160 0651
http://www.vaioni.com 
32 Leslie Hough Way
Manchester
M6 6AJ

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx] 
Sent: 28 April 2003 12:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: BIG PROBLEM (i think)

http://www.ISAserver.org



Also, if possible, turn off Terminal Services on your ISA box and rename
your local and domain admin passwords if you have not already done this.

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx] 
Sent: Monday, April 28, 2003 7:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: BIG PROBLEM (i think)



If none of the administrators made the rule, then yes, some unauthorized
person has created it. Restart your server, and see if that clears the
rule now you have deleted it.

Steve


-----Original Message-----
From: sachin vaish [mailto:sachin.vaish@xxxxxxxxxx] 
Sent: Monday, April 28, 2003 8:11 AM
To: Isa List


Hi,

We have a problem. We have an ISA Server and all has been well until
yesterday where no user could access the internet. We don't know why or
what has happened but I may have a clue you may be able to shed some
light on.

Regardless of the type of user, they cannot access the internet. But via
the ISA Server we can browse to our hearts' content and access the server
via terminal services. Now here is the clue we have:

In "site and content rules" in ISA management there is a rule set up to
forward all traffic to a URL porn site. We have never seen this before.
When the users try and access the internet all they get is this URL
refreshing and refreshing. When they type in any other URL it says "page
cannot be displayed".

We have deleted the rule but still it is happening.
What does this mean? Has somebody hacked into our server?
How do I get rid of this URL and restore internet access again?

Regards


sachin :)

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/ Windows
Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
steve@xxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')



This E-Mail is confidential. It is not intended to be read, copied,
disclosed or used by any person other than the recipient. 


Unauthorised use, disclosure, or copying is strictly prohibited and may
be unlawful. Optimum Computer Solutions disclaims any liability for any
action taken in connection of this E-Mail. The comments or statements
expressed in this E-Mail are not necessarily those of Optimum Computer
Solutions or its subsidiaries or affiliates.

usermanager@xxxxxxxxxxxxxxx 





Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.

