RE: BIG PROBLEM (i think)

  • From: "Sachin Vaish \(VGL\)" <sachin.vaish@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 29 Apr 2003 08:40:53 +0100

Thanks for that.

Regards

Sachin Vaish
Vaioni Group Limited
t: 0870 160 0650
f: 0870 160 0651
http://www.vaioni.com 
32 Leslie Hough Way
Manchester
M6 6AJ

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 29 April 2003 02:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: BIG PROBLEM (i think)

http://www.ISAserver.org


Hi Sachin,

I would try to correlate the entries in the security event log with the
time when the Web site in question appears in the Web proxy logs. You'll
see who logged in at around the time before the Web site in question
begins to show up in your logs. I would also "crater" that ISA Server
and rebuild it, because it's clear that the machine has been compromised.
I'd check to see who has access to that machine and make sure those
people are checked out and passwords are changed.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



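The correlation Tom describes (find the first Web proxy log entry for the unwanted site, then look at who logged on to the ISA Server shortly before it) can be scripted once the two logs are exported. The following is an added example, not code from the original thread or from ISA Server. The ISA W3C log excerpt uses a reduced, assumed field set (`c-ip cs-username date time r-host cs-uri`; real ISA logs carry more columns but the `#Fields:` directive drives the parser either way), the Security log rows are constructed stand-ins for an event-log export (event 528, successful logon), and `redirect.invalid` stands in for the site named in the rule.

```python
"""Correlate Security log logons with the first appearance of a suspicious
destination in ISA Server Web proxy logs.

Added example; not from the original thread.  All log data below is
constructed: the proxy log uses a reduced W3C field set and the security
log rows are simplified stand-ins for an exported event log.
"""
from datetime import datetime, timedelta

# Constructed ISA Server Web proxy log excerpt (W3C extended format).
PROXY_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Fields: c-ip cs-username date time r-host cs-uri
10.0.0.21 DOMAIN\\alice 2003-04-27 08:02:11 www.example.com http://www.example.com/
10.0.0.33 DOMAIN\\bob 2003-04-27 08:05:40 www.example.com http://www.example.com/news
10.0.0.21 DOMAIN\\alice 2003-04-27 09:31:02 redirect.invalid http://redirect.invalid/
10.0.0.33 DOMAIN\\bob 2003-04-27 09:31:05 redirect.invalid http://redirect.invalid/
10.0.0.33 DOMAIN\\bob 2003-04-27 09:31:07 redirect.invalid http://redirect.invalid/
"""

# Constructed Security log export: (timestamp, event id, account, source).
# Event 528 is "Successful Logon" on Windows 2000.
SECURITY_LOG = [
    ("2003-04-27 07:55:00", 528, "DOMAIN\\admin1", "ISA01"),
    ("2003-04-27 09:12:44", 528, "DOMAIN\\svc_backup", "10.0.0.250"),
    ("2003-04-27 09:28:19", 528, "DOMAIN\\admin2", "203.0.113.7"),
    ("2003-04-27 11:00:00", 528, "DOMAIN\\admin1", "ISA01"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Parse a W3C extended log.  The '#Fields:' directive names the columns;
    other '#' lines are directives to skip; data lines are space separated
    values in the declared order.  Each entry gets a parsed 'timestamp'."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        entry = dict(zip(fields, values))
        entry["timestamp"] = datetime.strptime(
            entry["date"] + " " + entry["time"], TIME_FMT)
        entries.append(entry)
    return entries


def first_seen(entries, host):
    """Timestamp of the earliest proxy entry whose destination host matches,
    or None if the host never appears."""
    hits = (e["timestamp"] for e in entries
            if e.get("r-host", "").lower() == host.lower())
    return min(hits, default=None)


def logons_before(security_log, when, window):
    """Successful logons (event 528) in the window ending at `when`,
    most recent first.  These are the sessions to account for."""
    out = []
    for ts, event_id, user, source in security_log:
        t = datetime.strptime(ts, TIME_FMT)
        if event_id == 528 and when - window <= t <= when:
            out.append({"time": t, "user": user, "source": source})
    out.sort(key=lambda r: r["time"], reverse=True)
    return out


def correlate(proxy_text, security_log, host, window=timedelta(minutes=30)):
    """Return the first sighting of `host` in the proxy log and the logons
    that preceded it within `window`."""
    t0 = first_seen(parse_w3c(proxy_text), host)
    if t0 is None:
        return {"first_seen": None, "suspects": []}
    return {"first_seen": t0,
            "suspects": logons_before(security_log, t0, window)}


if __name__ == "__main__":
    result = correlate(PROXY_LOG, SECURITY_LOG, "redirect.invalid")
    print("first hit:", result["first_seen"])
    for r in result["suspects"]:
        print(r["time"], r["user"], "from", r["source"])
```

The 30 minute window is a starting point; widen it if the rule could have been created well before the first client hit it, and treat a logon from an unfamiliar source address (here `203.0.113.7`) as the first account to reset, as Tom suggests.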
-----Original Message-----
From: sachin vaish [mailto:sachin.vaish@xxxxxxxxxx] 
Sent: Monday, April 28, 2003 6:11 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] BIG PROBLEM (i think)


Hi,

We have a problem. We have an ISA Server and all has been well until
yesterday, when no user could access the internet. We don't know why or
what has happened, but I may have a clue you may be able to shed some
light on.

Regardless of the type of user, they cannot access the internet. But via
the ISA Server we can browse to our hearts content and access the server
via terminal services. Now here is the clue we have:

In "site and content rules" in ISA management there is a rule set up to
forward all traffic to a URL porn site. We have never seen this before.
When the users try and access the internet all they get is this URL
refreshing and refreshing. When they type in any other URL it says "page
cannot be displayed".

We have deleted the rule but still it is happening.
What does this mean? Has somebody hacked into our server?
How do I get rid of this URL and restore internet access again?

Regards


sachin :)

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
