I'm definitely with Shawn here. Our production network got hit from Blaster (OK, I've already paid my patch management penance) and I watched helpless as Sever's Alive converted all my nice Green lights to SERVER DOWN. Switches were blinking like an epileptic Christmas tree and I was doing a packet trace when that station RPC'd out and down. Had to take a laptop that was offline, connect it directly to the T1 router and do research on the problem and the solution. Got everthing back and repaired, and a good expereince in hindsight, but not fun at the time. Get a laptop that has the Windows firewall running and no exception and start doing a packet trace on an affect segment. Will help a lot in terms of figuring who's got what and how bad :) Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx] Sent: Thursday, May 05, 2005 1:02 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Being Attacked...HELPED http://www.ISAserver.org Seriously man, you gotta shut down your network. Better to have down time that you can just plug back in than to have down time that you have to restore from tape if things go way south. You should be able to (relatively quickly) look at some log files to see patterns in the traffic in order to identify offending machines. You might not even be able to get to your logs if your server(s) experience any kind of DoS attack if you don't pull your network. ----- Robert Bosch Corporation Technical Systems Analyst (RBNA/CSA1) Corporate Sales Reporting Systems 38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA phone: 1 (248) 553-1164 fax: 1 (248) 848-6969 shawn.quillman@xxxxxxxxxxxx http://www.bosch.us -----Original Message----- From: Clarke, Scott [mailto:Scott.Clarke@xxxxxxxxxxxx] Sent: Thursday, May 05, 2005 1:38 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Being Attacked...HELPED http://www.ISAserver.org How would I stop this...I know some machine may not be up to date with MS updates. Help!!! -----Original Message----- From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] Sent: Thursday, May 05, 2005 2:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Being Attacked...HELPED http://www.ISAserver.org Ok, then you probably have multiple switches/routers in your lan. Start pulling it apart and seeing if it comes back when you start hooking things up. If it does, unplug and keep going. If it's coming from all of the different segments, then good luck..... I hope you're not doing anything important tonight...... -----Original Message----- From: Clarke, Scott [mailto:Scott.Clarke@xxxxxxxxxxxx] Sent: Thursday, May 05, 2005 12:19 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Being Attacked...HELPED http://www.ISAserver.org Yikes! 200 + -----Original Message----- From: Steve Moffat [mailto:steve@xxxxxxxxxx] Sent: Thursday, May 05, 2005 2:26 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Being Attacked...HELPED http://www.ISAserver.org How many pc's in your lan? Shut them all down and start them up one by one. S -----Original Message----- From: Scott [mailto:scott.clarke@xxxxxxxxxxxx] Sent: Thursday, May 05, 2005 1:52 PM To: ISA Mailing List Subject: [isalist] Being Attacked...HELPED http://www.ISAserver.org I am seeing a lot of Trinoo, HTTP, and HTTP Cross Site scripting attacks. Both Trinoo and HTTP are coming from internal user machines and Cross site coming from 0.0.0.0 This only started happening recently...HELP!!! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: isalist@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx The correct technical term for haggis stalking is "havering". ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: scott.clarke@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tradtke@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: scott.clarke@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx