Re: Can anybody here me with IPPEXTD logs

  • From: "cismic" <cismic@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 25 Feb 2004 03:03:23 -0800

Hi Paul,
The way the logs are layed out will show your ISA IP address first then the
IP Address of the site that was attempting to talk to your site.  In this
case most are UDP transports using ports 2629, 2630 etc. They were
attempting access to TCP transport 137. Which is a good thing.  ISA blocked
those.  Read up on NETBIOS and directory traversal vulnerabilities.

HTH,
Joseph

----- Original Message ----- 
From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 25, 2004 2:05 AM
Subject: [isalist] Can anybody here me with IPPEXTD logs


http://www.ISAserver.org

I am getting the following appearing in my IPPEXTD logs.

The first IP address is my external IP address of the ISA server and the
second address changes. What is causing this?

2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2629
137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 91 00 00 80 11 00 00 c3 9d 37
fa 42 97 96 21 0a 45 00 89 00 3a 2e ed
2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2630
137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 92 00 00 80 11 00 00 c3 9d 37
fa 42 97 96 21 0a 46 00 89 00 3a 2e ea
2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2631
137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 93 00 00 80 11 00 00 c3 9d 37
fa 42 97 96 21 0a 47 00 89 00 3a 2e e7
2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2632
137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 94 00 00 80 11 00 00 c3 9d 37
fa 42 97 96 21 0a 48 00 89 00 3a 2e e4
2004-02-25 00:00:02 195.xxx.xxx.xxx 66.151.150.33 Udp 2629
137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 fe 00 00 80 11 00 00 c3 9d 37
fa 42 97 96 21 0a 45 00 89 00 3a 2e df

Paul Crisp
Snr Network Support Analyst
t: 020 7 827 5201
f: 020 7 827 5266



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


Other related posts: