RE: FW: ISA Server alert: An intrusion was attempted by an external user.

  • From: "Ruba Al Omari, Eng." <romari@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 28 Nov 2004 16:22:32 +0300

Hi,
I find this in the packet log at the time of the warning I receive. What
do you think?
Norton antivirus is still telling me servers are clean and the
definitions are up to date.


10.92.60.19 is a server on the network, 10.255.1.2 is the public
interface of the ISA server, and 212.71.32.19 is the DNS of our ISP.


2004-11-28      12:52:39        10.92.60.19     255.255.255.255 Udp
14000   14000   -       BLOCKED 10.255.1.2      45 00 00 68 57 6e 00 00
80 11 9c a8 0a 5c 3c 13 ff ff ff ff     36 b0 36 b0 00 54 58 33 00 00 00
4c 3a 00 00 00 00 00 00 0c 44 53 41 4d 65 73 73 61 67 65 00 00 00 00 00
0c 00 00 00 10 4f 52 42 65 6c 69 6e 65 20 32 2e 30 00 00 00 00 00 00 00
01 41 a9 81 bb 3a 00 00 00 00 00 00 04 3a 3a 00 64 00 00 00 04


2004-11-28      12:52:58        10.255.1.2      212.71.32.19    Tcp
37895   53      SYN     BLOCKED 10.255.1.2      45 00 00 30 50 b9 40 00
80 06 00 00 0a ff 01 02 d4 47 20 13     94 07 00 35 a1 c8 81 d1 00 00 00
00 70 02 ff ff ca ed 00 00 02 04 05 b4 01 01 04 02
2004-11-28

Thanks,
Ruba Al Omari
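
Added example, not part of the original thread and not a tool shipped with ISA Server: the hex columns of the two log records above are the raw IPv4 header and the bytes that follow it, so they can be decoded and compared with the addresses, ports and flags in the text columns. The function and constant names are this example's own; the byte strings are copied from the two records.

```python
import ipaddress
import re
import struct

# Hex columns copied from the two packet-filter log records in the post.
UDP_RECORD = (
    "45 00 00 68 57 6e 00 00 80 11 9c a8 0a 5c 3c 13 ff ff ff ff "
    "36 b0 36 b0 00 54 58 33 00 00 00 4c 3a 00 00 00 00 00 00 0c "
    "44 53 41 4d 65 73 73 61 67 65 00 00 00 00 00 0c 00 00 00 10 "
    "4f 52 42 65 6c 69 6e 65 20 32 2e 30 00 00 00 00 00 00 00 01 "
    "41 a9 81 bb 3a 00 00 00 00 00 00 04 3a 3a 00 64 00 00 00 04")
TCP_RECORD = (
    "45 00 00 30 50 b9 40 00 80 06 00 00 0a ff 01 02 d4 47 20 13 "
    "94 07 00 35 a1 c8 81 d1 00 00 00 00 70 02 ff ff ca ed 00 00 "
    "02 04 05 b4 01 01 04 02")


def header_checksum_ok(ip_header: bytes) -> bool:
    """A valid IPv4 header sums (16-bit one's complement) to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(ip_header) // 2}H", ip_header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(hex_column: str) -> dict:
    """Decode the IPv4 header and the TCP/UDP header that follows it."""
    raw = bytes.fromhex(hex_column)
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    proto, l4 = raw[9], raw[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    out = {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
        "sport": sport, "dport": dport, "ttl": raw[8],
        "ip_total_length": struct.unpack("!H", raw[2:4])[0],
        "bytes_logged": len(raw),      # may be less than ip_total_length
        "ip_checksum_ok": header_checksum_ok(raw[:ihl]),
    }
    if proto == 6:
        names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
        out["tcp_flags"] = [n for i, n in enumerate(names) if l4[13] >> i & 1]
    elif proto == 17:  # printable ASCII runs of 4+ characters in the payload
        out["strings"] = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", l4[8:])]
    return out

for record in (UDP_RECORD, TCP_RECORD):
    print(decode(record))
```

For the first record this reports 100 logged bytes against an IP total length of 104 and the payload strings DSAMessage and ORBeline 2.0; for the second, a lone SYN to port 53 whose IP checksum field is zero in the logged bytes.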


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, November 24, 2004 4:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: ISA Server alert: An intrusion was attempted
by an external user.

http://www.ISAserver.org

You need to review the packet filter logs for that time (remember to
account for GMT logging).
The actual traffic is located there.
By default, ISA logs to %ProgramFiles%\Microsoft ISA Server\ISALogs

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx] 
Sent: Wednesday, November 24, 2004 12:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW: ISA Server alert: An intrusion was attempted by
an external user.

Hi

I have a 2-arm ISA 2000: one NIC is connected to a switch with a NetScreen
device (10.255.1.2) and the other arm is connected to the internal LAN.
I keep getting these notifications almost every few minutes from the
interface that is connected to the NetScreen LAN, which has only 2
devices connected to it: the ISA and the NetScreen.
I know the ISA is not infected. Could there be any other reason for
this?

Thanks for any help
Ruba Al-Omari


-----Original Message-----
From: 9000-srv [mailto:9000-srv] 
Sent: Wednesday, November 24, 2004 10:06 AM
To: DAH Technical Support
Subject: ISA Server alert: An intrusion was attempted by an external
user.

ISA Server name: 9000-SRV

ISA Server detected an all port scan attack from Internet Protocol (IP)
address 10.255.1.2.

For more information about this event, see ISA Server Help.




------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
