Re: ISA Server Code Red Log entries

  • From: "Gabriel Zabal" <gabriel@xxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 7 Aug 2001 09:46:13 -0300

Could you explain this log entry ?????
I'm not using an IP in the destination set on the web publishing rules,
and I'm only using Web Publishing rules, no server rules.
Why does the request pass the ISA, and how does it decide which web server to send the
request to?
I have several internal web servers.

211.97.113.5 anonymous - 2001-08-04 11:02:30 ISA - ExtIpISA
IP_Internal_WebServer 80 771 3818 - http GET
http://IP_Internal_Web_Server/default.ida?XXXXX ....XXXXXX Inet 10053

Gabriel

  -----Original Message-----
  From: Nicholas Palmer [mailto:NICK@xxxxxxxxxxx]
  Sent: Monday, August 06, 2001 05:44 p.m.
  To: [ISAserver.org Discussion List]
  Subject: [isalist] Re: ISA Server Code Red Log entries


  http://www.ISAserver.org


  The http://168.65.50.21:12345 address is the address of IIS on the internal
NIC on the ISA server.  I followed the instructions to get the IIS server on
the ISA server to work by changing the port that IIS listens on to be 12345
instead of 80 and then using Web publishing to publish this web server.  The
server is patched and I've run the codered checker from the eEye web site
and it shows that this site is ok, so I guess I'm good for now.

  Nick.
    -----Original Message-----
    From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
    Sent: Monday, August 06, 2001 12:58 PM
    To: [ISAserver.org Discussion List]
    Subject: [isalist] Re: ISA Server Code Red Log entries


    I personally advise against using IPs in destination sets, but I've also
heard many valid arguments for doing exactly that.  The only thing the "200"
means is that ISA let the request through.
    One point to observe is that the request went to your web server at port
12345 (http://168.65.50.21:12345), so unless you were previously hacked, or
you've since patched and rebooted, your web server probably failed to
respond at all.

    Jim Harrison
    MCP(2K), A+, Network+, PCG


      ----- Original Message -----
      From: Nicholas Palmer
      To: [ISAserver.org Discussion List]
      Sent: Monday, August 06, 2001 12:32
      Subject: [isalist] ISA Server Code Red Log entries


      I've been following the messages here on the latest Code Red worm and
I've seen several of the entries in my log files (WEBEX.....LOG).

      WARNING : Log entries with dangerous links :



      61.221.240.50   anonymous       -       2001-08-04      14:56:07
GATEWAY -       www.worm.com    -       -       2323    4039    -       -
GET
http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
78%u0000%u00=a      -       12202

      And ...

      24.1.178.131    anonymous       -       2001-08-04      15:09:34
GATEWAY -       209.151.234.200 168.65.50.21    12345   1933    3818    171
http    GET
http://168.65.50.21:12345/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX  Inet    200



      My understanding of the first one is that the 12202 at the end means
that ISA blocked it.  But it's the other entry, with the Inet 200 at the end,
that I'm concerned about.  Doesn't 200 mean that it was successful?  I've
applied the patches from MS faithfully, and when I try the Coderedchecker
program I come out OK.  Our IIS Server is on ISA server and I am publishing
it with a destination set that uses the IP address of the external NIC, which
I read below could cause a problem.  Will this cause me any problems?

      Thanks
      Nick.

      KCI Computing, Inc.
      (nick@xxxxxxxxxxx)
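
Added example, not part of the original thread or of any ISA Server tooling: a small triage script for the kind of log entries quoted above, listing each padded `default.ida` request with its client, target and trailing result code, and flagging those logged with 200 (which, per Jim's reply, only means ISA let the request through). It assumes the whitespace-separated layout seen in the quoted entries (client first, URL right after `GET`, result code last); the sample lines are constructed and use documentation addresses.

```python
import re
from urllib.parse import urlsplit

# A default.ida request padded with 50+ repeats of one letter (N or X in the thread).
PROBE_RE = re.compile(r"/default\.ida\?([A-Za-z])\1{49,}", re.IGNORECASE)

def triage(lines):
    """Return one record per log line that carries a padded default.ida request."""
    hits = []
    for line in lines:
        fields = line.split()
        if "GET" not in fields:
            continue
        i = fields.index("GET")
        if i + 1 >= len(fields) or not PROBE_RE.search(fields[i + 1]):
            continue
        url = fields[i + 1]
        # Assumption: the last field is the result code, as in the quoted entries.
        code = int(fields[-1]) if fields[-1].isdigit() else None
        hits.append({
            "client": fields[0],
            "target": urlsplit(url).netloc,  # host[:port] the request was aimed at
            "code": code,
            "forwarded": code == 200,        # ISA let it through to the published server
        })
    return hits

# Constructed sample lines modelled on the entries in the thread.
PAD = 224
SAMPLE = [
    "198.51.100.7 anonymous - 2001-08-04 14:56:07 GATEWAY - www.example.test - - "
    "2323 4039 - - GET http://www.example.test/default.ida?" + "N" * PAD + "=a - 12202",
    "203.0.113.9 anonymous - 2001-08-04 15:09:34 GATEWAY - 192.0.2.1 192.0.2.10 12345 "
    "1933 3818 171 http GET http://192.0.2.10:12345/default.ida?" + "X" * PAD + " Inet 200",
    "203.0.113.20 anonymous - 2001-08-04 15:10:02 GATEWAY - 192.0.2.1 192.0.2.10 12345 "
    "40 512 900 http GET http://192.0.2.10:12345/index.htm Inet 200",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        state = "FORWARDED to web server" if hit["forwarded"] else "not forwarded"
        print(f'{hit["client"]:15} -> {hit["target"]:22} code={hit["code"]} {state}')
```

Entries flagged as forwarded are the ones to follow up on the published web server itself, by checking its patch level and its own IIS logs for the same timestamp.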


