Like I said, I suspect his {the victim} ISA server to be misconfigured in the 1st place; Server product possibly infected before install? His attempt at discovery with Stinger was doomed to fail. A corrupt registry, being the fruit of the firewall killer, could in turn be partially responsible for the ISA mis/dysfunctionality. No amount of "reconfiguration" will cure his ills, that being the case.
I'm still curious about the Task Manager question.
thekevin
http://www.ISAserver.org
I suggest you take a closer look at the link you provided. Yes, it lists a lot of "Firewall Killer" Trojans. But, take a closer look at what the website describes this as:
Quote: Firewall Killer : Any hacker tool intended to disable a user's personal firewall. Some will also disable resident anti-virus software.
Note the use of the phrase "user's personal firewall", which, by any description, the ISA server is NOT. These are programs designed to attack the home user, or employee workstation, they are NOT designed to attack ISA servers. While they might have an effect, it won't be the same as on a workstation.
Note: A "properly configured" and "properly administrated" ISA server is not susceptible to these trojans. The exception to this is some idiot using the server as a workstation.
-----Original Message----- From: thekevin@xxxxxxxxxxxx [mailto:thekevin@xxxxxxxxxxxx] Sent: Thursday, June 30, 2005 8:51 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server crashes
I just got through learning this scenario the hard way, for about 2 weeks. A total of 14-17 fresh installs on 2 separate machines which in some cases netted a trojan in the 1st 30 seconds of connectivity behind 2 isolated NAT routers. The word is "prolific". I would have thought you "Black Hat" people would have beat me to the punch on this one, or any other reported ISA failure. To my knowledge, ISA has never been defeated at the External interface, leaving me to further believe that his {the victim} ISA server was/is misconfigured to begin with.
1. What causes ISA server to "crash" intermittently or regularly, every "4 hours"?
2. At the same time, generating a "Web Proxy Failure" entry in Event Viewer?
Same scenario > Same Software > different location, 3 weeks later. The word is "parallel".
Take a look at what's waiting for us all. http://www3.ca.com/securityadvisor/pest/browse.aspx?cat=Firewall%20Killer
Then take a look at the recommended course of action upon the discovery of infection.
3. Will ISA function with a corrupt registry?
4. What is the fastest way to acquire a clean registry?
5. Is this a DC that has possibly been compromised?
6. Is time = {lots of} money here?
Both the current victim and I, I'm sure, are open to constructive suggestions and analysis.
Thanks, thekevin
I believe that his point was that by simply hearing that the server is hanging, you've already diagnosed it as a polymorphic trojan infection.
That is a bit (okay, more than a bit) premature.
If indeed it IS infected, your recommended course of action isn't as far-fetched, but it is simply way too soon to jump to that conclusion.
-----Original Message----- From: thekevin@xxxxxxxxxxxx [mailto:thekevin@xxxxxxxxxxxx] Sent: Thursday, June 30, 2005 7:38 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server crashes
Ever tried to get rid of a polymorphic Firewall killer otherwise?... Before your ISP kills your connection due to the port scanning/virus distribution coming from the machine in question? A boot disk might be more accessible than a copy of DELPART for most.
thekevin
Wow. With the little bit of information provided by the poster, you clearly diagnosed his server problem and provided a clear solution, FDISK. Personally, I prefer DELPART.
Gees, I have not heard reformat used so easily in a while.
John T eServices For You
-----Original Message----- From: thekevin@xxxxxxxxxxxx [mailto:thekevin@xxxxxxxxxxxx] Sent: Wednesday, June 29, 2005 6:12 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Server crashes
I had a similar problem recently. I would guess your base server machine is infected with something along the lines of MultiBot Pro, which is a successful Firewall/Antivirus killer. A reinstall of the O/S is required, that being the case, as almost all of these trojans are polymorphic. If you don't Fdisk your Boot drive FIRST, you're wasting your time.
Remember to do your reinstall DISCONNECTED from the internet. W2000 family is highly vulnerable to the net nowadays without ALL the patches. Don't forget Microsoft's new AntiSpyware Beta 1 which is currently KING and will catch cache and remove what has been eating all other Anti V and firewalls for breakfast. It's also FREE!!!
Happy hunting, thekevin
----- Original Message ----- From: "Umesh" <umeshblr@xxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, June 29, 2005 1:25 AM Subject: [isalist] ISA Server crashes
> Hi,
> I have ISA 2000 server with sp2 and hotfix installed. It gets hanged frequently at least for every 4 hrs. In the event log it shows ISA initialization failed. What it means? Can anyone help me out to solve this issues? Is there any patches available?