Hi,

The info below regarding the outbound connections is from a netstat -a test on the external ISA. That's what's worrying me! There's no evidence of anything actually being wrong internally... nobody is allowed outbound FTP and we aren't publishing any FTP servers via this particular ISA.

Is there a way of an attacker disguising their address with another (e.g. ftp.compaq.com (161.114.1.254))?

T O N Y J O H N S O N

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: 25 March 2002 10:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Repeated intrusion detection

http://www.ISAserver.org

As with most things, FTP ports can be spoofed. I'm not sure if Compaq would be doing ftp to your site. You might want to not allow for ftp on ports 20 or 21 until you find out what may be the cause. Also, run NETSTAT -a on your External ISA machine and see if ports 20/21 are in use.

Joseph

-----Original Message-----
From: t.johnson@xxxxxxxxxxxxxxx [mailto:t.johnson@xxxxxxxxxxxxxxx]
Sent: Monday, March 25, 2002 1:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Repeated intrusion detection

I keep getting an intrusion detection alert from one of my ISAs, always from the address 161.114.1.254. This turns out to be ftp.compaq.com. On the server affected, I can see three outbound connections to 161.114.1.254:21 (two TIME_WAIT and one ESTABLISHED) and one outbound to 161.114.1.254:20 (ESTABLISHED). I am sure something nasty is going on, but my experience on these issues is limited. Can anyone tell me what's happening?
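The netstat check discussed in the thread (which connections involve ports 20/21, and on which side), as an added example that is not part of the original messages. It assumes numeric output from `netstat -an`; the sample rows are constructed (local address and local ports are made up, the peer and states are those quoted above), and the function names are hypothetical.

```python
import re
from collections import Counter

# Port 21 carries FTP control; port 20 is the server-side source port of an
# active-mode data channel, which the FTP server opens back to the client.
FTP_ROLES = {21: "control", 20: "data"}

# Constructed sample in Windows `netstat -an` layout. Local address and local
# ports are made up; the peer and states are those quoted in the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3127        161.114.1.254:21       TIME_WAIT
  TCP    192.0.2.10:3130        161.114.1.254:21       TIME_WAIT
  TCP    192.0.2.10:3141        161.114.1.254:21       ESTABLISHED
  TCP    192.0.2.10:3142        161.114.1.254:20       ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:4410      ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def ftp_connections(netstat_text):
    """Return (side, role, peer, state) for every TCP row touching port 20/21."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        _local, lport, peer, rport, state = m.groups()
        lport, rport = int(lport), int(rport)
        if lport in FTP_ROLES:
            # FTP port on our side: this machine is the server end.
            hits.append(("local-server", FTP_ROLES[lport], peer, state))
        elif rport in FTP_ROLES:
            # FTP port on the peer's side: this machine is the client end.
            hits.append(("local-client", FTP_ROLES[rport], peer, state))
    return hits

def summarize(hits):
    """Count hits per (peer, side, role) so repeated peers stand out."""
    return Counter((peer, side, role) for side, role, peer, _ in hits)

if __name__ == "__main__":
    for key, count in sorted(summarize(ftp_connections(SAMPLE)).items()):
        print(count, *key)
```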