RE: Whacky Log file tricks

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Mar 2002 16:21:53 -0600

I wonder if it might be an issue with ISA? I'll have to research the
exploit and see what the deal is.

Thanks!

Tom
www.isaserver.org/shinder


-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Friday, March 01, 2002 3:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Whacky Log file tricks

http://www.ISAserver.org


It is wacky alright.  Interesting that GHBN used to be a big issue with
AIX machines that allowed users to gain access to those boxes.


Joseph
-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Friday, March 01, 2002 1:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Whacky Log file tricks


Hey guys,

Here's a whacky log file finding:

192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, 80, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9462
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9462
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9463
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9463
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:03, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0

The NNTP-TACTEAM rule is a Server Publishing Rule for a NNTP server on
the internal network. The 192.168.1.8 is my workstation. Why would GHBN
use inbound TCP 119?

Log files are certainly fun! 

Tom
www.isaserver.org/shinder
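
A triage script for the pattern in the log excerpt above, added here as an example and not part of the original thread: it tallies which rule each operation is logged against and flags GHBN records from internal clients that carry a Server Publishing Rule name. Field positions are read off the quoted records; the field labels, the 192.168.1.0/24 internal range and the function names are assumptions.

```python
import csv
import ipaddress
from collections import Counter

# 0-based field positions read off the records quoted in the thread.
# The labels are assumed names, not taken from the post.
CLIENT_IP, DEST_HOST, OPERATION, RULE1 = 0, 9, 17, 23
FIELD_COUNT = 27
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range

# Constructed sample: two records from the thread plus one truncated line.
SAMPLE = (
    "192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, "
    "law8.oe.hotmail.com, 216.33.240.253, 0, 80, 0, 0, -, -, GHBN, -, -, -, 0, -, "
    "NNTP-TACTEAM, Allow Auth Users, 773, 0\n"
    "192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, "
    "-, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, "
    "All Open Users, -, 773, 9461\n"
    "192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002\n"
)

def parse(text):
    """Yield the stripped fields of each well-formed 27-field record."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        fields = [f.strip() for f in row]
        if len(fields) == FIELD_COUNT:  # skip truncated or wrapped lines
            yield fields

def is_internal(addr):
    """True when addr parses as an IP inside the assumed internal range."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL_NET
    except ValueError:
        return False

def rule_usage(text):
    """Count records per (operation, first rule) pair."""
    return Counter((f[OPERATION], f[RULE1]) for f in parse(text))

def mismatched_lookups(text, publishing_rules):
    """GHBN records from internal clients logged against a publishing rule."""
    return [(f[CLIENT_IP], f[DEST_HOST], f[RULE1]) for f in parse(text)
            if f[OPERATION] == "GHBN" and f[RULE1] in publishing_rules
            and is_internal(f[CLIENT_IP])]

if __name__ == "__main__":
    for pair, count in rule_usage(SAMPLE).items():
        print(pair, count)
    for hit in mismatched_lookups(SAMPLE, {"NNTP-TACTEAM"}):
        print("review:", hit)
```

The records must be one per line, as the firewall log writes them, not wrapped as they were in the e-mail.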


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

