I wonder if it might be an issue with ISA? I'll have to research the exploit and see what the deal is.

Thanks!
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Friday, March 01, 2002 3:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Whacky Log file tricks

http://www.ISAserver.org

It is wacky alright. Interesting that GHBN used to be a big issue with AIX machines that allowed users to gain access to those boxes.

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, March 01, 2002 1:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Whacky Log file tricks

Hey guys,

Here's a whacky log file finding:

192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, 80, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9462
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9462
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9463
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9463
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:03, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0

The NNTP-TACTEAM rule is a Server Publishing Rule for an NNTP server on the internal network. The 192.168.1.8 is my workstation. Why would GHBN use inbound TCP 119?

Log files are certainly fun!

Tom
www.isaserver.org/shinder
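
The check that the question in this thread implies, as an added example that is not part of the original messages: parse the log excerpt and list the GHBN (name lookup) records that the log attributes to a server publishing rule. The column positions are inferred from the sample lines, not from ISA Server documentation, and the function names are hypothetical.

```python
import csv
from collections import Counter

# 0-based column positions inferred from the sample lines in the thread
# (an assumption, not taken from ISA Server documentation).
COL_TIME, COL_HOST, COL_OP, COL_RULE1, COL_RULE2 = 5, 9, 17, 23, 24
EXPECTED_FIELDS = 27

# Three records copied from the log excerpt in the thread.
SAMPLE = """\
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, 80, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461
192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0
"""

def parse(text):
    """Return one dict per well-formed record; skip blank or truncated lines."""
    records = []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) != EXPECTED_FIELDS:
            continue
        records.append({"time": row[COL_TIME], "host": row[COL_HOST],
                        "op": row[COL_OP], "rule1": row[COL_RULE1],
                        "rule2": row[COL_RULE2]})
    return records

def lookups_on_publishing_rules(records, publishing_rules):
    """GHBN records that the log attributes to one of the publishing rules."""
    return [r for r in records
            if r["op"] == "GHBN" and r["rule1"] in publishing_rules]

def op_rule_counts(records):
    """Count records per (operation, first rule) pair."""
    return Counter((r["op"], r["rule1"]) for r in records)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    # NNTP-TACTEAM is the server publishing rule named in the thread.
    for r in lookups_on_publishing_rules(recs, {"NNTP-TACTEAM"}):
        print(r["time"], r["host"], "->", r["rule1"], "/", r["rule2"])
    print(dict(op_rule_counts(recs)))
```
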