Re: www.worm.com in ISA Logs

• From: "Jim Harrison" <jim@xxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 21 Feb 2002 07:08:19 -0800

The good news is:
1. all the requests came from outside (W3ReverseProxy), so you don't seem to
have an infected machine inside
2. all the requests (www = Nimda, www.worm.com = Code Red) were rejected by
ISA (12202 and 12005)

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Morvan Daniel Muller" <morvan@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 20, 2002 13:39
Subject: [isalist] www.worm.com in ISA Logs


http://www.ISAserver.org





----------------------------------------------------------------------------
----


Hello!

I found in my ISA Logs "www.worm.com" ...

It mean that my ISA box was compromised, or was used to attack other
machines
on the internet?

Log attached "WEBEXTD20020212.log" - 26 Kbytes.

PS:
Server99 is my ISA's box hostname!
On my ISA box, I have ISA sp1 applied and the last patch
"w2kSP2SRollUPack1.exe" for win2000 server.


Morvan.


----------------------------------------------------------------------------
----


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

• » www.worm.com in ISA Logs
• » RE: www.worm.com in ISA Logs
• » Re: www.worm.com in ISA Logs

1. Home
2. isalist
3. Archive
4. 02-2002

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---