Solved

ISA 2004 denied connection, strange traffic

Posted on 2010-11-13
Last Modified: 2012-05-10
Should I be worried when I see things like this in ISA? I know ISA blocked it, but could this be a clue to something worse, like a hacked server?

Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net 
Filter information: Req ID: 17e1a776  
Protocol: http
User: anonymous
 Additional information
Client agent:
Object source: Processing time: 1
Cache info: 0x0 MIME type

HERE IS ANOTHER

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:  
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 188.16.109.253
Client agent:
 

Question by: Perkdaddy

3 Comments

Accepted Solution

by: Keith Alabaster (earned 500 total points)
ID: 34127302
No - ISA is just doing its job.
Author Comment

by: Perkdaddy
ID: 34127316
Keith, I have literally hundreds of these an hour... But when I change the monitoring direction to allowed connections, it seems none are making it through...

But there are some connections that seem "stuck" on Initiated connection, with what seems like no traffic in or out. Sorry, but my error logs have been going berserk lately with invalid log-ins from all over the EARTH!

I just get worried with ISA just sitting there, that at some point these sources of bad traffic may indeed compromise my system...

If a user has no access to remote access, is there anything I need to worry about if their username or password gets hacked?

I have some users with VERY silly passwords... I can't configure the GPO to do anything except simple passwords or complex (10 digits, symbols, letters, CAPS, numbers). I want to configure it to force people to use 123 letter passwords with a blacklist of passwords, i.e.: 1111111, secret, mypasswrd etc.
Expert Comment

by: Keith Alabaster
ID: 34127340
That is a raft of 'I wants'.

Yes, I get lots too and the majority are simply errors.
By this I mean that it is poor configuration and management from non-educated users and administrators. Look at the destination IP addresses and port numbers.
The destination IP addresses are normally listed as being in the private address ranges such as 192.168.x.y or 172.16.x.y, and the port number (8080 in your case) is a proxy port by default. The amount of people who take laptops out with proxy settings enabled and god-knows-what else configured - which work perfectly when they are on their local network - will cause all sorts of rogue traffic when they operate on home networks, wireless connections or elsewhere.

ISA's job is to only allow traffic in that is from an accepted source, using accepted protocols and with accepted credentials. EVERYTHING else gets dropped. However, ISA is also a full blown accredited firewall therefore it HAS to log these incidents.

ISA and the new version, Forefront TMG are some of the best firewalls in the world and they do what they say they do - they stop traffic that you have not allowed. Imagine what it must be like for the dopes who rely on their little adsl router for their protection?
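As an added illustration (not code from this thread or from ISA Server), the following Python script parses text-export entries in the layout quoted in the question and sorts them into the two buckets the accepted answer describes: non-SYN packets ISA has no state for, and requests aimed at a private address on the 8080 proxy port, which points at roaming clients still configured for an internal proxy. The sample entries are constructed from the two records in the question, trimmed to the fields the script reads.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the field layout of the ISA 2004 "Denied Connection" records above.
SAMPLE_LOG = """\
Denied Connection SERVER1 11/13/2010 3:19:35 PM
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")      # "Name: value" lines
ENDPOINT = re.compile(r"\(\s*([\d.]+):(\d+)\)")      # "( ip:port)" inside Source/Destination

def parse_entries(text):
    """Split a text export into one dict per 'Denied Connection' record."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Denied Connection"):
            current = {"header": line}
            entries.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return entries

def endpoint(entry, key):
    # Return (ip, port) from a Source/Destination field, or (None, None) if absent.
    m = ENDPOINT.search(entry.get(key, ""))
    return (m.group(1), int(m.group(2))) if m else (None, None)

def classify(entry):
    """Bucket a denied record the way the accepted answer explains them."""
    dst_ip, dst_port = endpoint(entry, "Destination")
    if "non-SYN" in entry.get("Status", ""):
        return "stateless-noise"      # packet for a connection ISA never saw
    if dst_ip and ip_address(dst_ip).is_private and dst_port == 8080:
        return "stray-proxy-client"   # roaming client still aimed at an internal proxy
    return "other-denied"

def summarize(text):
    """Count (source IP, bucket) pairs so repeat sources stand out."""
    return Counter((endpoint(e, "Source")[0], classify(e)) for e in parse_entries(text))
```

Sources that keep appearing in the "other-denied" bucket, or that show up hundreds of times an hour from one address, are the ones worth looking at more closely.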
