Perkdaddy


ISA 2004 denied connection, strange traffic

Should I be worried when I see things like this in ISA? I know ISA blocked it, but could this be a clue to something worse, like a hacked server?

Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net 
Filter information: Req ID: 17e1a776  
Protocol: http
User: anonymous
 Additional information
Client agent:
Object source: Processing time: 1
Cache info: 0x0 MIME type

HERE IS ANOTHER

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:  
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 188.16.109.253
Client agent:
 

ASKER CERTIFIED SOLUTION
Keith Alabaster
Perkdaddy

ASKER

Keith, I have literally hundreds of these an hour... But when I change the monitoring direction to allowed connection, it seems none are making it through...

But there are some connections that seem "stuck" on Initiated connection, with what seems like no traffic in or out. Sorry, but my error logs have been going berserk lately with invalid log-ins from all over the EARTH!

I just get worried with ISA just sitting there, that at some point these sources of bad traffic may indeed compromise my system...

If a user has no access to remote access, is there anything I need to worry about if their username or password gets hacked?

I have some users with VERY silly passwords... I can't configure the GPO to do anything except simple passwords or complex (10 digits, symbols, letters, CAPS, numbers). I want to configure it to force people to use 123 letter passwords with a blacklist of passwords, i.e. 1111111, secret, mypasswrd etc.
That is a raft of 'I wants'.

Yes, I get lots too and the majority are simply errors.
By this I mean that it is poor configuration and management from non-educated users and administrators. Look at the destination IP addresses and port numbers.
The destination IP addresses are normally listed as being in the private address ranges such as 192.168.x.y or 172.16.x.y, and the port number (8080 in your case) is a proxy address by default. The amount of people who take laptops out with proxy settings enabled and god-knows-what else configured - which work perfectly when they are on their local network - will cause all sorts of rogue traffic when they operate on home networks, wireless connections or elsewhere.

ISA's job is to only allow traffic in that is from an accepted source, using accepted protocols and with accepted credentials. EVERYTHING else gets dropped. However, ISA is also a full blown accredited firewall therefore it HAS to log these incidents.

ISA and the new version, Forefront TMG, are some of the best firewalls in the world and they do what they say they do - they stop traffic that you have not allowed. Imagine what it must be like for the dopes who rely on their little ADSL router for their protection?
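A small triage script, added here as an example (it is not from the thread and not part of ISA Server), that applies the check the reply above suggests to entries in the format quoted in the question: it parses the two "Denied Connection" layouts, flags entries where an external source addresses a private-range destination on a proxy port, and separates non-SYN drops from URL denials so the remaining, untagged entries are the ones worth a closer look. The sample entries are reconstructed from the question; the PROXY_PORTS set and the tag names are this example's own assumptions.

```python
"""Triage helper for ISA 2004 'Denied Connection' log entries (added example)."""
import ipaddress
import re
from collections import Counter

# Ports commonly used for web proxies (assumption for this example); 8080 is the
# port in the question's entries.
PROXY_PORTS = {8080, 3128, 8888}

# Matches 'External ( 178.63.21.130:0)' or 'Local Host ( 192.168.17.2:8080)'.
ENDPOINT_RE = re.compile(
    r"^(?P<net>[A-Za-z ]+?)\s*\(\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\)$"
)

# Constructed sample: the two entries quoted in the question, trimmed to the
# 'Key: Value' lines the parser uses.
SAMPLE_ENTRIES = """\
Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net
Protocol: http
User: anonymous

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy
User:
"""


def parse_endpoint(value):
    """Turn 'External ( 178.63.21.130:0)' into ('External', '178.63.21.130', 0)."""
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised endpoint: %r" % value)
    return m.group("net").strip(), m.group("ip"), int(m.group("port"))


def parse_entries(text):
    """Split the log text into blank-line separated entries and parse each
    'Key: Value' line; Source and Destination become (network, ip, port)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry = {"header": lines[0].strip()}  # 'Denied Connection SERVER1 <date> <time>'
        for line in lines[1:]:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            entry[key] = parse_endpoint(value) if key in ("source", "destination") else value
        entries.append(entry)
    return entries


def triage(entry):
    """Return a sorted tuple of tags explaining why the entry is most likely noise.
    An entry that comes back empty deserves manual review."""
    tags = set()
    src_net, _, _ = entry["source"]
    _, dst_ip, dst_port = entry["destination"]
    # The pattern from the reply: an outside host addressing our *private* proxy
    # address on the proxy port is typically a laptop that still carries the
    # office proxy settings while on a home or wireless network.
    if src_net == "External" and ipaddress.ip_address(dst_ip).is_private and dst_port in PROXY_PORTS:
        tags.add("private-dest-proxy-port")
    status = entry.get("status", "")
    if status.startswith("A non-SYN packet was dropped"):
        # Stateful inspection dropped a packet belonging to no tracked
        # connection (stale session or backscatter): nothing was let in.
        tags.add("non-syn-drop")
    if status.startswith("12202"):
        tags.add("url-denied")
    if entry.get("rule", "") == "Default rule":
        tags.add("default-deny-rule")
    return tuple(sorted(tags))


def top_sources(entries, n=5):
    """Count denied entries per source IP so repeat offenders stand out."""
    return Counter(e["source"][1] for e in entries).most_common(n)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_ENTRIES)
    for e in parsed:
        print(e["header"], "->", ", ".join(triage(e)) or "UNTAGGED: review")
    print(top_sources(parsed))
```

Feed it an export of the Denied Connection entries and look first at the untagged ones and at the top of the per-source count; the tagged entries are the "errors" the reply describes, which ISA has already dropped.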