Solved

ISA 2004 denied connection, strange traffic

Posted on 2010-11-13
Last Modified: 2012-05-10
Should I be worried when I see things like this in ISA? I know ISA blocked it, but could this be a clue to something worse, like a hacked server?

Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net
Filter information: Req ID: 17e1a776  
Protocol: http
User: anonymous
 Additional information
Client agent:
Object source: Processing time: 1
Cache info: 0x0 MIME type

HERE IS ANOTHER

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:  
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 188.16.109.253
Client agent:
 

Question by: Perkdaddy

Accepted Solution by: Keith Alabaster (earned 500 total points), ID: 34127302
No - ISA is just doing its job.

Author Comment by: Perkdaddy, ID: 34127316
Keith, I have literally hundreds of these an hour... But when I change the monitoring direction to allowed connections it seems none are making it through...

But there are some connections that seem "stuck" on Initiated connection, with what seems like no traffic in or out. Sorry, but my error logs have been going berserk lately with invalid log-ins from all over the EARTH!

I just get worried with ISA just sitting there, that at some point these sources of bad traffic may indeed compromise my system...

If a user has no access to remote access, is there anything I need to worry about if their username or password gets hacked?

I have some users with VERY silly passwords... I can't configure the GPO to do anything except simple passwords or complex (10 digits, symbols, letters, CAPS, numbers). I want to configure it to force people to use 123 letter passwords with a blacklist of passwords, i.e. 1111111, secret, mypasswrd etc.

Expert Comment by: Keith Alabaster, ID: 34127340
That is a raft of 'I wants'.

Yes, I get lots too and the majority are simply errors.
By this I mean that it is poor configuration and management from non-educated users and administrators. Look at the destination IP addresses and port numbers.
The destination IP addresses are normally listed as being in the private address ranges such as 192.168.x.y or 172.16.x.y, and the port number (8080 in your case) is a proxy port by default. The number of people who take laptops out with proxy settings enabled and god-knows-what else configured - which work perfectly when they are on their local network - will cause all sorts of rogue traffic when they operate on home networks, wireless connections or elsewhere.

ISA's job is to only allow traffic in that is from an accepted source, using accepted protocols and with accepted credentials. EVERYTHING else gets dropped. However, ISA is also a full blown accredited firewall therefore it HAS to log these incidents.

ISA and the new version, Forefront TMG, are some of the best firewalls in the world and they do what they say they do - they stop traffic that you have not allowed. Imagine what it must be like for the dopes who rely on their little ADSL router for their protection?
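Keith's advice to look at the source and destination of each denied entry can be turned into a quick triage script. This is an added example, not code from the thread or from ISA: it parses "Denied Connection" records in the format quoted in the question (the two records from the question plus one constructed record from an Internal client, which is hypothetical) and separates external hosts poking at the proxy port from denied requests that started inside the LAN, which are the ones worth a closer look.

```python
import re

# First two records are copied from the question; the third is a constructed
# record from an Internal client (hypothetical, not from the page) for contrast.
SAMPLE_LOG = """\
Denied Connection SERVER1 11/13/2010 3:19:35 PM
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)

Denied Connection SERVER1 11/13/2010 3:20:01 PM
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Source: Internal ( 192.168.17.55:1042)
Destination: External ( 203.0.113.9:80)
Request: GET http://example.invalid/update.php
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
NET_RE = re.compile(r"^(?P<net>[A-Za-z ]+?)\s*\(\s*(?P<ip>[\d.]+):\d+\)")


def parse_records(text):
    """Turn ISA 'Denied Connection' text into one dict per record."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)  # header line has digits, so it is skipped
            if m:
                rec[m.group("key")] = m.group("val").strip()
        for side in ("Source", "Destination"):
            n = NET_RE.match(rec.get(side, ""))
            if n:  # split "External ( 1.2.3.4:0)" into network name and IP
                rec[side + " net"] = n.group("net").strip()
                rec[side + " ip"] = n.group("ip")
        records.append(rec)
    return records


def triage(text):
    """External sources hitting the proxy port are noise ISA already handled;
    a denied request that originated on the Internal network deserves a look."""
    noise, review = [], []
    for r in parse_records(text):
        bucket = review if r.get("Source net") == "Internal" else noise
        bucket.append(r.get("Source ip"))
    return noise, review
```

Run it over an exported ISA log in the same text form and the "review" list is the short one to check against the internal host's expected browsing.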