Solved

ISA 2004 denied connection, strange traffic

Posted on 2010-11-13
3
1,180 Views
Last Modified: 2012-05-10
Should I be worried when I see things like this in ISA? I know ISA blocked it, but could this be a clue to something worse, like a hacked server?

Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net 
Filter information: Req ID: 17e1a776  
Protocol: http
User: anonymous
Additional information
Client agent:
Object source: Processing time: 1
Cache info: 0x0 MIME type

HERE IS ANOTHER

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:  
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy
User:  
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 188.16.109.253
Client agent:
 

Question by: Perkdaddy
3 Comments
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 500 total points)
ID: 34127302
No - ISA is just doing its job.
 

Author Comment

by: Perkdaddy
ID: 34127316
Keith, I have literally 100s of these an hour... But when I change the monitoring direction to allowed connections, it seems none are making it through...

But there are some connections that seem "stuck" on Initiated Connection, with what seems like no traffic in or out. Sorry, but my error logs have been going berserk lately with invalid log-ins from all over the EARTH!

I just get worried with ISA just sitting there, that at some point these sources of bad traffic may indeed compromise my system...

If a user has no access to remote access, is there anything I need to worry about if their username or password gets hacked?

I have some users with VERY silly passwords... I can't configure the GPO to do anything except simple passwords or complex (10 digits, symbols, letters, CAPS, numbers). I want to configure it to force people to use 123 letter passwords with a blacklist of passwords, i.e. 1111111, secret, mypasswrd etc.
 
LVL 51

Expert Comment

by: Keith Alabaster
ID: 34127340
That is a raft of 'I wants'.

Yes, I get lots too and the majority are simply errors.
By this I mean that it is poor configuration and management by non-educated users and administrators. Look at the destination IP addresses and port numbers.
The destination IP addresses are normally listed as being in the private address ranges such as 192.168.x.y or 172.16.x.y, and the port number (8080 in your case) is a proxy port by default. The number of people who take laptops out with proxy settings enabled and god-knows-what else configured - which work perfectly when they are on their local network - will cause all sorts of rogue traffic when they operate on home networks, wireless connections or elsewhere.

ISA's job is to only allow traffic in that is from an accepted source, using accepted protocols and with accepted credentials. EVERYTHING else gets dropped. However, ISA is also a full-blown accredited firewall, therefore it HAS to log these incidents.

ISA and the new version, Forefront TMG, are some of the best firewalls in the world and they do what they say they do - they stop traffic that you have not allowed. Imagine what it must be like for the dopes who rely on their little ADSL router for their protection?
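As an added example (not from the original thread or from Microsoft's tooling): a small Python parser over entries in the shape quoted in the question, labelling them the way Keith's answer reads them (private destination on 8080 = a roaming client still pointed at the office proxy; non-SYN drops = stateless noise with no established session) and counting denials per source, so that "hundreds an hour" can be attributed to a handful of sources. The sample entries are constructed from the ones in the question; the labels, the threshold and the function names are my own.

```python
import re
from collections import Counter
from ipaddress import ip_address
# Constructed sample in the shape of the ISA entries quoted above (not real log data).
SAMPLE = """\
Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)

Denied Connection SERVER1 11/13/2010 3:19:40 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Source: External ( 188.16.109.253:4449)
Destination: Local Host ( 192.168.17.2:8080)
"""

ADDR = re.compile(r"\(\s*([\d.]+):(\d+)\)")   # matches "( 192.168.17.2:8080)"

def parse_entries(text):
    """Split the log into entries; each becomes a dict of 'Field: value' pairs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines()[1:]:   # line 0 is the "Denied Connection ..." header
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def classify(entry):
    """Label an entry the way the answer above reads it."""
    dst = ADDR.search(entry.get("Destination", ""))
    if (entry.get("Log type", "").startswith("Web Proxy") and dst
            and ip_address(dst.group(1)).is_private and dst.group(2) == "8080"):
        return "stray-proxy-client"   # roaming client still pointed at its office proxy
    if entry.get("Status", "").startswith("A non-SYN packet was dropped"):
        return "non-syn-drop"         # no handshake, no session: stateless noise
    return "other"

def summarize(text, per_source_threshold=2):
    """Count entries by class and by source IP; list sources at or above the threshold."""
    entries = parse_entries(text)
    by_class = Counter(classify(e) for e in entries)
    by_source = Counter(ADDR.search(e["Source"]).group(1) for e in entries)
    noisy = sorted(ip for ip, n in by_source.items() if n >= per_source_threshold)
    return {"classes": dict(by_class), "sources": dict(by_source), "noisy": noisy}
```

Sources that show up only in the denied log, and never in an allowed connection, are exactly the case Keith describes: noise the firewall is already handling.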

Question has a verified solution.