Solved

ISA 2004 denied connection, strange traffic

Posted on 2010-11-13
1,190 Views
Last Modified: 2012-05-10
Should I be worried when I see things like this in ISA? I know ISA blocked it, but could this be a clue to something worse, like a hacked server?

Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net
Filter information: Req ID: 17e1a776
Protocol: http
User: anonymous
Additional information
Client agent:
Object source:
Processing time: 1
Cache info: 0x0
MIME type:

HERE IS ANOTHER

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy
User:
Additional information
Number of bytes sent: 0
Number of bytes received: 0
Processing time: 0ms
Original Client IP: 188.16.109.253
Client agent:

Question by:Perkdaddy
3 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 34127302
No - ISA is just doing its job.

Author Comment

by:Perkdaddy
ID: 34127316
Keith, I have literally 100's of these an hour... But when I change the monitoring direction to allowed connections it seems none are making it through...

But there are some connections that seem "stuck" on Initiated connection, with what seems like no traffic in or out. Sorry, but my error logs have been going berserk lately with invalid log-ins from all over the EARTH!

I just get worried with ISA just sitting there, that at some point these sources of bad traffic may indeed compromise my system...

If a user has no remote access, is there anything I need to worry about if their username or password gets hacked?

I have some users with VERY silly passwords... I can't configure the GPO to do anything except simple passwords or complex (10 digits, symbols, letters, CAPS, numbers). I want to configure it to force people to use 123 letter passwords with a blacklist of passwords, i.e.: 1111111, secret, mypasswrd etc.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34127340
That is a raft of 'I wants'.

Yes, I get lots too and the majority are simply errors.
By this I mean that it is poor configuration and management from non-educated users and administrators. Look at the destination IP addresses and port numbers.
The destination IP addresses are normally listed as being in the private address ranges such as 192.168.x.y or 172.16.x.y and the port number (8080 in your case) is a proxy address by default. The amount of people who take laptops out with proxy settings enabled and god-knows-what else configured - which work perfectly when they are on their local network - will cause all sorts of rogue traffic when they operate on home networks, wireless connections or elsewhere.

ISA's job is to only allow traffic in that is from an accepted source, using accepted protocols and with accepted credentials. EVERYTHING else gets dropped. However, ISA is also a full blown accredited firewall therefore it HAS to log these incidents.

ISA and the new version, Forefront TMG are some of the best firewalls in the world and they do what they say they do - they stop traffic that you have not allowed. Imagine what it must be like for the dopes who rely on their little adsl router for their protection?
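A triage script for the two log formats quoted in the question, added here as an example and not part of the original thread or of ISA Server itself. It parses log-viewer entries, buckets each denial the way the answer describes (stray non-SYN packets with no connection state, and proxy-style absolute-URL requests refused by the Default rule on the 8080 listener), counts denials per source and per hour, and flags only sources that are denied repeatedly and then also appear in an allowed connection, which is the check the asker did by hand by switching the monitor to allowed connections. The sample entries are constructed: the first two are the question's own, the rest use the 203.0.113.0/24 documentation range; the class names and the burst threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of ISA Server 2004 log-viewer entries. The first two are the
# entries quoted in the question; the rest are made up for this example (203.0.113.0/24).
SAMPLE_LOG = """\
Denied Connection SERVER1 11/13/2010 3:19:35 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External ( 178.63.21.130:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://ipadmin.ru/whois/?host=via-gra.eu&server=eu.whois-servers.net
User: anonymous

Denied Connection SERVER1 11/13/2010 3:19:34 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: External ( 188.16.109.253:4448)
Destination: Local Host ( 192.168.17.2:8080)
Protocol: HTTP Proxy

Denied Connection SERVER1 11/13/2010 3:20:01 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External ( 203.0.113.7:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://example.com/

Denied Connection SERVER1 11/13/2010 3:20:02 PM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External ( 203.0.113.7:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://example.org/

Allowed Connection SERVER1 11/13/2010 3:21:00 PM
Log type: Web Proxy (Forward)
Rule: Allow web access
Source: External ( 203.0.113.7:0)
Destination: External ( 192.168.17.2:8080)
Request: GET http://example.net/
"""

HEADER_RE = re.compile(r"^(Denied|Allowed) Connection (\S+) (.+)$")
ENDPOINT_RE = re.compile(r"^(?P<net>[^(]+?)\s*\(\s*(?P<ip>[\d.]+):(?P<port>\d+)\)")


def parse_entries(text):
    """One dict per log-viewer entry, keyed by the lower-cased field names."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an entry header; skip stray text
        entry = {"action": m.group(1), "server": m.group(2),
                 "time": datetime.strptime(m.group(3), "%m/%d/%Y %I:%M:%S %p")}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # split on the first colon only; URLs keep theirs
            entry[key.strip().lower()] = value.strip()
        for field in ("source", "destination"):
            em = ENDPOINT_RE.match(entry.get(field, ""))
            if em:  # "External ( 1.2.3.4:8080)" -> network name, IP, port
                entry[field + "_net"] = em.group("net").strip()
                entry[field + "_ip"] = em.group("ip")
                entry[field + "_port"] = int(em.group("port"))
        entries.append(entry)
    return entries


def classify(entry):
    """Bucket a denied entry as the answer describes; the class names are assumptions."""
    if entry.get("status", "").startswith("A non-SYN packet was dropped"):
        return "stray_non_syn"  # no connection state, so nothing reached a listener
    if (entry.get("rule") == "Default rule" and entry.get("destination_port") == 8080
            and entry.get("request", "").split(" ", 1)[-1].startswith("http://")):
        return "proxy_request_denied"  # absolute URL aimed at the proxy port, refused by the default deny
    return "other"


def triage(entries, burst_threshold=2):
    """Counts per class, source and hour; flag sources denied repeatedly AND later allowed through."""
    by_class, denied_by_src, allowed_by_src, per_hour = Counter(), Counter(), Counter(), Counter()
    for e in entries:
        if e["action"] == "Denied":
            by_class[classify(e)] += 1
            denied_by_src[e.get("source_ip")] += 1
            per_hour[e["time"].strftime("%Y-%m-%d %H:00")] += 1
        else:
            allowed_by_src[e.get("source_ip")] += 1
    suspicious = sorted(ip for ip, n in denied_by_src.items()
                        if n >= burst_threshold and allowed_by_src.get(ip, 0) > 0)
    return {"by_class": dict(by_class), "denied_by_source": dict(denied_by_src),
            "allowed_by_source": dict(allowed_by_src), "denied_per_hour": dict(per_hour),
            "suspicious_sources": suspicious}


if __name__ == "__main__":
    for key, value in triage(parse_entries(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Denied-only sources, however many per hour, are the noise the answer describes; the list worth looking at is `suspicious_sources`, because a source that hammers the proxy port and then gets an allowed connection is the case where a rule or credential is doing more than intended.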
