From: Spokane, WA USA
I know it doesn't sound possible, but check your ISA logs for PCs (primarily W2K or WinXP) that are flooding your ISA Server with requests on specific ports. Also, your ISA Server itself could get infected by this worm. Get the removal tool from Symantec if nothing else (very small file) and run it on the server and PCs. MS has a patch out to fix the hole as well.
I posted this on here twice! I have had this problem for about three weeks now. I've run a sniffer and the only thing I can find is that my router MAC address shows up. I'm new to ISA and I'm having a hard time fixing this. It seems a lot of people have started getting this but no one has any real advice. None of our PCs have any worms. Please someone help! I get at least 2 of these a day at random times, no pattern and no repeating times (even late at night when no one's even at work). ISA Server detected a well-known port scan attack from Internet Protocol (IP) address 127.0.0.1. A well-known port is any port in the range of 1-2048. For more information about this event, see ISA Server Help.
Yes, it does seem to be occurring a lot. Funny that it just started a few weeks ago. I'm glad I'm not the only one, but this is getting old quick. I get paged several times a day and night regarding 'spoof attack'. We ran the Ethereal sniffer and it seems to not shine any light on the situation. Has anyone been able to fix this yet? Can you share your secret?
We don't have internal email servers, our users connect to an ISP with outlook.
Yes, I would say that I followed the MS recommendations for Blaster and created the protocols to block the worm and also applied the patches. My ISA server itself does not have any viruses on it. It's Win2k SP4.
Also randomly having this problem (for last 3 days). Had changed nothing prior to the problem starting on Monday.
What else is weird: For 3 days last week, I had the same spoof attack, but Event Viewer claimed it was coming from 192.168.1.9 (one of my internal addresses). It was also happening on an every-4-hour schedule.
What else is weird: The last 2 Friday nights, the internal port on my Cisco router appeared to lock up, but I'm not sure if it was really that, or the external interface to the ISA server.
I just found out that it could be the spam mail problem. I found the IP 220.127.116.11 from netstat, and found it on the spam mail server blacklist (www.declude.com). Hopefully that helps. I hope others who have the same problem will try it out.
Nobody else has any words of wisdom? It seems A LOT of people are experiencing this. Is anyone as frustrated as I am that you've tried to look at everything and you're still getting pages from your ISA server all day and night? PLEASE HELP if you know how to fix this! I've done everything that everyone's suggested; we have no internal worms!
I was looking through the ISA newsgroup over at http://support.microsoft.com/newsgroups/default.aspx. Just like here, there are probably 20 or more separate threads about this issue. The only thing I saw over there that looks like a possible cause is the fact that this just recently started happening (since people started applying the latest critical security patches). If there is someone who has "not" applied the new patches, then that would rule it out. The problem started for me about 3 days after patching. This could well be a new bug caused by the patch. Any thoughts?
Basically it's the Blaster worm attempting to hit your external IP; ISA tries to respond to a sitename which resolves to 127.0.0.1. It 'appears' to have been related to critical patches purely due to the timing of the Blaster worm's release. End result: there's bugger all you can do about it at this point in time, but there's nothing to fear; ISA is detecting the action (as impotent as it may be in this case) and all's fine. This may only be a problem if you have port scan alerts set to fire off other functions like deny filters, which could essentially cause a denial of service against yourself!
I have two ISAs giving me the same problem after I installed the hotfix for Blaster. The one in the head office gives the alert (port scan) every few days: 127.0.0.1 X.X.X.X Tcp 80 1567 RST ACK BLOCKED X.X.X.X
The one in the branch office generates (IP Spoof) every few hours: 127.0.0.1 X.X.X.X Tcp 80 1437 Spoof X.X.X.X
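As an added example (not code from anyone in this thread), a small Python triage script for ISA-style alert lines in the layout quoted in the two posts just above: it separates the loopback-sourced Spoof/port-scan entries that the earlier reply attributes to ISA answering Blaster probes from entries sourced at an internal RFC 1918 address like the 192.168.1.9 case, which do deserve a look at that host. The sample lines and all addresses below are constructed; the field order (source IP, destination IP, protocol, destination port, source port, result, destination IP) is assumed from the posts.

```python
import ipaddress
from collections import Counter

# Constructed sample log in the whitespace-separated layout quoted in the thread:
# <src ip> <dst ip> <proto> <dst port> <src port> <result ...> <dst ip>
SAMPLE_LOG = """\
127.0.0.1 203.0.113.10 Tcp 80 1567 RST ACK BLOCKED 203.0.113.10
127.0.0.1 203.0.113.10 Tcp 80 1437 Spoof 203.0.113.10
192.168.1.9 203.0.113.10 Tcp 80 1437 Spoof 203.0.113.10
198.51.100.7 203.0.113.10 Tcp 135 3412 BLOCKED 203.0.113.10
"""

# Explicit RFC 1918 ranges; an alert sourced here points at a LAN host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one alert line into its fields; return None for malformed input."""
    fields = line.split()
    if len(fields) < 7:
        return None
    src, dst, proto, dport, sport = fields[:5]
    return {"src": ipaddress.ip_address(src), "dst": dst, "proto": proto,
            "dport": int(dport), "sport": int(sport),
            "result": " ".join(fields[5:-1])}   # e.g. "Spoof", "RST ACK BLOCKED"


def triage(entry):
    """Classify by source address: loopback noise, internal host, or external."""
    src = entry["src"]
    if src.is_loopback:                      # 127.0.0.0/8: the thread's case
        return "loopback-artifact"
    if any(src in net for net in INTERNAL_NETS):
        return "internal-host-investigate"   # possible infected LAN machine
    return "external"


def summarize(text):
    """Count verdicts and list internal sources that need follow-up."""
    verdicts = Counter()
    internal = set()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = triage(entry)
        verdicts[verdict] += 1
        if verdict == "internal-host-investigate":
            internal.add(str(entry["src"]))
    return dict(verdicts), sorted(internal)
```

Feeding the real alert export through `summarize` lets a paging rule key on the internal-host bucket only, which avoids the self-inflicted deny-filter problem the earlier reply warns about.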
Since not everyone is experiencing this, we all must have some configuration issue in common.
Two recent changes I've made are that I've changed from web publishing our Exchange server to server publishing it, and installing Microsoft's latest security patches. I haven't set up our ISA server to access the WWW, so I have to download the patches to another server on our network, copy them over and then run them on the ISA server.
I was just wondering if any others have similar circumstances.
If this problem continues into next weekend, I'm considering removing the latest security patches or changing the Exchange publishing to see if it solves it.