Welcome to ISAserver.org
Strange entries in Top Users section on Reports
Strange entries in Top Users section on Reports - 17.Feb.2006 3:49:31 PM
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
Hi All, We are running ISA Server 2004 SP1 on a W2k3 SP1 and we noticed some strange entries in the top users listing. It lists IPs which are not in our internal range at all. Here are two IP addresses that were listed in the Top Users section: 194.238.48.90 and 86.14.243.66. Does this mean that our server is hacked? In the previous reports I have not noticed any strange entries like this. The report is automatically generated; it's a weekly report that is scheduled for 00:30. Any thoughts? TIA, Ashok.
RE: Strange entries in Top Users section on Reports - 19.Feb.2006 3:19:38 PM
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
Anyone?
RE: Strange entries in Top Users section on Reports - 19.Feb.2006 3:50:38 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Instead of relying on someone else's interpretation of your report, I suggest you analyze the live logging on your ISA server to determine the true source and nature of those IPs. I don't know if "hacked" is the right term, but a misconfigured ISA (AKA open proxy) may allow someone to relay off of your ISA.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Strange entries in Top Users section on Reports - 19.Feb.2006 6:57:09 PM
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
Hi LLigetfa, Yes, I was going to do this, but I found this out at the end of the day and thought I'd quickly post this info. My plan is to look at the logs on Monday morning to find out what is happening. Still new to the firewall and ISA game, can you tell me what an open proxy is and, if possible, any suggestions on making it a closed proxy? TIA, Ashok.
RE: Strange entries in Top Users section on Reports - 19.Feb.2006 7:16:02 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Open proxy is when people on the internet get access to your WP listener. http://forums.isaserver.org/m_2002007576/tm.htm#2002007610
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Strange entries in Top Users section on Reports - 19.Feb.2006 8:04:24 PM
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
Hi there, Thanks for the info, I'll check it out. I did an nslookup on the two IP addresses and one of them is our remote support provider for our servers, and I know he used the server to get the drivers for the SCSI card when we had some problems with our servers. The remote support uses NetOp (UDP 617) in a receive Send mode. The other one is the interesting one and I need to find out from the logs what was happening. We also got the SurfControl logs, so that should tell us where they were going. Right, the morning's gonna be a busy one :) Doesn't the WP listener need to be open inbound for us to be an open proxy server? As far as I can tell we have not got a single rule that is allowing HTTP inbound. A few web publishing rules, but they are all using HTTPS with the relevant certificates, so I don't know what it is. Ashok.
RE: Strange entries in Top Users section on Reports - 20.Feb.2006 10:13:39 AM
Ashokk001
Posts: 232
Joined: 6.Oct.2005
Status: offline
Hi there, I have checked all the logs and it seems that the IPs are from external users who are accessing the OWA site and one of the web published sites. The thing is, why are these appearing in the "Top" users section, as I thought this only shows the users internally? I could be wrong. Looks like all those strange IPs are actually users' home computer IP addresses, as all of them are using either the OWA service or the web application that we have published. Is this a bug in the ISA reporting? The only thing I can remember is that I've applied all the latest Windows updates to the base OS. Not applied SP2 for ISA 2004 yet. Ashok.
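The triage this thread works through (are the external client IPs visitors to published sites, or outside clients relaying through the proxy?) can be scripted over exported log records. The following is an added example, not part of any post above and not ISA Server's own log format: the tab-separated layout, the rule names, the internal ranges and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumed internal ranges; replace with the networks defined as Internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumed names of the web publishing rules (OWA and published applications).
PUBLISHING_RULES = {"OWA Publishing", "WebApp Publishing"}

# Constructed sample records: client_ip, rule, destination_host (tab-separated).
SAMPLE_LOG = """\
10.1.2.15\tInternet Access\twww.example.com
10.1.2.15\tInternet Access\twww.example.org
203.0.113.40\tOWA Publishing\tmail.example.net
203.0.113.40\tOWA Publishing\tmail.example.net
198.51.100.7\tWebApp Publishing\tapp.example.net
198.51.100.99\tInternet Access\twww.example.com
not-an-ip\tInternet Access\twww.example.com
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def triage(log_text):
    """Count requests per client, splitting external clients into two buckets."""
    result = {"internal": Counter(), "published": Counter(),
              "investigate": Counter(), "unparsed": 0}
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 3:
            result["unparsed"] += 1
            continue
        client, rule, _dest = row
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            result["unparsed"] += 1  # malformed client field, count it and move on
            continue
        if is_internal(ip):
            result["internal"][client] += 1
        elif rule in PUBLISHING_RULES:
            result["published"][client] += 1    # visitor to a published site
        else:
            result["investigate"][client] += 1  # outside client on an outbound rule
    return result

if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_LOG).items():
        print(bucket, dict(value) if isinstance(value, Counter) else value)
```

Any client that lands in the `investigate` bucket is an address outside the internal ranges that matched a non-publishing rule, which is the open-proxy case described earlier in the thread.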