Strange Web Proxy forward traffic

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client





richstaples -> Strange Web Proxy forward traffic (23.Jun.2010 10:12:58 PM)

I recently had an issue with a virus on a client machine. This machine is using the ISA Firewall Client software and is behind an ISA Server 2004. The client is XP SP3. I find tons of traffic similar to the following, none of which is initiated by a user. In my example I have substituted the actual domain name and the client host name in the "User" section. This appears in the Client Username column in the ISA logging and always contains the "$" after the actual hostname. I also replaced the source IP address with "#" for this post.

Log type: Web Proxy (Forward)
Status: 200 OK
Rule: Web Access Only
Source: Internal ( ###.##.#.###:0)
Destination: External (i104.panamamails.com 213.163.89.104:80)
Request: GET http://213.163.89.104/TvF4xsJp606xnjs3Y2xrPTEuNyZiaWQ9NjQ0OGI1Mjg0YWQxZWJlYzY3MmJjYTIxOGQzMjc5ODQ5ODIxOGFhMSZhaWQ9MTAwOTYmc2lkPTAmcmQ9MTI3NTkyNzc1NA==28x
Filter information: Req ID: 07373aaf
Protocol: http
User: DOMAINNAME\HOSTNAME$
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NE...
Object source: Internet
Processing time: 2875
Cache info: 0x400005
MIME type: -

I cannot find anything running on the client and virus scans show clean. A netstat reveals no abnormal connections. I cannot find the source.

Any help is appreciated.
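Added example, not code from the original post or from ISA Server: a small Python triage script run over the log entry quoted above. The `$` suffix ISA logged in the User column is the computer account, which is what the Firewall Client presents when the requesting process runs as LocalSystem or NetworkService rather than as the logged-on user; the script flags that, a browser User-Agent coming from such a context, a bare IP literal as the HTTP host, and a base64 blob in the URL path. It also decodes the blob: the 112 characters after the 16-character prefix decode to a plain `key=value` string. The function names, the heuristics, and the reading of the `rd` parameter as a Unix timestamp are this example's assumptions; the log text is the post's entry with the source IP masked as in the original.

```python
"""Triage helper for an ISA Server 2004 Web Proxy (Forward) log entry.

Added example (not from the original post or from ISA Server). Field names are
ISA's own; function names, scoring and the Unix-timestamp reading of 'rd' are
assumptions made for this example.
"""
import base64
import binascii
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the entry quoted in the post, source IP masked as there.
SAMPLE_ENTRY = r"""
Log type: Web Proxy (Forward)
Status: 200 OK
Rule: Web Access Only
Source: Internal ( ###.##.#.###:0)
Destination: External (i104.panamamails.com 213.163.89.104:80)
Request: GET http://213.163.89.104/TvF4xsJp606xnjs3Y2xrPTEuNyZiaWQ9NjQ0OGI1Mjg0YWQxZWJlYzY3MmJjYTIxOGQzMjc5ODQ5ODIxOGFhMSZhaWQ9MTAwOTYmc2lkPTAmcmQ9MTI3NTkyNzc1NA==28x
Filter information: Req ID: 07373aaf
Protocol: http
User: DOMAINNAME\HOSTNAME$
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NE...
"""

MACHINE_ACCOUNT = re.compile(r"^[^\\]+\\[^\\]+\$$")   # DOMAIN\HOST$
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")      # runs long enough to bother with


def parse_entry(text):
    """Split an ISA 'Field: value' block into a dict (split on the first ': ')."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_machine_account(user):
    """DOMAIN\\HOST$ means the request was authenticated with the computer
    account, i.e. it came from a process running as SYSTEM or NetworkService,
    not from the interactive user."""
    return bool(MACHINE_ACCOUNT.match(user))


def decode_embedded_base64(text):
    """Return (junk_prefix, decoded) for the longest base64 run in `text` that
    decodes to printable ASCII, trying every 4-aligned start offset so that a
    binary or random prefix (16 characters in the sample) is skipped.
    Returns (None, None) when nothing decodes cleanly."""
    for run in sorted(B64_RUN.findall(text), key=len, reverse=True):
        for start in range(len(run) % 4, len(run), 4):
            try:
                raw = base64.b64decode(run[start:], validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and all(32 <= b < 127 for b in raw):
                return run[:start], raw.decode("ascii")
    return None, None


def triage(entry_text):
    """Score one Web Proxy (Forward) entry and return the findings as a dict."""
    f = parse_entry(entry_text)
    _method, _, url = f.get("Request", "").partition(" ")
    parts = urlsplit(url)
    prefix, decoded = decode_embedded_base64(parts.path.strip("/"))
    params = {k: v[0] for k, v in parse_qs(decoded or "").items()}
    findings = {
        "user": f.get("User", ""),
        "machine_account": is_machine_account(f.get("User", "")),
        "browser_agent": f.get("Client agent", "").startswith("Mozilla/"),
        "ip_literal_host": bool(IPV4_LITERAL.match(parts.hostname or "")),
        "junk_prefix": prefix,
        "decoded": decoded,
        "params": params,
        "beacon_time": None,
    }
    # Assumption: 'rd' is a Unix timestamp (it is a 10-digit integer in the sample).
    if params.get("rd", "").isdigit():
        findings["beacon_time"] = datetime.fromtimestamp(int(params["rd"]), timezone.utc)
    reasons = []
    if findings["machine_account"]:
        reasons.append("authenticated as the computer account, not an interactive user")
    if findings["machine_account"] and findings["browser_agent"]:
        reasons.append("browser User-Agent sent from a non-interactive (service) context")
    if findings["ip_literal_host"]:
        reasons.append("HTTP host is a bare IP literal rather than a hostname")
    if decoded:
        reasons.append("base64-encoded parameters carried in the URL path")
    findings["reasons"] = reasons
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

Run as-is it prints the findings for the sample; for a live investigation, export the ISA log, split it into entry blocks and pass each to `triage()`. The decoded path is `clk=1.7&bid=<40 hex chars>&aid=10096&sid=0&rd=1275927754`, and if `rd` is a Unix timestamp it falls on 7 June 2010, a couple of weeks before the post. On the client side, the `$` account is the useful lead: `netstat` only shows connections that are open at the moment it runs, so short-lived HTTP beacons are easy to miss, whereas anything authenticating as the computer account must be a service, scheduled task or other process running as SYSTEM or NetworkService, which narrows where to look.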



