Welcome to ISAserver.org

Strange record in my ISA Server LOG! Hacker?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 General] >> General >> Strange record in my ISA Server LOG! Hacker?

Page: [1]

Message

<< Older Topic Newer Topic >>

Strange record in my ISA Server LOG! Hacker? - 15.Mar.2002 5:26:00 AM

xadave

Posts: 21
Joined: 25.Oct.2001
Status: offline

Hi, I found some strange record in our ISA Server Web Proxy LOG, such as below:

202.38.245.249, anonymous, Mozilla/4.0 (compatible; MSIE 4.01; Windows 95), N, 3/15/2002, 0:11:50, W3ReverseProxy, PROXYSERVER, -, www.ebay.com, -, 0, 0, 149, 0, -, -, GET, http://www.ebay.com/, -, -, 12202, -, Default rule, -

The IP(202.38...) is not private IP of our LAN user! Does this mean that some hackers have attacked at our ISA Server and have controled it?
I am not clear about these records. Any help? Thanks.
David

Post #: 1

Featured Links*

RE: Strange record in my ISA Server LOG! Hacker? - 15.Mar.2002 6:51:00 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi David,

That's pretty interesting, because someone sent a request to your Incoming Web Requests listener for www.ebay.com! I wonder how your ISA Server got associated with ebay? Probably some cache poisoning somewhere?

I'd keep an eye on it!

HTH,
Tom

(in reply to xadave)

Post #: 2

RE: Strange record in my ISA Server LOG! Hacker? - 17.Mar.2002 2:03:00 AM

chzhed

Posts: 5
Joined: 11.Mar.2002
Status: offline

Yea, definately keep an eye on that... Here is the ownership info for the IP in that log:

inetnum: 202.38.192.0 - 202.38.255.255
netname: SCUT-CN
descr: ~{;*DO@m9$4sQ'~}
descr: South China University of Technology
descr: Guangzhou, Guangdong 510641, China
country: CN
admin-c: LZ1-CN
tech-c: LZ1-CN
notify: dbmon@apnic.net
changed: hostmaster@apnic.net 19940908
source: APNIC

(in reply to xadave)