Full Version: What would you say this ISA log is saying?
Neowin Forums > Windows Support > Windows NT4/2000/2003/2008 Server
JJ6829
Hi, I found the following in the firewall service log for ISA; this goes on for most of the day in the same periodic fashion.

[attachmentid=103604]

As you can see, 192.168.100.121 (workstation with Apache on it for our SVN) tries to access 192.168.1.24, 192.168.1.22, 196.168.0.111, and 192.168.1.103. The problem is, our DHCP pool is from 192.168.1.100 to .255, meaning the IPs are part of a LAN, but not our LAN. (103 is dedicated to a WAN Miniport according to the DHCP manager.) All the requests are on the SNMP port, 161.

During this time, I ran a tool from MS for interpreting event logs, and it looks like someone was trying out a bunch of default usernames and passwords to get in, with times corresponding to the events in the first log.

[attachmentid=103603]

When I scan 192.168.100.121, 161 is not open, and the SBSSERVER only has 5 ports open, all of which are needed and wouldn't interfere.

(SBSSERVER is running Exchange, ISA, WUS, AD, and is acting as a file server, as it's an SBS 2003 server; 192.168.100.121 is a workstation that's part of the domain managed by SBSSERVER.)

WAN -> SBSSERVER (LAN) -> SWITCH -> WORKSTATIONS
Eversurf
Could it be a printer? Can you ping those devices you are talking about?

Did you change any passwords recently? It might be a service trying to access some resources.
JJ6829
Can't ping it, and it's not a printer, because it's the same pattern every time (same IPs and same order).

I don't think it has to do with passwords, because the IPs don't exist and never have.


JJ6829
Alright, ran a capture on the LAN and WAN interfaces.

On the LAN, the .121 was talking to the above IPs on TCP 9100 and then on SNMP (port 161 UDP). On the WAN interface, the 5 unknown IPs were somehow talking over SNMP again, but none of my other internal IPs had any entry in this capture.

I'm wondering about http://lists.virus.org/dshield-0302/msg00243.html though.
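
The pattern the two posts above describe (one LAN host hitting the same off-subnet private addresses, on TCP 9100 and then UDP 161, in the same order at a fixed interval) is easy to pull out of a firewall log mechanically. The script below is an added example, not code from the thread: it parses a simplified W3C-style log whose `#Fields:` layout I chose myself (it is not ISA's exact field list, so adjust the column names to your export), keeps only 9100/161 traffic to RFC 1918 addresses that are not on any of your own subnets, and then checks whether each source repeats the same ordered sweep and at what period. The LAN being 192.168.100.0/24 and the sample log lines are assumptions.

```python
"""Find periodic printer-style sweeps (TCP 9100 / UDP 161) from a LAN host to
private addresses that are not ours.  Added example; log layout is a
simplified W3C-style format of my own, not ISA's exact field list."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three identical sweeps ten minutes apart from .121,
# one lone SNMP packet from another host, and one normal HTTPS connection.
SAMPLE_LOG = """\
#Software: constructed sample, not a real ISA export
#Fields: log-date log-time client-ip destination-ip destination-port protocol
2009-03-02 09:00:01 192.168.100.121 192.168.1.24 9100 TCP
2009-03-02 09:00:01 192.168.100.121 192.168.1.24 161 UDP
2009-03-02 09:00:02 192.168.100.121 192.168.1.22 9100 TCP
2009-03-02 09:00:02 192.168.100.121 192.168.1.22 161 UDP
2009-03-02 09:00:03 192.168.100.121 192.168.1.103 9100 TCP
2009-03-02 09:00:03 192.168.100.121 192.168.1.103 161 UDP
2009-03-02 09:03:10 192.168.100.50 10.1.2.3 161 UDP
2009-03-02 09:04:00 192.168.100.121 192.168.100.1 443 TCP
2009-03-02 09:10:01 192.168.100.121 192.168.1.24 9100 TCP
2009-03-02 09:10:01 192.168.100.121 192.168.1.24 161 UDP
2009-03-02 09:10:02 192.168.100.121 192.168.1.22 9100 TCP
2009-03-02 09:10:02 192.168.100.121 192.168.1.22 161 UDP
2009-03-02 09:10:03 192.168.100.121 192.168.1.103 9100 TCP
2009-03-02 09:10:03 192.168.100.121 192.168.1.103 161 UDP
2009-03-02 09:20:01 192.168.100.121 192.168.1.24 9100 TCP
2009-03-02 09:20:01 192.168.100.121 192.168.1.24 161 UDP
2009-03-02 09:20:02 192.168.100.121 192.168.1.22 9100 TCP
2009-03-02 09:20:02 192.168.100.121 192.168.1.22 161 UDP
2009-03-02 09:20:03 192.168.100.121 192.168.1.103 9100 TCP
2009-03-02 09:20:03 192.168.100.121 192.168.1.103 161 UDP
"""

PRINTER_PORTS = {("TCP", 9100), ("UDP", 161)}   # raw JetDirect, SNMP
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields: header for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def is_foreign_private(ip, local_nets):
    """RFC 1918 address that is NOT on one of our own subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in PRIVATE) and not any(addr in n for n in local_nets)


def split_sweeps(events, gap=timedelta(seconds=60)):
    """Group a source's (timestamp, dst) events into bursts separated by > gap."""
    sweeps, current = [], []
    for ts, dst in sorted(events):
        if current and ts - current[-1][0] > gap:
            sweeps.append(current)
            current = []
        current.append((ts, dst))
    if current:
        sweeps.append(current)
    return sweeps


def sweep_order(sweep):
    """Ordered destinations of a burst, collapsing 9100-then-161 to the same host."""
    order = []
    for _, dst in sweep:
        if not order or order[-1] != dst:
            order.append(dst)
    return tuple(order)


def find_printer_sweeps(text, local_nets, min_repeats=2):
    """Per source host: destinations probed, the repeated order, and the period."""
    local_nets = [ipaddress.ip_network(n) for n in local_nets]
    events = defaultdict(list)
    for rec in parse_w3c(text):
        if (rec["protocol"].upper(), int(rec["destination-port"])) not in PRINTER_PORTS:
            continue
        if not is_foreign_private(rec["destination-ip"], local_nets):
            continue
        ts = datetime.strptime(rec["log-date"] + " " + rec["log-time"], "%Y-%m-%d %H:%M:%S")
        events[rec["client-ip"]].append((ts, rec["destination-ip"]))

    findings = {}
    for src, evs in events.items():
        sweeps = split_sweeps(evs)
        orders = [sweep_order(s) for s in sweeps]
        common = max(set(orders), key=orders.count)   # most frequent ordering
        starts = [s[0][0] for s, o in zip(sweeps, orders) if o == common]
        period = None
        if len(starts) >= 2:
            gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
            period = sum(gaps) / len(gaps)
        findings[src] = {
            "destinations": sorted({d for _, d in evs}),
            "order": list(common),
            "repeats": len(starts),
            "period_seconds": period,
            "periodic": len(starts) >= min_repeats,
        }
    return findings


if __name__ == "__main__":
    for src, info in find_printer_sweeps(SAMPLE_LOG, ["192.168.100.0/24"]).items():  # assumed LAN
        print(src, info)
```

A host whose report shows `periodic: True` with the same `order` every time is behaving like a print spooler or monitoring agent walking a fixed list of configured devices, not like a scanner, which is what separates stale printer ports from a real sweep; a single hit (the 192.168.100.50 line in the sample) is reported but not marked periodic, so it still deserves a look rather than being written off.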

e4ymod
Check to see if those addresses are on your LAT.
Eversurf
Disable SNMP on the device, and I'm pretty sure that port 9100 is a printer port.
JJ6829
I think I already figured part of it out (the 9100 part). It seems the .121 computer used to be a print-shop server and had a bunch of different printers connected to it, but their ports were never deleted.

Thanks guys.
Invision Power Board © 2001-2009 Invision Power Services, Inc.