
I Need Professional Help! ISA

19 years 9 months ago #4544 by MooDy
:roll:
Greetz,
I need some help analyzing the ISA firewall log... here is my case.

I have a webserver running www.XYZ.com.

XYZ is forwarded through ISA publishing to an ASP file that redirects the website to a virtual directory (response.redirect).

Now one morning I was doing a normal check on the websites and I found that www.XYZ.com was showing some text from some hacker who had changed the content of the .ASP file.

It wasn't really a good hack, although the problem was that one of the developers gave the write permission, BUT I really want to know how he reached the .asp file, which sits on a server behind the ISA!!!

Now I have gone through the log and noticed that some were trying to find out the OS type and some used WGET to download the content of it. Have a look.

200.162.208.250 anonymous Microsoft Data Access Internet Publishing Provider Protocol Discovery
200.162.208.250 anonymous MSFrontPage/5.0
213.219.122.11 anonymous Wget/1.9.1
213.219.122.11 anonymous Sprint (safemode.org)
213.219.122.11 anonymous Sprint (safemode.org)
213.219.122.11 anonymous Wget/1.9.1

I know that this ain't enough information but can you try figuring it out?
And if you have some good ISA firewall analyzer, will you show me where I can get it from?

Yours ,
Moo
19 years 9 months ago #4558 by sahirh
Most likely he used a vulnerability in IIS.

I don't see how the firewall would've stopped the attack if access was already allowed to the asp page.

Can you detail the architecture and what happened in more depth?

Cheers

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
19 years 9 months ago #4566 by MooDy
:shock:
Oh yeah, the firewall won't stop the attack and that's for sure,
he used port 80, that's what it looks like in the ISA log files.
Let me show you this.

200.162.208.250 anonymous Microsoft Data Access Internet Publishing Provider DAV 1.1 2004-07-26 06:02:21 ISAFEGEO01 - www.bahrainexplorer.com 172.20.4.10 80 609 235 4118 http PUT http://172.20.4.10/www.arplhmd.cjb.net_025451 Inet 403

Now that was the weirdest request I've ever seen lol!
One of our developers, as I said before, enabled some features like write permissions and enabled CGI scripts as well when we didn't need them.

My question was: how is he able to do that even though the ISA server is the one sending and retrieving the requests, ISA1 (DNS)?
The hacker doesn't have direct access to the webserver; I'm getting confused with ISA, Cisco PIX was much easier and safer.

Yourz , :roll:
Moo

P.S. The webserver was updated with the latest patches + SP4.
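A quick triage script for the kind of ISA web-proxy log line quoted above, added here as an example (not code from the thread or from any of the posters). It parses the whitespace-separated line from both ends so that user agents containing spaces survive, then flags WebDAV/write methods (the PUT that got a 403) and scripted or authoring user agents (Wget, FrontPage, the MDAC publishing provider). The field layout is assumed from the single sample line in the thread, and the log lines below are constructed with documentation IP ranges.

```python
"""Flag write-style (WebDAV/upload) requests and scripted user agents in
ISA Server web-proxy log lines.  Added example, not from the forum thread.
Assumed field layout (inferred from the sample line in the thread):
  client_ip user agent... date time server - dest_host dest_ip dest_port
  time_taken bytes_sent bytes_recv protocol method url source status
"""
from dataclasses import dataclass

# Methods that modify content on the published server.  A PUT/MKCOL/MOVE
# arriving from the Internet through a publishing rule that only needs GET
# is worth an alert even when the server answered 403.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK"}
# Agents that indicate scripted download or authoring/WebDAV clients.
SCRIPTED_AGENTS = ("Wget/", "MSFrontPage",
                   "Microsoft Data Access Internet Publishing Provider")
TRAILING_FIELDS = 15  # fixed fields after the user agent: date ... status


@dataclass
class IsaEntry:
    client_ip: str
    user: str
    agent: str
    dest_host: str
    method: str
    url: str
    status: int


def parse_line(line):
    """Parse one log line; returns None if it has too few fields."""
    parts = line.split()
    if len(parts) < 2 + 1 + TRAILING_FIELDS:
        return None
    tail = parts[-TRAILING_FIELDS:]
    agent = " ".join(parts[2:-TRAILING_FIELDS])  # agent may contain spaces
    return IsaEntry(parts[0], parts[1], agent, tail[4], tail[11], tail[12], int(tail[14]))


def findings(entry):
    """Reasons this entry deserves a closer look (empty list = benign)."""
    reasons = []
    if entry.method in WRITE_METHODS:
        reasons.append(f"write method {entry.method} -> {entry.url}")
    if entry.agent.startswith(SCRIPTED_AGENTS):
        reasons.append(f"scripted/authoring agent {entry.agent!r}")
    return reasons


def scan(lines):
    """Return (client_ip, method, status, reasons) for each suspicious entry."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (reasons := findings(entry)):
            out.append((entry.client_ip, entry.method, entry.status, reasons))
    return out


# Constructed sample log (RFC 5737 addresses), modelled on the thread's line.
SAMPLE_LOG = [
    "198.51.100.7 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) "
    "2004-07-26 06:01:10 ISA01 - www.example.com 192.0.2.10 80 120 310 2048 "
    "http GET http://192.0.2.10/default.asp Inet 200",
    "203.0.113.5 anonymous Microsoft Data Access Internet Publishing Provider DAV 1.1 "
    "2004-07-26 06:02:21 ISA01 - www.example.com 192.0.2.10 80 609 235 4118 "
    "http PUT http://192.0.2.10/defaced_025451 Inet 403",
    "203.0.113.9 anonymous Wget/1.9.1 2004-07-26 06:05:02 ISA01 - www.example.com "
    "192.0.2.10 80 88 150 9000 http GET http://192.0.2.10/default.asp Inet 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against a real ISA export only after confirming the column order matches, since the script assumes the 15 trailing fields shown in the thread's line.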
19 years 9 months ago #4579 by jhun
Hi

Well, as far as I know ISA has an external IP address and an internal IP address. Every time a user wishes to access, say, an email server, or in your case a web server, the external IP address is what is shown to the end user. Then the job of ISA is to redirect the requesting party to the appropriate internal IP address of the web server. Unless ISA is properly configured to not allow anonymous connections with privileges, anyone who gains access to your site could have the power to alter it according to their preference, since according to you, your developers created the site with read and write permissions, which I believe is a no-no... But anyway, try to look at your ISA server and make sure that it functions not only as a proxy server but also as a firewall as well...

Hope that this has helped.