TOPIC: I NeeD a Professional Help ! ISA

I NeeD a Professional Help ! ISA 13 years 11 months ago #4544

MooDy (Topic Author, New Member, Posts: 4)
:roll:
Greetz,
I need some help analyzing the ISA firewall log ... here is my case.

I have a webserver running www.XYZ.com.

XYZ is forwarded through ISA publishing to an ASP file that will redirect the website to a virtual directory (response.redirect).

Now one morning I was doing a normal check on the websites and I found that www.XYZ.com was showing some text from some hacker who changed the content of the .ASP file.

It wasn't really a good hack, although the problem was one of the developers gave the write permission, BUT I really want to know how he reached the .asp file which comes on a server after the ISA!!!

Now I have gone through the log and noticed that some were trying to know the OS type and some used WGET to download the content of it. Have a look.

200.162.208.250 anonymous Microsoft Data Access Internet Publishing Provider Protocol Discovery
200.162.208.250 anonymous MSFrontPage/5.0
213.219.122.11 anonymous Wget/1.9.1
213.219.122.11 anonymous Sprint (safemode.org)
213.219.122.11 anonymous Sprint (safemode.org)
213.219.122.11 anonymous Wget/1.9.1

I know that this ain't enough information but can you try figuring it out?
And if you have some good ISA firewall analyzer, will you show me where I can get it from,

Yours ,
Moo

Re: I NeeD a Professional Help ! ISA 13 years 11 months ago #4558

Most likely he used a vulnerability in IIS.

I don't see how the firewall would've stopped the attack if access was already allowed to the asp page.

Can you detail the architecture and what happened in more depth?

Cheers

Re: I NeeD a Professional Help ! ISA 13 years 11 months ago #4566

MooDy (Topic Author, New Member, Posts: 4)
:shock:
Oww yeah, the firewall won't stop the attack and that's for sure,
he used port 80, that's what it looks like in the ISA log files.
Let me show you this.

200.162.208.250 anonymous Microsoft Data Access Internet Publishing Provider DAV 1.1 2004-07-26 06:02:21 ISAFEGEO01 - www.bahrainexplorer.com 172.20.4.10 80 609 235 4118 http PUT http://172.20.4.10/www.arplhmd.cjb.net_025451 Inet 403

Now that was the weirdest request I've ever seen lol!
One of our developers, as I quoted before, enabled some features like write permissions and enabled CGI scripts as well when we didn't need them.

My question was: how is he able to do that even though the ISA server is the one sending and retrieving the requests ISA1 (DNS)?
The hacker doesn't have direct access to the webserver. I'm getting confused with ISA, Cisco PIX was much easier and safer.

Yourz, :roll:
Moo

P.S. The webserver was updated with the latest patches + SP4.
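As an added example (not code from anyone in this thread), a small Python triage script that parses ISA web proxy log lines in the layout of the entry quoted above and flags WebDAV write methods and the authoring/download agents that appear in the thread; the field order and the extra sample lines are assumptions, constructed for the example.

```python
"""Triage ISA web proxy log lines for WebDAV/HTTP write attempts.

Assumed field layout (matches the line quoted in the thread; ISA lets you
reorder log fields, so check your own export): client IP, username,
user agent (may contain spaces), date, time, ISA server name, referrer,
destination host, destination IP, port, time taken, bytes sent,
bytes received, protocol, method, URL, object source, HTTP status.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Methods that change content on a server with write/WebDAV enabled.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Agents seen in the thread that are authoring tools or downloaders, not browsers.
AUTHORING_AGENTS = ("Internet Publishing Provider", "FrontPage", "Wget")

@dataclass
class Record:
    client_ip: str; user: str; agent: str; date: str; time: str
    host: str; method: str; url: str; status: int

def parse_isa_line(line: str) -> Optional[Record]:
    """Split one line; the agent is everything between username and date."""
    t = line.split()
    date_idx = next((i for i, tok in enumerate(t) if DATE_RE.match(tok)), None)
    if date_idx is None or len(t) < date_idx + 15 or not t[-1].isdigit():
        return None  # not in the assumed layout
    rest = t[date_idx + 2:]  # server, referrer, host, ip, port, ttaken, in, out, proto, method, url, src, status
    return Record(client_ip=t[0], user=t[1], agent=" ".join(t[2:date_idx]),
                  date=t[date_idx], time=t[date_idx + 1], host=rest[2],
                  method=rest[9], url=rest[10], status=int(rest[12]))

def triage(lines: List[str]) -> List[str]:
    """One finding per line that is a write attempt or comes from an authoring agent."""
    findings = []
    for line in lines:
        r = parse_isa_line(line)
        if r is None:
            continue
        if r.method in WRITE_METHODS:  # a 2xx here means the server accepted the write
            outcome = "ACCEPTED" if 200 <= r.status < 300 else f"rejected ({r.status})"
            findings.append(f"{r.date} {r.time} {r.client_ip} {r.method} {r.url} -> {outcome}")
        elif any(a in r.agent for a in AUTHORING_AGENTS):
            findings.append(f"{r.date} {r.time} {r.client_ip} authoring/downloader agent: {r.agent}")
    return findings

SAMPLE_LOG = [  # first line is the one quoted in the thread; the rest are constructed
    "200.162.208.250 anonymous Microsoft Data Access Internet Publishing Provider DAV 1.1 2004-07-26 06:02:21 ISAFEGEO01 - www.bahrainexplorer.com 172.20.4.10 80 609 235 4118 http PUT http://172.20.4.10/www.arplhmd.cjb.net_025451 Inet 403",
    "203.0.113.5 anonymous Wget/1.9.1 2004-07-26 06:05:02 ISAFEGEO01 - www.example.com 172.20.4.10 80 120 180 5120 http GET http://172.20.4.10/default.asp Inet 200",
    "203.0.113.5 anonymous Microsoft Data Access Internet Publishing Provider DAV 1.1 2004-07-26 06:07:45 ISAFEGEO01 - www.example.com 172.20.4.10 80 300 2048 210 http PUT http://172.20.4.10/default.asp Inet 201",
    "198.51.100.7 anonymous Mozilla/4.0 (compatible; MSIE 6.0) 2004-07-26 06:08:10 ISAFEGEO01 - www.example.com 172.20.4.10 80 90 220 4096 http GET http://172.20.4.10/default.asp Inet 200",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a full day's export, a `PUT` with a 2xx status against a published server is the line to chase, since a 403 like the one above means IIS refused the write.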

Re: I NeeD a Professional Help ! ISA 13 years 11 months ago #4579

jhun (Senior Member, Posts: 356)
hi

Well, as far as I know ISA is bearing an external IP address and an internal IP address. Every time that a user wishes to access, say, an email server, or in your case a web server, the external IP address will be shown to the one accessing the site. Then the job of the ISA is to redirect the requesting party to the appropriate internal IP address of the web server. Unless ISA is properly configured to not allow anonymous connections with privileges, then anyone who gains access to your site could have the power to alter it according to their preference, since according to you, your developers created the site with read, write permissions, which I believe is a no no... but anyway, try to look at your ISA server, and make sure that it functions not only as a proxy server but also as a firewall as well...

Hope that this has helped..