Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Kevin Williams (kwilliamssark.com)
Date: Wed Sep 19 2001 - 10:27:18 CDT
I've got local web sessions showing up in ISA server with foreign (outside
my LAN) IP addresses. I run a network scan on each IP that shows up, and
they all seem to be infected with Nimda.A. This seems to be an obvious bug
in ISA, but I can't quite figure it out.
All our IIS boxes are hardened and patched, and we're not infected. The ISA
server is configured to not allow un-authenticated web sessions. I'm
assuming these are SecureNAT sessions where the IP of our ISA server is
spoofed as the gateway of the remote machine, but it still doesn't quite
Anyone have any ideas? I know others are having the same thing, because I've
been in the various microsoft.public.isaserver.* newsgroups, but nobody is
getting any answers. Microsoft, what's up?
Kevin D. Williams, MCP
Network Administrator / Infrastructure Specialist / Consultant
Software Architects, Inc.