
Late night or Early Morning Logon? Am I being hacked?? Please Help

Status
Not open for further replies.

ftoddt

Technical User
Apr 26, 2003
180
US
Have been having some problems on the LAN. The most noticeable is having a printer with thousands of print jobs that were initiated in the middle of the night by a user who is a valid user but not here. Looking on the Event Viewer of the ISA server, I see a lot of 11PM and 4AM logons by ANONYMOUS LOGON that then get special privileges assigned to new logon in the next event window. Then I get a user name called "Domain"-ISA$. Some of my 4am logon/logoff entries apply to a user called
Not sure where to start. I have Norton Enterprise, and possibly one other Websense application that may access the internet for updates, but that is all I know of. I have no web server behind the ISA but do have a dual-NIC Exchange server that is open to the WAN side but transmits through the ISA side, which I hopefully will correct today and put it totally behind the ISA server.
Any suggestions as to what to do? I have looked over my domain controllers and cannot find any users called anonymous or my domain - isa$.
Please help.
Thanks
Todd
 
I would start with a virus scan on the ISA server and the Exchange server. So you have 2 points of entrance into your LAN, the ISA and Exchange. I would first put the Exchange server completely behind ISA, so you only have one point of entrance from the internet. Make sure you have strong admin passwords. Also check your IP packet filters for anything that might not be needed.

Nick
 
How does one check packet filters, and how does one determine what is needed and what is not? Did not get the Exchange behind the ISA, will have to study some more. Not sure I understand disable socket pooling on the ISA.
Thanks
 
Open ISA Manager, go to Access Policy, then right-click on IP Packet Filters and choose Properties. Enable packet filtering. I put a check in everything on all tabs; you may want to do this also. This will block any incoming connections to the ISA server unless you specify allow packet filters. Putting Exchange behind ISA is pretty simple. First you must change your MX record to point to the ISA server for internet mail (contact your ISP). Then disable the WAN NIC on your mail server. Set the default gateway on the internal NIC of the Exchange server to the internal IP of your ISA server. Make sure DNS resolution from the Exchange server still works.

Open ISA Manager, go to Server Publishing, right-click and click Secure Mail Server, then just follow the wizard. That is pretty much it. This will make your Exchange server much more secure.


Nick
 
Nick,
All tabs were checked already except for, under Packet Filters, the "Log packets from 'Allow' filters" option, and the one called PPTP; in that tab there is only one to be checked and it is "PPTP through ISA firewall", which is not checked. Should I do those? I also found some research about an IIS 5.0 problem: if you are running it, a hacker can come in through port 80 or 443 and get you. I had a web server up running IIS 5.0 but am unsure if all the servers are running IIS 5.0, since I see in Services that IIS is running. The web server is down and only LAN to the internal system at this time until I can configure it behind the ISA. This IIS 5.0 problem has a patch which I tried to apply, but it said no because I had a more recent SP4 update applied. I was getting print jobs galore, and it was from allowing internet print jobs, I believe, which I have deactivated on all servers.
I have to leave this problem for a few days ...

Thanks,
Todd
 
Still in need of help. Looking over Event Viewer on ISA under Security, I see numerous Success Audit ANONYMOUS LOGON Logon/Logoff event 538 and Privilege Use event 576 late at night when no one is here. I am also finding viruses being picked up by antivirus within a minute after. How do I stop this Anonymous Logon to the ISA server? There are also some where the user is SYSTEM.
I really feel I need to block these.
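The triage the poster is doing by hand in Event Viewer (spotting ANONYMOUS LOGON 538/576 entries at 11PM and 4AM) can be scripted once the Security log is exported to text. The script below is an added example, not code from the thread or from ISA Server; it assumes a constructed pipe-delimited export format (`timestamp|event id|account|description`) and the Windows 2000 event ids the poster names (538 logoff, 576 special privileges assigned) plus 540 (successful network logon), which precedes a 538 for the same session. It flags anonymous activity outside business hours, builds a per-hour histogram so the 11PM/4AM pattern stands out, and pairs each anonymous logon with a 576 granted within a minute, since a bare anonymous network logon is routine on a Windows 2000 domain while one that is immediately assigned privileges is the entry worth correlating with the antivirus alerts.

```python
"""Triage an exported Windows Security log for off-hours ANONYMOUS LOGON activity.

Assumed input format (constructed for this example, not ISA's native export):
    <YYYY-MM-DD HH:MM:SS>|<event id>|<account>|<description>
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export mirroring the thread's event ids. The 23:01 and
# 04:00 sessions are the suspicious pattern; the 12:30 one is ordinary daytime
# null-session noise with no privilege assignment.
SAMPLE_LOG = """\
2003-04-26 09:15:02|540|DOMAIN\\todd|Successful network logon
2003-04-26 09:15:03|576|DOMAIN\\todd|Special privileges assigned to new logon
2003-04-26 23:01:10|540|ANONYMOUS LOGON|Successful network logon
2003-04-26 23:01:11|576|ANONYMOUS LOGON|Special privileges assigned to new logon
2003-04-26 23:01:45|538|ANONYMOUS LOGON|User logoff
2003-04-27 04:00:07|540|ANONYMOUS LOGON|Successful network logon
2003-04-27 04:00:08|576|ANONYMOUS LOGON|Special privileges assigned to new logon
2003-04-27 04:03:30|538|ANONYMOUS LOGON|User logoff
2003-04-27 04:10:00|540|DOMAIN\\DOMAIN-ISA$|Successful network logon
2003-04-27 12:30:00|540|ANONYMOUS LOGON|Successful network logon
2003-04-27 12:30:20|538|ANONYMOUS LOGON|User logoff
"""

BUSINESS_START = 7      # first business hour (inclusive)
BUSINESS_END = 19       # end of business hours (exclusive)
LOGON_IDS = {528, 540}  # Windows 2000: interactive logon, network logon
PRIV_ID = 576           # Windows 2000: special privileges assigned to new logon
ANON = "ANONYMOUS LOGON"


def parse_line(line):
    """Split one exported record into a dict with a real datetime."""
    ts, event_id, account, desc = line.split("|", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id), "account": account, "desc": desc}


def parse_log(text):
    """Parse every non-blank line and return events sorted by time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["time"])


def is_off_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    return not (start <= ts.hour < end)


def off_hours_anonymous(events):
    """All ANONYMOUS LOGON records (logon, privilege, logoff) outside business hours."""
    return [e for e in events if e["account"] == ANON and is_off_hours(e["time"])]


def privileged_anonymous_logons(events, window=timedelta(seconds=60)):
    """Pair each anonymous logon (528/540) with a 576 for the same account within `window`.

    Returns a list of (logon time, privilege time) tuples. Events must be sorted.
    """
    hits = []
    for i, e in enumerate(events):
        if e["account"] != ANON or e["id"] not in LOGON_IDS:
            continue
        for f in events[i + 1:]:
            if f["time"] - e["time"] > window:
                break
            if f["id"] == PRIV_ID and f["account"] == e["account"]:
                hits.append((e["time"], f["time"]))
                break
    return hits


def hourly_histogram(events):
    """Count anonymous records per hour of day, so recurring 11PM/4AM bursts stand out."""
    return Counter(e["time"].hour for e in events if e["account"] == ANON)


def summarize(text):
    events = parse_log(text)
    return {
        "off_hours_anon": len(off_hours_anonymous(events)),
        "priv_pairs": privileged_anonymous_logons(events),
        "by_hour": dict(hourly_histogram(events)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("anonymous records outside business hours:", report["off_hours_anon"])
    for logon, priv in report["priv_pairs"]:
        print(f"anonymous logon at {logon} granted privileges at {priv}")
    for hour, n in sorted(report["by_hour"].items()):
        print(f"{hour:02d}:00  {'#' * n}")
```

Run against a real export, the interesting output is the list of logon/privilege pairs: their timestamps are what to line up against the antivirus detections and the print-spooler job submissions the poster mentions, and the account that appears in the 576's privilege list (not shown in this simplified export) tells you which right was granted.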
 