Re: ISA Server Report - "Traffic By Users - Bytes Out" > External?




Will do, thanks.

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:ef20OC3$GHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
Looks like you're doing all you can to try to track this down. Remember
with live logging you can copy to the clipboard and then into Notepad or
even Excel to be able to better view it.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23vgZBn2$GHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Am running a live log now and will stop it for review in a while. I
reviewed the ISA log for yesterday (11/2) and saw a whopping ~700 MB
Bytes Out from our Executive Director. I asked him about it and he says
he did NOT send much of anything yesterday. What's really interesting is
that I looked at a graph in the report and saw a peak right after he
logged in - about 7 am CST - that pegged the needle at 400-500 MB out. I
dug into his laptop and did not find any spyware or viruses. Couldn't
find any rogue programs in Control Panel, his C drive, or the registry.
Startup folder looks okay. I did find an odd program in Task Manager.
Turns out it's a file sharing program installed by default with Windows
Media 11 (I found this out via whatis.com). Based on the advice I saw, I
went into Services and changed it to Disabled.
He'll be gone next Monday and Tuesday, so I will run NetMon on the
server, plus a live log query on ISA for his first logon on Wednesday to
see what is going on. It's really puzzling to us both as this just
started about 8-9 days ago.

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:%23d0otIu$GHA.4892@xxxxxxxxxxxxxxxxxxxxxxx
Run it live instead of historically, but yes you may have to tweak the
parameters to try to pull in less data.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:OdHNH9r$GHA.144@xxxxxxxxxxxxxxxxxxxxxxx
Didn't work quite right. Gave back more than 10,000 records. I'll have
to try a few things to see what might work.

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:Oo%23rkrq$GHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Try it with that added address. I think you should include the web
proxy log as well.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23h5%23Bnq$GHA.4472@xxxxxxxxxxxxxxxxxxxxxxx
Would I do that by adding to the log query?:
Client IP equals 192.168.16.2 (IP of server/internal NIC)

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:ukNeogq$GHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
That looks ok. I'm not sure how to refine it further. Since the ISP
is seeing that large traffic perhaps you need to live monitor
outgoing traffic from both internal networks and the server itself
to external to see if anything unusual is there.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:uvhTFMq$GHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
Not sure if I set it up right. The log is:
Log record type equals Firewall
Log Time Last 24 hours
Bytes sent Greater than or equal 100
Client IP equals 192.168.16.13

It returned 553 items, and all had Local Host as the Destination
Network.

Saw many (several?) instances throughout of "Unidentified IP
Traffic" listed under Protocol, and the ports were 8080 (the one I
use for the proxy server, ISA) and 1745.

How can I/should I refine the log query to better return the
results I need?

Mike

"Steve" <newsgroup@xxxxxxxxxx> wrote in message
news:Os7nlBq$GHA.3536@xxxxxxxxxxxxxxxxxxxxxxx
Can you identify what was causing that traffic from the director?
It may not be his e-mail but something else. You can use the ISA
logging to run a query for a previous time frame to include when
that 196 MB was sent from his IP address and see if there is
something that stands out there.

"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:eY0XYqp$GHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium, Exchange, ISA 2004, WSUS, 2 NICs and a
router, dynamic IP from ISP, DDNS service from dyndns.org,
downloaded and am using GFI Web Monitor 30-day evaluation as of 1
Nov.
=======================
Noticed a week ago that our uploads through the ISP have spiked;
had been 10-40 MB/day, and now is up to 2 GB or more per day.
Can't figure out why, but I'm working on it. I downloaded GFI
Web Monitor to help me track individual users. It is a bit
better than ISA reports for that. Today I checked GFI and didn't
see anything remarkable, then ran an ISA report for yesterday and
saw we had 242 MB sent (Bytes Out) on the Traffic By User section
of the report. And our Executive Director had the most - 196 MB.
When I asked him about it, he said he only sent 2 emails - and
showed them to me. Should have been just a few KBs. So, I now
think we've been hijacked. Asked him to run a full scan with
his AV (Symantec Corporate Ed.), and a full scan with his SPAM
app.

I'm really not sure what I should do to try and identify the
problem. I know about NETMON, but not how to interpret the
results. I'm also worried about our security. I've got a good
password policy in-place, am running Symantec Corporate Ed. AV on
the server and feeding to the clients on each workstation. It
runs (on the server) once per week. (last scan was at 5:30 am on
the 29th - am running a full scan now.) Also have Windows
Defender running on the server once per day.

Any advice??

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization

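The thread keeps circling back to the same two questions: which internal host is actually pushing the bytes out to External, and where is it sending them. The script below is an added example (not from this thread, and not an ISA Server tool) that does that aggregation over a few constructed log lines. It assumes a simplified tab-separated export with the columns client-ip, dest-ip, dest-network, protocol, dest-port and bytes-sent; the real ISA 2004 export has a different and longer column layout, so the field names here are an assumption you would map onto your own export. Rows whose destination network is "Local Host" (the proxy hop on port 8080 that Mike saw) are excluded so that only traffic leaving to External is counted per client, and any client over a configurable threshold is flagged along with its top destinations.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log. Column layout is an assumption for this example,
# not the actual ISA Server 2004 W3C export format. Addresses in the
# 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses.
SAMPLE_LOG = """\
client-ip\tdest-ip\tdest-network\tprotocol\tdest-port\tbytes-sent
192.168.16.13\t192.168.16.2\tLocal Host\tUnidentified IP Traffic\t8080\t1200
192.168.16.13\t192.168.16.2\tLocal Host\tUnidentified IP Traffic\t1745\t300
192.168.16.2\t203.0.113.10\tExternal\tHTTP\t80\t450000000
192.168.16.2\t203.0.113.10\tExternal\tHTTP\t80\t260000000
192.168.16.20\t198.51.100.5\tExternal\tHTTPS\t443\t52000
192.168.16.13\t198.51.100.7\tExternal\tHTTP\t80\t8000
"""

MB = 1024 * 1024


def parse_log(text):
    """Parse the tab-separated export into a list of dicts with numeric fields."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        row["bytes-sent"] = int(row["bytes-sent"])
        row["dest-port"] = int(row["dest-port"])
        rows.append(row)
    return rows


def bytes_out_by_client(rows, exclude_networks=("Local Host",)):
    """Sum bytes sent per client IP, ignoring hops that stay on the ISA box.

    Proxied client traffic shows up once as client -> Local Host (port 8080)
    and again as the server -> External, so counting only the latter avoids
    double counting and reflects what actually left the network.
    """
    totals = defaultdict(int)
    for r in rows:
        if r["dest-network"] in exclude_networks:
            continue
        totals[r["client-ip"]] += r["bytes-sent"]
    return dict(totals)


def flag_heavy_senders(totals, threshold_bytes):
    """Return (client-ip, bytes) pairs at or above the threshold, sorted by IP."""
    return sorted((ip, b) for ip, b in totals.items() if b >= threshold_bytes)


def top_destinations(rows, client_ip, n=3):
    """Largest (dest-ip, protocol, port) buckets for one client, by bytes sent."""
    per_dest = defaultdict(int)
    for r in rows:
        if r["client-ip"] == client_ip and r["dest-network"] != "Local Host":
            key = (r["dest-ip"], r["protocol"], r["dest-port"])
            per_dest[key] += r["bytes-sent"]
    return sorted(per_dest.items(), key=lambda kv: kv[1], reverse=True)[:n]


def main():
    rows = parse_log(SAMPLE_LOG)
    totals = bytes_out_by_client(rows)
    # 100 MB/day is an arbitrary threshold; the thread's normal baseline was
    # 10-40 MB/day for the whole site, so pick something near your own baseline.
    for ip, sent in flag_heavy_senders(totals, 100 * MB):
        print(f"{ip}: {sent / MB:.1f} MB out to External")
        for (dest, proto, port), b in top_destinations(rows, ip):
            print(f"    -> {dest} {proto}/{port}: {b / MB:.1f} MB")


if __name__ == "__main__":
    main()
```

Run against a real export, the server's own address (192.168.16.2 in the thread) will dominate whenever clients go through the web proxy, which is exactly why Steve suggests adding the web proxy log: that log records the originating client, so the same aggregation over it attributes the bytes back to the user rather than to the ISA box.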