Re: Web server crashed, now is trying to contact an IP by port 80 every morning.

From: lsi (stuart@cyberdelix.net)
Date: 02/25/03

    From: "lsi" <stuart@cyberdelix.net>
    To: "Dan Harpold" <danharp@SeaburyTech.com>
    Date: Tue, 25 Feb 2003 00:30:29 -0000
    
    

    Hi Dan,

    I'd monitor which process initiates the transfer by using a program such as FPORT.

    http://www.mamma.com/Mamma?timeout=4&lang=1&affiliate_id=9282&query=fport

    Then you can terminate the process and delete the executable, etc.

    If you can't terminate the process because it has SYSTEM privileges, start the Task Manager with an AT
    command (set it for two minutes into the future). Task Manager will then also be running as SYSTEM, and
    allow you to kill the process.

    Cheers for now.
    Stuart

    On 23 Feb 2003 at 21:20, Dan Harpold wrote:

    Subject: Web server crashed, now is trying to contact an IP by port 80 every morning.
    Date sent: Sun, 23 Feb 2003 21:20:01 -0600
    From: "Dan Harpold" <danharp@SeaburyTech.com>
    To: <incidents@seacurityfocus.com>

    > My web server crashed the other day. Got a blue screen and on reboot
    > NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K
    > Server with IIS 5 and current service packs. It sits in a DMZ.
    >
    > Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is
    > trying to contact an outside server via HTTP. The external request,
    > which is being blocked by my firewall, is trying to go to 64.0.96.14. It
    > logs about fifteen attempts over the next ten seconds, then doesn't
    > appear until the next morning.
    >
    > Any thoughts?
    >
    > Dan
    >
    >
    > ----------------------------------------------------------------------------
    >
    > Lose another weekend managing your IDS?
    > Take back your personal time.
    > 15-day free trial of StillSecure Border Guard.
    > http://www.securityfocus.com/stillsecure
    >

    -- 
    Stuart Udall
    stuart@cyberdelix.net - http://www.cyberdelix.net/
    ..revolution through evolution
    want to make some cash? check out http://cyberdelix.net/affiliates.htm
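
Added example, not part of either e-mail: one way to confirm from firewall logs that blocked outbound attempts like those described in the thread recur as a burst at the same time each day, which gives a time window to compare against scheduled jobs on the host. The log format, the source address 10.0.0.5, the dates and all function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed sample: blocked outbound attempts as 'date time src dst dport'."""
    lines = []
    for day in (22, 23):
        start = datetime(2003, 2, day, 0, 0, 45)
        for i in range(15):  # about fifteen attempts over ten seconds
            ts = start + timedelta(seconds=(i * 2) // 3)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 64.0.96.14 80")
    lines.append("2003-02-22 14:03:10 10.0.0.5 192.0.2.10 53")  # unrelated one-off
    return lines

def parse(line):
    date, time, src, dst, dport = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)

def bursts(lines, gap=timedelta(seconds=30)):
    """Group attempts per (src, dst, dport) into bursts separated by more than gap."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in sorted(parse(l) for l in lines):
        by_flow[(src, dst, dport)].append(ts)
    out = defaultdict(list)
    for flow, times in by_flow.items():
        start, prev, count = times[0], times[0], 1
        for ts in times[1:]:
            if ts - prev > gap:          # quiet period: close the current burst
                out[flow].append((start, count))
                start, count = ts, 0
            prev, count = ts, count + 1
        out[flow].append((start, count))
    return out

def daily_beacons(lines, tolerance_s=120, min_days=2):
    """Flows whose bursts start at about the same time of day on min_days dates."""
    sod = lambda t: t.hour * 3600 + t.minute * 60 + t.second  # second of day
    hits = {}
    for flow, found in bursts(lines).items():
        first = found[0][0]
        days = set()
        for start, _ in found:
            d = abs(sod(start) - sod(first))
            if min(d, 86400 - d) <= tolerance_s:  # wraps around midnight
                days.add(start.date())
        if len(days) >= min_days:
            hits[flow] = (first.time(), sorted(days), [c for _, c in found])
    return hits

if __name__ == "__main__":
    for flow, (tod, days, counts) in daily_beacons(sample_log()).items():
        print(flow, "daily at", tod, "on", [str(d) for d in days], "attempts", counts)
```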