RE: IIS Stops serving randomly

From: Roopesh K K (anonymous_at_discussions.microsoft.com)
Date: 05/15/04


Date: Fri, 14 May 2004 15:56:07 -0700


***************
Check if the SSL sites works after changing port (change the port to 444) and try to access from a system in the same network, This may not work over a Internet connection because 444 may be blocked in most of the firewalls. So try accessing the site from same network with the alternate port

If it works on different port

***************
Stop IIS and try to telnet to the server with port 443. (If it connects to the server another application is listening on that port)
If you don not have an application which you have configured to run on 443 port it could be a malicious application listening on the port 443

***************
Run fport or TCPView to identify the applications/services which listens at port 443
Fport can be downloaded from http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
TCPview can be downloaded from http://www.sysinternals.com

***************
Check in Services for any suspicious services (Serv U, Fire Daemon etc.)

***************
Run house call (online virus scanning from any of the anti virus vendor) on your affected server
http://housecall.trendmicro.com/
or
http://us.mcafee.com/root/mfs/default.asp?cid=9914
look for any malicious application or Trojan in the system (ServU, TROJ_SERVI.A etc.)

***************
Search for "443" in registry. Check If you can find this number associated with any other application or services.

For example:

"hklm\system\currentcontrolset\services\sysmon\parameters\appparameters = 443"; This indicates possibility of a service which listens at 443 port which may affect SSL sites.

If you detect another service or Application listens at port 443 which affects IIS. you may confirm that the system has been affected with that malicious application.

Thanks & Regards
Roopesh



Relevant Pages

  • RE: Seriuos Problem with Component services and MDTC
    ... the red sign disappeared ans IIS starts in MMC. ... Server application error "The server has encountered an error while loading ... > listening on port 443. ...
    (microsoft.public.inetserver.iis)
  • Re: RealVNC
    ... Default listening port for RealVNC server that runs on the machine on which ... Then there is default Java listening port on port 5800 on the client machine ...
    (microsoft.public.windows.server.sbs)
  • Re: trying to restrict postfix use of port [was trying to restrict exim smtp to specific IP]
    ... you do need to open port 25 "locally" and bind ... But opening a port "locally" does not mean your SMTP server can be used ... You need to be notified by e-mail (remote account) about crontab tasks. ... So, yes, the MTA is listening in that port and I cannot find any ...
    (Debian-User)
  • Re: Question on IIS servers and reverse lookup ... found answer
    ... netbios over TCP/IP on the interface your web server uses to talk to the ... There's a huge list of steps to take to secure an IIS ... logs) in addition to the low-level packet capture. ... packet is being sent to that UDP:137 port. ...
    (Focus-Microsoft)
  • Re: RealVNC
    ... I use VNC behind server ... Default listening port for RealVNC server that runs on the machine ... And then "other"party - not the client can run RealVNC Viewer in ...
    (microsoft.public.windows.server.sbs)