Re: Many Connections from each Web Client



On May 8, 8:26 pm, Baboon <bab...@xxxxxxxxxxxxxx> wrote:
I was asked to take a look at an IIS Website running on Windows 2000 Server
because of reports of slowness. The site is for a small research group that
is part of the University I work for, and there typically aren't a lot of
clients connected at one time, so the server should be able to handle the
load.

When I run netstat -a I see that each client has many connections from
random ports to HTTP on the server (maybe 50 or more from each client). That
doesn't seem normal to me, but I am not sure. Also, when I run fport, I see
that there are many random ports being listened on by inetsrv.exe, which
also seems odd to me. The Webmaster uses ColdFusion to configure the
content, so that may play a role as well.

Can anyone confirm whether or not this seems normal? The server is running
SP 4 and appears to be up to date with patches, but IIS apparently was never
locked down, i.e. no urlscan, IIS Lockdown, and with a default installation.

Thanks.


I am not aware of any IIS/Windows file called inetsrv.exe.

Closest name for IIS is inetinfo.exe - there should only be one
instance, and it should listen to as many ports as there are unique
ports in IP:Port bindings in IIS configuration.

I think this server has been hacked. W2KSP4 is still vulnerable to
several worms unless the server has all security patches.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
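
A triage sketch for the two checks discussed in this thread, added here as an example and not written by either poster: it counts connections per client to the HTTP port and flags listening ports outside an expected baseline. The sample `netstat -an` text, the addresses and the baseline port set are constructed assumptions, and since netstat alone does not attribute ports to a process, a tool such as fport is still needed for that step.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4711           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.21:1045         ESTABLISHED
  TCP    10.0.0.5:80            10.0.0.21:1046         ESTABLISHED
  TCP    10.0.0.5:80            10.0.0.21:1047         TIME_WAIT
  TCP    10.0.0.5:80            10.0.0.34:2210         ESTABLISHED
  TCP    10.0.0.5:1433          10.0.0.34:2211         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# TCP rows only: local addr:port, remote addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse(text):
    """Yield (local_port, remote_ip, state) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)

def connections_per_client(text, port=80):
    """Count non-listening TCP connections to `port`, grouped by client IP."""
    return Counter(ip for lport, ip, state in parse(text)
                   if lport == port and state != "LISTENING")

def unexpected_listeners(text, expected):
    """Return listening TCP ports that are not in the expected baseline."""
    listening = {lport for lport, _, state in parse(text) if state == "LISTENING"}
    return sorted(listening - set(expected))

if __name__ == "__main__":
    for ip, n in connections_per_client(SAMPLE).most_common():
        print(f"{ip}: {n} connections to port 80")
    # Baseline {80, 135} is an assumption: the IIS binding plus RPC endpoint mapper.
    print("unexpected listeners:", unexpected_listeners(SAMPLE, {80, 135}))
```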
