Re: Unauthorized IP address attached




"Mark J. McGinty" <mmcginty@xxxxxxxxxxxxxxx> wrote in message
news:eHHrs4W$HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx

"Rick K" <RickK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:08E4D293-FFEA-4550-B3C2-EB7FB711D1DF@xxxxxxxxxxxxxxxx
System: Server 2003 r 2, terminal services, SQL server, Citrix
Presentation server 4.5
Issue: An unknown IP address becomes attached to the server (class A, out
of a Canadian registrar) on restart or even if the restart is performed
w/o my card enabled, or even if I change my static IP address, this
address keeps showing back up. It appears to be attempting to logon to the
SQL server portion of the system (failed (audit) logons to SQL in event
viewer--address also shows up in netstat -aon as listening)
It appears that this connection attempt has my address "mapped". A change
of my IP static address, placing my system behind a firewall has made no
difference.
Q: Could this bandit have used the server name to "map". How can I block
this inbound connection by IP address?? (IPspec?).
Any thoughts will help.

Wait a minute, if your network card is disabled, netstat produces no
output.

Also, I assume you're saying that the unwanted IP shows up in the Local
Address column, because if it were in the Foreign Address column, its
status would not be listening -- listening means waiting for a connection,
not that one has been established.

My guess is that you either have a second network card configured for that
address, or some sort of software creating a virtual adapter (like the
ones VPN connections create.) Or perhaps TCP/IP is configured for
multiple addresses and you're only changing the first one? (Click the
Advanced button to see them all.)

Otherwise, something about your description of this doesn't add.

Meant to add, why don't you locate the process, using the PID reported by
netstat? Also look to see if that same process has any other connections
open. Maybe there is some malware installed, or maybe it can be easily
explained; the process responsible should be a good indicator.

-Mark
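
The check suggested above (confirm the address sits in the Local Address column, then follow the PID and look at that process's other sockets), as an added example that is not part of the original posts. The netstat output is a constructed sample, the expected address 192.168.1.10 is an assumption, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `netstat -aon` output; every address and PID is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:1433      0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.10:3389      192.168.1.50:51512     ESTABLISHED     2440
  TCP    203.0.113.7:139        0.0.0.0:0              LISTENING       4
  TCP    203.0.113.7:4821       198.51.100.23:443      ESTABLISHED     3120
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       3120
  UDP    203.0.113.7:137        *:*                                    4
  UDP    0.0.0.0:1434           *:*                                    1604
"""

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign, state, pid) for each socket row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            # UDP rows have no State column.
            (proto, local, foreign, pid), state = parts, ""
        else:
            continue  # banner, header or blank line
        ip, _, port = local.rpartition(":")  # split on the last colon (IPv6-safe)
        yield proto, ip.strip("[]"), int(port), foreign, state, int(pid)

def unexpected_local_bindings(text, expected_ips):
    """Map PID -> sockets bound to a local IP outside expected_ips, plus that
    process's remaining sockets, so the owner can be looked up by PID."""
    allowed = set(expected_ips) | {"0.0.0.0", "::", "127.0.0.1", "::1"}
    rows = list(parse_netstat(text))
    suspect_pids = {r[5] for r in rows if r[1] not in allowed}
    report = defaultdict(lambda: {"unexpected": [], "other": []})
    for proto, ip, port, foreign, state, pid in rows:
        if pid in suspect_pids:
            kind = "other" if ip in allowed else "unexpected"
            report[pid][kind].append((proto, ip, port, foreign, state))
    return dict(report)

if __name__ == "__main__":
    for pid, socks in sorted(unexpected_local_bindings(SAMPLE, {"192.168.1.10"}).items()):
        print(pid, socks)
```

Feed it the saved output of netstat -aon from the server, then name each reported PID with tasklist /FI "PID eq <pid>".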

