Re: Unauthorized IP address attached



What you're seeing is almost certainly some sort of malware. Other things to look at:

IPCONFIG /ALL (looking for unexpected interfaces/IPs)
ROUTE PRINT (looking for unexpected static routes)
TRACERT to the IP in question

Also check out TCPView from the sysinternals.com site. (It's a graphical
netstat that updates in near real-time, with sortable columns and more.)

-Mark
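The checks above (compare netstat -aon local addresses against the adapters ipconfig /all reports, then chase the owning PID) can be scripted. The following is an added example, not code from anyone in this thread; the netstat text, the adapter list and the address 10.37.4.200 (standing in for the poster's unexplained address) are all constructed, and it flags every socket bound to a local IP that no configured adapter owns, for any number of such addresses.

```python
from collections import defaultdict

# Constructed "netstat -aon" output (not a capture from the poster's server).
# 10.37.4.200 stands in for the unexpected address; 1433 is SQL Server's default port.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1433      0.0.0.0:0              LISTENING       1860
  TCP    10.37.4.200:1433       0.0.0.0:0              LISTENING       1860
  TCP    10.37.4.200:3389       0.0.0.0:0              LISTENING       1200
  TCP    192.168.1.10:3389      192.168.1.55:4123      ESTABLISHED     1200
  UDP    192.168.1.10:1434      *:*                                    1860
"""

# Constructed: the IPv4 addresses "ipconfig /all" shows on the box's own adapters.
KNOWN_LOCAL_IPS = {"192.168.1.10"}
ALWAYS_OK = {"0.0.0.0", "127.0.0.1"}   # wildcard and loopback binds are normal


def parse_netstat(text):
    """Turn netstat -aon rows into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue   # header, blank line, "Active Connections"
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def unexpected_local_binds(rows, known_ips):
    """Map each local IP that no adapter owns to the {(pid, port)} bound on it."""
    hits = defaultdict(set)
    for r in rows:
        ip, _, port = r["local"].rpartition(":")
        if ip not in known_ips and ip not in ALWAYS_OK:
            hits[ip].add((r["pid"], int(port)))
    return dict(hits)


if __name__ == "__main__":
    for ip, owners in unexpected_local_binds(parse_netstat(SAMPLE_NETSTAT),
                                             KNOWN_LOCAL_IPS).items():
        for pid, port in sorted(owners):
            # tasklist /fi "PID eq N" names the process behind the PID
            print(f"{ip}:{port} bound by PID {pid} but {ip} is on no adapter")
```

A hit means some adapter, virtual adapter or extra TCP/IP address holds that IP, and the PID tells you which process is using it.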


"Rick K" <RickK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D1E2C0BC-6587-43F8-81E0-CA1E86008A06@xxxxxxxxxxxxxxxx
I disable the card, reboot and then re-enable the card. The address
reconnects and it shows that it is attempting to establish connections to
MANY ports (probably 25+) in its attempt to get into the system. I'll check
the PID when I get the server back up.
Thanks

"Mark J. McGinty" wrote:


"Mark J. McGinty" <mmcginty@xxxxxxxxxxxxxxx> wrote in message
news:eHHrs4W$HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx

"Rick K" <RickK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:08E4D293-FFEA-4550-B3C2-EB7FB711D1DF@xxxxxxxxxxxxxxxx
System: Server 2003 R2, terminal services, SQL server, Citrix Presentation
Server 4.5
Issue: An unknown IP address becomes attached to the server (class A, out of
a Canadian registrar) on restart or even if the restart is performed w/o my
card enabled, or even if I change my static IP address, this address keeps
showing back up. It appears to be attempting to log on to the SQL server
portion of the system (failed (audit) logons to SQL in event viewer--address
also shows up in netstat -aon as listening).
It appears that this connection attempt has my address "mapped". A change
of my static IP address, placing my system behind a firewall has made no
difference.
Q: Could this bandit have used the server name to "map"? How can I block
this inbound connection by IP address? (IPSec?)
Any thoughts will help.

Wait a minute, if your network card is disabled, netstat produces no output.

Also, I assume you're saying that the unwanted IP shows up in the Local
Address column, because if it were in the Foreign Address column, its
status would not be listening -- listening means waiting for a connection,
not that one has been established.

My guess is that you either have a second network card configured for that
address, or some sort of software creating a virtual adapter (like the
ones VPN connections create.) Or perhaps TCP/IP is configured for
multiple addresses and you're only changing the first one? (Click the
Advanced button to see them all.)

Otherwise, something about your description of this doesn't add up.

Meant to add, why don't you locate the process, using the PID reported by
netstat? Also look to see if that same process has any other connections
open. Maybe there is some malware installed, or maybe it can be easily
explained; the process responsible should be a good indicator.

-Mark


-Mark