Re: W2kserver/SQLserver generating mass Network load

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/25/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 25 Feb 2003 08:57:23 -0500


You'd first want to look at what ports are being used in the packets. A
firewall's logs, router or sniffer should show you that. The SQL Slammer
worm uses packets addressed to UDP 1434. IIS worms like Nimda and Code Red
are likely to address packets to TCP 80. Telling us more information about
the packets [source and dest port, protocol TCP or UDP, packet contents,
etc] would be helpful.

Information on how to tell if you are infected with these worms can be found
at www.cert.org [recommended], www.microsoft.com, www.sarc.com, etc. The
cert site and others probably also show exactly what you'd see in a sniffer
if this was SQL Slammer. Note that some of those worms, notably SQL
Slammer, probably won't be detected by antivirus. You could also do
CTRL-ALT-DEL on the server to see whether IIS or SQL or another process
entirely is taking a large percentage of CPU time.

Besides that, try these things:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

"Christiaan" <c.spaan@brunel.nl> wrote in message
news:01a901c2dca5$27c12880$2f01280a@phx.gbl...
> Hello,
>
> W2kserver with SP3, SQLserver2000, IIS 5 with latest SP is
> installed. Also I implemented Hisecweb.inf and IISlockdown
> tool. Only the HTTP and SQL ports are available. When I
> discovered, while having serious network problems, that
> this server is connecting to approx. 600 various IPs, it
> is using all the network bandwidth. Pinging the
> gateway/router from a different server on the same
> segment, it's causing a major timeout. Netstat doesn't
> give me any unusual connections. When using a sniffer, I
> can see the W2k/SQL server is very busy polling all these
> IPs. The IP addresses are various, they're all outside the
> network and directly from the Internet.
> A simple thought would bring me to a Trojan or an attacker
> from outside. Is there a tool available from which I can
> see what is causing this 'heavy traffic' except from the
> software I mentioned above?
> Many thanks so far,
> Christiaan.
>
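The triage Karl describes (look at the protocol and destination port of the packets, then at how many distinct hosts the server is spraying them at) is easy to script once you have a sniffer or firewall export. The script below is an added example for this thread, not code from either poster. The log lines are constructed, and the six-field layout (proto, src, sport, dst, dport, length) is an assumed export format; real tools will need their own parser. The port hints are the ones given in the reply above; the 376-byte packet size is the one documented for SQL Slammer's UDP payload.

```python
"""Triage a packet log: which (proto, dport) is a host fanning out on, and to
how many distinct destinations?  Added example, not code from the original
posts.  Log format below is assumed, and the sample lines are constructed."""
from collections import Counter, defaultdict

# Constructed sample: one internal host spraying UDP/1434 to many Internet
# addresses, plus a normal web request/response pair on TCP/80.
SAMPLE_LOG = """\
UDP 10.40.1.47 1098 203.0.113.5 1434 376
UDP 10.40.1.47 1098 198.51.100.77 1434 376
UDP 10.40.1.47 1098 192.0.2.200 1434 376
UDP 10.40.1.47 1098 203.0.113.91 1434 376
TCP 10.40.1.47 80 192.0.2.10 3456 1200
TCP 192.0.2.10 3456 10.40.1.47 80 60
"""

# Protocol/port pairs named in the reply, with the worm family each suggests.
WORM_HINTS = {
    ("UDP", 1434): "SQL Slammer (MS SQL Resolution Service)",
    ("TCP", 80): "IIS worm such as Nimda or Code Red",
}
SLAMMER_UDP_LEN = 376  # documented size of the Slammer UDP payload


def parse_log(text):
    """Yield (proto, src, sport, dst, dport, length) tuples from the assumed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the triage
        proto, src, sport, dst, dport, length = parts
        yield proto.upper(), src, int(sport), dst, int(dport), int(length)


def summarize(text, local_host):
    """Group packets sent by local_host by (proto, dport): count packets,
    distinct destinations and the distribution of packet sizes."""
    pkts = Counter()
    dsts = defaultdict(set)
    sizes = defaultdict(Counter)
    for proto, src, sport, dst, dport, length in parse_log(text):
        if src != local_host:
            continue  # only outbound traffic from the suspect box
        key = (proto, dport)
        pkts[key] += 1
        dsts[key].add(dst)
        sizes[key][length] += 1
    return {
        k: {"packets": pkts[k], "dests": len(dsts[k]), "sizes": dict(sizes[k])}
        for k in pkts
    }


def classify(summary, min_dests=3):
    """Flag every (proto, dport) that fans out to at least min_dests hosts.
    Returns a list of (proto, dport, distinct_dests, note)."""
    findings = []
    for (proto, dport), s in summary.items():
        if s["dests"] < min_dests:
            continue  # a single peer is a session, not a scan
        note = WORM_HINTS.get(
            (proto, dport),
            "unknown; capture the payload and compare with the CERT advisories",
        )
        if (proto, dport) == ("UDP", 1434) and s["sizes"].get(SLAMMER_UDP_LEN):
            note += (f"; {s['sizes'][SLAMMER_UDP_LEN]} packets are exactly "
                     f"{SLAMMER_UDP_LEN} bytes, as Slammer's are")
        findings.append((proto, dport, s["dests"], note))
    return findings


if __name__ == "__main__":
    for proto, dport, n, note in classify(summarize(SAMPLE_LOG, "10.40.1.47")):
        print(f"{proto}/{dport}: {n} distinct destinations -> {note}")
```

Two caveats when reading the output: netstat shows nothing unusual for Slammer because the traffic is connectionless UDP, so "no unusual connections" does not clear the box; and port plus packet size is a hint, not proof, so confirm against the payload description in the CERT advisory before rebuilding the server.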


