Re: Need help: Port 445 flood
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/14/04
- Next message: Shawn Corey [MSFT]: "Re: Users cannot download certificate from certsrv"
- Previous message: Steven L Umbach: "Re: Stand alone Win2003 Standard w/ AD... how to allow users to login?"
- In reply to: Ron King: "Need help: Port 445 flood"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Sep 2004 18:47:34 -0500
Download some free tools from SysInternals: TCPView, Process Explorer, Autoruns, and
Filemon. Start with TCPView, which should show the process and executable associated
with the port use. Process Explorer will give a lot more detail on processes if you
look in the properties of the process, possibly including related services, which is
helpful as many times svchost is the process or executable detected, which can
represent several services. Autoruns will show in much more detail what
processes/applications are initiated at computer startup. Filemon will display file
access in real time. Another thing that may work is to install a personal firewall on
that server such as Sygate [free to try]; when you boot it up after the install,
it will prompt you for permission for a process to access the network, which the
rogue process would probably do in short order.
If you identify a process/executable you can search Google or the anti-virus
vendors' websites for any possible info, which may or may not help depending on whether it
is a randomly generated name. Also, if you find something, contact Trend Micro with
your results for advice on what to do. Note that if you have a "root kit" infection
it will be hidden from normal means of detection such as using built-in tools
like Task Manager to view processes. However, if you scan the problem computer's
processes remotely from a clean machine, you should find the rogue process by
comparing to the locally run process list. I am not sure if Process Explorer can detect
root kit processes, but SysInternals has PsList, which can scan processes remotely. ---
Steve
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
"Ron King" <montyboy@earthlink.net> wrote in message
news:%23i1cF$ZmEHA.952@TK2MSFTNGP14.phx.gbl...
> Hi,
> We have a server that is sending packets via port 445 to random server
> addresses. Have scanned and scanned for viruses with Trend Micro SPNT 5.58
> with latest CPR virus signature and have found nothing. Have scanned with
> spy bot and ad-aware and have found nothing. We find no unneeded or
> unfamiliar processes running, nor any unneeded or unfamiliar entries in the Run
> or RunOnce registry keys. We have blocked port 445 to the outside, so these
> floods are not reaching anyone. And it has not had an adverse effect on our
> network, as of yet. But we would really like to find the cause and put a
> stop to it. Any ideas would be greatly appreciated!
>
> Thanks in advance,
> Ron King
> CCSI
>
>
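The two steps Steve describes above (find the process behind the outbound port 445 traffic, then cross-check the process list for something a rootkit is hiding) can be done today from PowerShell on the suspect server. This is an added example, not code from the original thread or from SysInternals; it assumes Windows Server 2012 or later (for Get-NetTCPConnection), an elevated session, and that the suspect host name in the comment is a placeholder.

```powershell
# Added example (not from the original post). Modern PowerShell equivalents of
# the TCPView and PsList steps. Assumes Windows Server 2012+ and an elevated
# session; "SUSPECT-SERVER" below is a placeholder host name.

$SuspectPort = 445

# Step 1 (TCPView equivalent): which process owns the connections to port 445?
# svchost.exe hosts many services, so also list the services in that instance.
$conns = Get-NetTCPConnection -RemotePort $SuspectPort -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' }

$conns | Group-Object OwningProcess | ForEach-Object {
    $procId = [int]$_.Name
    $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
    $svcs   = (Get-CimInstance Win32_Service -Filter "ProcessId = $procId").Name
    [pscustomobject]@{
        PID         = $procId
        Connections = $_.Count
        Image       = $proc.ExecutablePath
        CommandLine = $proc.CommandLine
        Services    = ($svcs -join ',')
    }
} | Sort-Object Connections -Descending | Format-Table -AutoSize

# Step 2 (cross-view check): compare the process list from the Windows API
# (what Task Manager and Get-Process use, and what a user-mode rootkit hooks)
# with the performance-counter view that PsList reads. A PID present in the
# counter view but absent from Get-Process is worth a close look.
# To mirror Steve's "scan from a clean machine" advice, run the Get-Counter
# line from another host with: -ComputerName SUSPECT-SERVER
$apiPids = (Get-Process).Id | Sort-Object -Unique

$counterPids = (Get-Counter '\Process(*)\ID Process').CounterSamples |
    Where-Object { $_.CookedValue -gt 0 } |          # drops _Total and Idle (both 0)
    ForEach-Object { [int]$_.CookedValue } |
    Sort-Object -Unique

Compare-Object -ReferenceObject $apiPids -DifferenceObject $counterPids |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object {
        "PID $($_.InputObject): visible to performance counters but not to Get-Process"
    }
```

The second step is a heuristic, not proof: a short-lived process can appear in one view and not the other, and a kernel-mode rootkit that filters both enumeration paths will pass it. If it does flag a PID, pull its image path and command line with `Get-CimInstance Win32_Process -Filter "ProcessId = <pid>"` before touching it, and keep the port 445 egress block in place while you investigate.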