Re: WAN Link flattened

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/18/05


Date: Thu, 18 Aug 2005 11:54:15 -0500

To add to what Roger said, you could have them boot the servers into Safe
Mode with Networking to see if that makes a difference, and if it does then
almost certainly there is an application/service starting up on the server
that is causing that traffic. Netstat -s may also give you an idea of the
amount of traffic the server is processing. Process Explorer, Autoruns, and
TDIMon from SysInternals can also help. TDIMon lets you watch network
traffic in real time and will show local and remote ports along with the owning
process; you would want to use it when the other computers are shut down to
minimize traffic. With Process Explorer you should be suspicious of any
unexplained process, particularly one that maps to an executable that does
not have a publisher name associated with it. However, that will not always
mean a process is malicious, but usually they are.

http://www.sysinternals.com/Utilities/TdiMon.html --- TDIMon and link to
SysInternals

Having said all that, the firewall may not be the real problem. A better
firewall could certainly improve things by refusing to let malware access the
internet if the firewall has a default "block all" outbound rule with
authorized exceptions only allowed, but the real problem is probably a lack of
security best practices such as using a quality antivirus program that is kept
up to date and scans all emails/downloads, keeping current with critical
updates at Windows Update, enforcing the use of strong passwords for all
users, and judicious use of any administrator accounts, including not being
logged on as an administrator while browsing the internet and checking
email. I am also surprised at the number of users that browse the internet
and check email on their servers!! See the link below that can help them in
securing their network to help minimize future problems; otherwise they may
have the same situation again in a short time. Also explain to them that
malware does not only slow down their internet connection but it can lead to
theft and modification or destruction of data. --- Steve

http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
Small business security guidance from Microsoft.

"Damon Birrell" <sophdamon.nospam@adsl.on.net> wrote in message
news:Ob7TGw9oFHA.1088@TK2MSFTNGP14.phx.gbl...
> Howdy
>
> I have an ex-client running W2K3 SBS which is sitting in a small network
> behind a NAT router on an ADSL link. The router is very basic and for a
> range of reasons they haven't upgraded to a decent firewall solution.
> There are only a few ports open, 5800, 5900, 1723 and 443. It is not fully
> patched and not on SBS 2K3 SP1 as yet.
>
> They have asked me to help out because their Internet link is choked.
> Something on their LAN is generating a lot of traffic. I isolated it to
> their (only) server as they are a tiny office and we could shut down all
> workstations and the strange traffic continued. I performed a netstat -ano
> to see the connections on the server and there was nothing overly
> untoward that I could see. Has anyone got any suggestions as to what to
> do? I have a guy going on site tomorrow to do an Ethereal packet capture
> and some virus scanning etc but I wouldn't mind some advice on what else to
> check (beyond the obvious advice of upgrading the router)... Something
> similar happened to them about a year ago and the ISP told them it
> appeared to be peer sharing traffic but there was nothing to be found. I
> was worried about root kits but my knowledge on them is very limited and
> the scanners are few and far between. I have used the F-Secure beta ages
> ago and the SysInternals scanner but the Sysinternals one confuses me....
>
> Any suggestions?
>
> Regards,
> Damo
>
> Active Connections
>
> Proto Local Address Foreign Address State PID
> TCP 0.0.0.0:25 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:42 0.0.0.0:0 LISTENING 3332
> TCP 0.0.0.0:53 0.0.0.0:0 LISTENING 1688
> TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 2096
> TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:110 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 712
> TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2096
> TCP 0.0.0.0:444 0.0.0.0:0 LISTENING 2096
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
> TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 712
> TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:691 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:995 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING 4
> TCP 0.0.0.0:2301 0.0.0.0:0 LISTENING 1584
> TCP 0.0.0.0:2381 0.0.0.0:0 LISTENING 1584
> TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 764
> TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING 4244
> TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING 316
> TCP 0.0.0.0:6004 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:6082 0.0.0.0:0 LISTENING 2096
> TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 2096
> TCP 0.0.0.0:8082 0.0.0.0:0 LISTENING 2096
> TCP 0.0.0.0:12174 0.0.0.0:0 LISTENING 3924
> TCP 0.0.0.0:28784 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:28785 0.0.0.0:0 LISTENING 844
> TCP 0.0.0.0:28787 0.0.0.0:0 LISTENING 564
> TCP 0.0.0.0:28828 0.0.0.0:0 LISTENING 1688
> TCP 0.0.0.0:28842 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:28843 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:28858 0.0.0.0:0 LISTENING 264
> TCP 0.0.0.0:28880 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:28881 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:28887 0.0.0.0:0 LISTENING 1812
> TCP 0.0.0.0:28922 0.0.0.0:0 LISTENING 3332
> TCP 0.0.0.0:28923 0.0.0.0:0 LISTENING 316
> TCP 0.0.0.0:28986 0.0.0.0:0 LISTENING 4396
> TCP 0.0.0.0:28991 0.0.0.0:0 LISTENING 4244
> TCP 0.0.0.0:36895 0.0.0.0:0 LISTENING 1100
> TCP 0.0.0.0:38292 0.0.0.0:0 LISTENING 2060
> TCP 0.0.0.0:49400 0.0.0.0:0 LISTENING 2836
> TCP 0.0.0.0:49401 0.0.0.0:0 LISTENING 4460
> TCP 127.0.0.1:389 127.0.0.1:1757 ESTABLISHED 564
> TCP 127.0.0.1:445 127.0.0.1:10275 ESTABLISHED 4
> TCP 127.0.0.1:1757 127.0.0.1:389 ESTABLISHED 1688
> TCP 127.0.0.1:10275 127.0.0.1:445 ESTABLISHED 4
> TCP 127.0.0.1:28918 0.0.0.0:0 LISTENING 3924
> TCP 192.168.0.3:135 192.168.0.2:1343 ESTABLISHED 712
> TCP 192.168.0.3:135 192.168.0.3:10326 ESTABLISHED 712
> TCP 192.168.0.3:135 192.168.0.3:10328 ESTABLISHED 712
> TCP 192.168.0.3:135 192.168.0.50:1606 ESTABLISHED 712
> TCP 192.168.0.3:135 192.168.0.51:1570 ESTABLISHED 712
> TCP 192.168.0.3:135 192.168.0.53:1674 ESTABLISHED 712
> TCP 192.168.0.3:135 192.168.0.57:1592 ESTABLISHED 712
> TCP 192.168.0.3:139 0.0.0.0:0 LISTENING 4
> TCP 192.168.0.3:389 192.168.0.3:1628 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1629 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1630 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1631 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1632 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1633 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1634 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1635 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1636 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1637 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1638 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1642 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1690 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1691 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1692 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1730 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1752 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1799 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1808 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:1855 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:4979 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:6760 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:9787 ESTABLISHED 564
> TCP 192.168.0.3:389 192.168.0.3:10054 FIN_WAIT_2 564
> TCP 192.168.0.3:389 192.168.0.3:10330 ESTABLISHED 564
> TCP 192.168.0.3:691 192.168.0.3:10547 ESTABLISHED 1812
> TCP 192.168.0.3:691 192.168.0.3:28890 ESTABLISHED 1812
> TCP 192.168.0.3:691 192.168.0.3:28985 ESTABLISHED 1812
> TCP 192.168.0.3:691 192.168.0.3:28989 ESTABLISHED 1812
> TCP 192.168.0.3:1628 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:1629 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:1630 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:1631 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:1632 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:1633 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1634 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1635 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1636 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1637 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1638 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1639 192.168.0.3:3268 ESTABLISHED 316
> TCP 192.168.0.3:1640 192.168.0.3:3268 ESTABLISHED 1812
> TCP 192.168.0.3:1641 192.168.0.3:3268 ESTABLISHED 4396
> TCP 192.168.0.3:1642 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1644 192.168.0.3:3268 ESTABLISHED 4244
> TCP 192.168.0.3:1645 192.168.0.3:3268 ESTABLISHED 3932
> TCP 192.168.0.3:1690 192.168.0.3:389 ESTABLISHED 4244
> TCP 192.168.0.3:1691 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1692 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1694 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:1730 192.168.0.3:389 ESTABLISHED 4396
> TCP 192.168.0.3:1752 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1799 192.168.0.3:389 ESTABLISHED 264
> TCP 192.168.0.3:1808 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:1855 192.168.0.3:389 ESTABLISHED 3932
> TCP 192.168.0.3:2104 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:2105 192.168.0.3:3268 CLOSE_WAIT 316
> TCP 192.168.0.3:2335 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:3268 192.168.0.3:1639 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1640 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1641 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1644 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:1645 ESTABLISHED 564
> TCP 192.168.0.3:3268 192.168.0.3:10187 ESTABLISHED 564
> TCP 192.168.0.3:3920 192.168.0.3:389 CLOSE_WAIT 4244
> TCP 192.168.0.3:4182 192.168.0.3:389 CLOSE_WAIT 4600
> TCP 192.168.0.3:4979 192.168.0.3:389 ESTABLISHED 4244
> TCP 192.168.0.3:6760 192.168.0.3:389 ESTABLISHED 1812
> TCP 192.168.0.3:9787 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:10054 192.168.0.3:389 CLOSE_WAIT 4600
> TCP 192.168.0.3:10112 192.168.0.3:28784 ESTABLISHED 316
> TCP 192.168.0.3:10187 192.168.0.3:3268 ESTABLISHED 1812
> TCP 192.168.0.3:10298 192.168.0.3:135 TIME_WAIT 0
> TCP 192.168.0.3:10299 192.168.0.3:28784 TIME_WAIT 0
> TCP 192.168.0.3:10326 192.168.0.3:135 ESTABLISHED 316
> TCP 192.168.0.3:10328 192.168.0.3:135 ESTABLISHED 316
> TCP 192.168.0.3:10329 192.168.0.3:28784 ESTABLISHED 316
> TCP 192.168.0.3:10330 192.168.0.3:389 ESTABLISHED 316
> TCP 192.168.0.3:10383 68.142.202.12:25 SYN_SENT 1812
> TCP 192.168.0.3:10547 192.168.0.3:691 ESTABLISHED 3932
> TCP 192.168.0.3:11602 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:20291 206.204.212.229:2848 ESTABLISHED 3664
> TCP 192.168.0.3:28784 192.168.0.2:1344 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:10112 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:10329 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:28871 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:28872 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:29030 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.3:29423 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.50:1607 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.51:1571 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.53:1675 ESTABLISHED 564
> TCP 192.168.0.3:28784 192.168.0.57:1593 ESTABLISHED 564
> TCP 192.168.0.3:28871 192.168.0.3:28784 ESTABLISHED 264
> TCP 192.168.0.3:28872 192.168.0.3:28784 ESTABLISHED 264
> TCP 192.168.0.3:28890 192.168.0.3:691 ESTABLISHED 1812
> TCP 192.168.0.3:28958 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:28963 192.168.0.3:389 CLOSE_WAIT 316
> TCP 192.168.0.3:28965 192.168.0.3:3268 CLOSE_WAIT 316
> TCP 192.168.0.3:28985 192.168.0.3:691 ESTABLISHED 4396
> TCP 192.168.0.3:28989 192.168.0.3:691 ESTABLISHED 4244
> TCP 192.168.0.3:29030 192.168.0.3:28784 ESTABLISHED 316
> TCP 192.168.0.3:29254 192.168.0.3:389 CLOSE_WAIT 844
> TCP 192.168.0.3:29423 192.168.0.3:28784 ESTABLISHED 564
> TCP 192.168.0.3:33294 192.168.0.3:3268 CLOSE_WAIT 316
> TCP 192.168.0.3:38998 192.168.0.3:389 CLOSE_WAIT 844
> TCP 192.168.0.3:54107 192.168.0.3:389 CLOSE_WAIT 4600
> UDP 0.0.0.0:42 *:* 3332
> UDP 0.0.0.0:135 *:* 712
> UDP 0.0.0.0:161 *:* 2596
> UDP 0.0.0.0:162 *:* 2616
> UDP 0.0.0.0:445 *:* 4
> UDP 0.0.0.0:500 *:* 564
> UDP 0.0.0.0:1701 *:* 4
> UDP 0.0.0.0:2967 *:* 3124
> UDP 0.0.0.0:3002 *:* 1140
> UDP 0.0.0.0:3456 *:* 1812
> UDP 0.0.0.0:3457 *:* 1812
> UDP 0.0.0.0:4500 *:* 564
> UDP 0.0.0.0:11698 *:* 2248
> UDP 0.0.0.0:28795 *:* 960
> UDP 0.0.0.0:28823 *:* 1688
> UDP 0.0.0.0:28824 *:* 1688
> UDP 0.0.0.0:28826 *:* 2020
> UDP 0.0.0.0:28827 *:* 2020
> UDP 0.0.0.0:28844 *:* 1812
> UDP 0.0.0.0:28862 *:* 1424
> UDP 0.0.0.0:28868 *:* 264
> UDP 0.0.0.0:28888 *:* 1812
> UDP 0.0.0.0:28892 *:* 1636
> UDP 0.0.0.0:28897 *:* 3064
> UDP 0.0.0.0:28899 *:* 3176
> UDP 0.0.0.0:28908 *:* 3144
> UDP 0.0.0.0:28910 *:* 2252
> UDP 0.0.0.0:28924 *:* 316
> UDP 0.0.0.0:28925 *:* 316
> UDP 0.0.0.0:28935 *:* 3664
> UDP 0.0.0.0:28971 *:* 4244
> UDP 0.0.0.0:28976 *:* 3932
> UDP 0.0.0.0:28982 *:* 4396
> UDP 0.0.0.0:28987 *:* 4396
> UDP 0.0.0.0:28992 *:* 4244
> UDP 0.0.0.0:29011 *:* 508
> UDP 0.0.0.0:29018 *:* 4352
> UDP 0.0.0.0:29031 *:* 316
> UDP 0.0.0.0:29035 *:* 1624
> UDP 0.0.0.0:29192 *:* 2832
> UDP 0.0.0.0:29253 *:* 844
> UDP 0.0.0.0:29469 *:* 1868
> UDP 0.0.0.0:34129 *:* 960
> UDP 0.0.0.0:34130 *:* 960
> UDP 0.0.0.0:34131 *:* 960
> UDP 0.0.0.0:34136 *:* 960
> UDP 0.0.0.0:34377 *:* 960
> UDP 0.0.0.0:36954 *:* 1864
> UDP 0.0.0.0:38037 *:* 2060
> UDP 0.0.0.0:38293 *:* 1828
> UDP 0.0.0.0:54089 *:* 4600
> UDP 0.0.0.0:55284 *:* 960
> UDP 0.0.0.0:55286 *:* 960
> UDP 0.0.0.0:55288 *:* 960
> UDP 0.0.0.0:55402 *:* 7004
> UDP 127.0.0.1:53 *:* 1688
> UDP 127.0.0.1:123 *:* 844
> UDP 127.0.0.1:3456 *:* 1812
> UDP 127.0.0.1:3457 *:* 1812
> UDP 127.0.0.1:28822 *:* 1688
> UDP 127.0.0.1:28921 *:* 3332
> UDP 127.0.0.1:29022 *:* 844
> UDP 127.0.0.1:29023 *:* 844
> UDP 192.168.0.3:53 *:* 1688
> UDP 192.168.0.3:88 *:* 564
> UDP 192.168.0.3:123 *:* 844
> UDP 192.168.0.3:137 *:* 4
> UDP 192.168.0.3:138 *:* 4
> UDP 192.168.0.3:389 *:* 564
> UDP 192.168.0.3:464 *:* 564
>
>
>
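Added example (not from Steve or Damon): the first thing to do with a `netstat -ano` dump like the one above is to separate the LAN-internal chatter (loopback, 192.168.x.x) from the sockets that actually leave the site, and to list which PID owns which bound port so the PIDs can be matched against `tasklist /svc` on the box. The sample lines below are copied from the posted output; the parsing and the RFC 1918/loopback classification are mine and are not part of the thread.

```python
"""Triage of `netstat -ano` output: which PIDs talk outside the LAN?

Example added to the thread (not from either poster). Sample lines are copied
from the netstat output Damon posted; the parsing and classification are mine.
"""
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample: a subset of the rows from the posted netstat -ano dump.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1812
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2096
  TCP    0.0.0.0:12174          0.0.0.0:0              LISTENING       3924
  TCP    192.168.0.3:135        192.168.0.50:1606      ESTABLISHED     712
  TCP    192.168.0.3:389        192.168.0.3:1628       ESTABLISHED     564
  TCP    192.168.0.3:10383      68.142.202.12:25       SYN_SENT        1812
  TCP    192.168.0.3:20291      206.204.212.229:2848   ESTABLISHED     3664
  TCP    192.168.0.3:10298      192.168.0.3:135        TIME_WAIT       0
  UDP    0.0.0.0:161            *:*                                    2596
  UDP    192.168.0.3:137        *:*                                    4
"""


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str          # "*" on UDP rows, which have no peer
    remote_port: Optional[int]
    state: Optional[str]      # None on UDP rows
    pid: int


_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+"              # protocol
    r"(\S+):(\d+)\s+"                # local address:port
    r"(\S+):(\S+)\s+"                # foreign address:port ("*:*" for UDP)
    r"(?:([A-Z][A-Z_0-9]*)\s+)?"     # TCP state, absent on UDP rows
    r"(\d+)\s*$"                     # owning PID
)


def parse_netstat(text: str) -> list[Socket]:
    """Parse the rows of a `netstat -ano` dump, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # "Active Connections", column header, blank lines
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append(Socket(proto, laddr, int(lport), raddr,
                           int(rport) if rport.isdigit() else None,
                           state, int(pid)))
    return rows


def is_local_or_lan(addr: str) -> bool:
    """True for the wildcard, loopback, unspecified and RFC 1918 addresses."""
    if addr == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local


def external_connections(rows: list[Socket]) -> list[Socket]:
    """TCP sockets whose peer is outside the LAN: the traffic on the ADSL link."""
    return [r for r in rows
            if r.proto == "TCP" and r.state not in (None, "LISTENING")
            and not is_local_or_lan(r.remote_addr)]


def listeners_by_pid(rows: list[Socket]) -> dict[int, list[tuple[str, int]]]:
    """Map each PID to its bound ports (TCP LISTENING, or any UDP socket)."""
    out = defaultdict(list)
    for r in rows:
        if (r.proto == "TCP" and r.state == "LISTENING") or r.proto == "UDP":
            out[r.pid].append((r.proto, r.local_port))
    return {pid: sorted(ports) for pid, ports in out.items()}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for c in external_connections(rows):
        print(f"PID {c.pid:>5}  {c.local_addr}:{c.local_port} -> "
              f"{c.remote_addr}:{c.remote_port}  {c.state}")
    for pid, ports in sorted(listeners_by_pid(rows).items()):
        print(f"PID {pid:>5} bound: {ports}")
```

Run it against a saved `netstat -ano > netstat.txt` from the server, then resolve each flagged PID on the box itself with `tasklist /svc /fi "PID eq 1812"` (the PID of the SYN_SENT to port 25 in the sample), and look the same PID up in Process Explorer to check the image path and publisher. A single snapshot only shows what was connected at that instant; take several a few minutes apart, or use TDIMon as Steve suggests, before deciding which process is the talker.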