#1

Hi!,

in our company we have a Windows NT 4.0 server with SP6a, SQL Server 7.0 SP4 and Exchange Server. We use this server to host our web site and mails.

After many years without problems, in the last 2 months I have noticed a problem: sometimes, ASP pages returned this error:

Server object error 'ASP 0177 : 800706ba'
RPC Server Unavailable

Checking the Task Manager I have noticed that the RPC Service was stopped (and never wanted to restart without restarting the whole server).

The fact that I installed the updates makes me exclude Sasser and C...

Then (today) we installed a hardware firewall.

I have seen many interesting things (many pings, FTP access attempts...) and, above all, I have seen that OUR SERVER was scanning many ports over the internet.

In particular the source was our server at port 1433 or 80 or 110.

The fact that I saw port 1433 makes me think about the Slammer Worm, but we have installed the updates.... and I also used the removal tool, which did not find anything...

In the end, the port scanning coming from ports 80 and 110 makes me insane!!!

I do not know what to think now.

Can someone act in a way that my server seems to make this port scanning while, in fact, it is not?

Have you got any ideas?

Many Thanks

Paul

Luca
#2

Posts: n/a

On 3 Jan 2005 21:04:41 +0100, "Luca" <> wrote:

> Have you got any ideas?
>
> Many Thanks
>
> Paul

#########################

I have a few ideas. Your server may have been compromised through port 1433, which SQL uses. The first place I would look is in the registry.

HKLM, Software, Microsoft, Windows, CurrentVersion, Run

Many trojans run from there. Look at msconfig, autoexecnt.bat, win.ini, config.sys, etc....depending on which version of Windows you are using.

donnie.

donnie
#3

Posts: n/a

"Luca" <> confessed in news:41d9a559$:

> Hi!,
>
> in our company we have a Windows NT 4.0 server with SP6a, SQL Server 7.0 SP4
> and Exchange Server.
> We use this server to host our web site and mails
>
> After many years without problems, in the last 2 months I have noticed a
> problem: sometimes, ASP pages returned this error: Server object error 'ASP
> 0177 : 800706ba' RPC Server Unavailable
>
> Checking the Task Manager I have noticed that the RPC Service was stopped (and
> never wanted to restart without restarting the whole server)
>
> The fact that I installed the updates makes me exclude Sasser and C...
>
> Then (today) we installed a hardware firewall
>
> I have seen many interesting things (many pings, FTP access attempts...) and,
> above all, I have seen that OUR SERVER was scanning many ports over the
> internet
>
> In particular the source was our server at port 1433 or 80 or 110
>
> The fact that I saw port 1433 makes me think about the Slammer Worm, but we have
> installed the updates.... and I also used the removal tool, which did not find
> anything...
>
> In the end, the port scanning coming from ports 80 and 110 makes me
> insane!!!
>
> I do not know what to think now
>
> Can someone act in a way that my server seems to make this port scanning
> while, in fact, it is not?
>
> Have you got any ideas?
>
> Many Thanks
>
> Paul

Whoa! Is there really a problem?

First, how do you know your server is "scanning" the internet? Do you see connections? Do you see SYN packets coming from port 1433 on your LAN to other servers outside of your LAN? It is quite unusual for malware to use the known ports for the return path.

What does netstat -an reveal?

SQL Server opens port 1433 for API access to the database. It SHOULD be LISTENING on port 1433. More importantly, your border firewall should be BLOCKING any connection from the internet to your LAN on 1433, unless you wish to allow outsiders to connect directly to your SQL server. In this case I'd be very selective about who I would let talk to port 1433--slammer is still out there.

Likewise, Exchange Server listens on Port 110 for POP traffic, port 25 for SMTP traffic, port 143 for IMAP connections, etc. All normal, just as IIS listens on port 80 for web traffic.

Is this what you're seeing? Then no worries.

BTW, running SQL, IIS, and Exchange on the SAME server is never a good idea, no matter how much capacity you have. How about your domain controller--same box?

--
ipgrunt

IPGrunt
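Added example, not part of the thread or written by any poster: a Python sketch of the `netstat -an` check asked about in post #3. It separates connections on the server's own listening ports (where outgoing packets carry source port 80, 110 or 1433 because they are replies) from connections the server itself opened. The sample output, the addresses and the `min_hosts` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3311      ESTABLISHED
  TCP    192.0.2.10:110         198.51.100.8:2950      TIME_WAIT
  TCP    192.0.2.10:1433        198.51.100.9:4120      ESTABLISHED
  TCP    192.0.2.10:1050        198.51.100.40:25       ESTABLISHED
  TCP    192.0.2.10:1061        203.0.113.21:1433      SYN_SENT
  TCP    192.0.2.10:1062        203.0.113.22:1433      SYN_SENT
  TCP    192.0.2.10:1063        203.0.113.23:1433      SYN_SENT
  UDP    0.0.0.0:1434           *:*
"""

def port_of(addr):
    """Return the port from an 'ip:port' column."""
    return int(addr.rpartition(":")[2])

def classify(netstat_text):
    """Split TCP rows into (listening ports, inbound, outbound)."""
    rows = [line.split() for line in netstat_text.splitlines()]
    tcp = [r for r in rows if len(r) == 4 and r[0] == "TCP"]  # UDP rows have no state
    listening = {port_of(r[1]) for r in tcp if r[3] == "LISTENING"}
    inbound, outbound = [], []
    for _, local, remote, state in tcp:
        if state == "LISTENING":
            continue
        host = remote.rpartition(":")[0]
        if port_of(local) in listening:
            # A client reached one of our services; packets we send back carry
            # source port 80/110/1433 because they are replies, not a scan.
            inbound.append((port_of(local), host, state))
        else:
            # Ephemeral local port: this machine opened the connection.
            outbound.append((host, port_of(remote), state))
    return listening, inbound, outbound

def fanout_suspects(outbound, min_hosts=3):
    """Remote ports with unanswered SYNs to min_hosts or more distinct hosts."""
    seen = defaultdict(set)
    for host, port, state in outbound:
        if state == "SYN_SENT":
            seen[port].add(host)
    return {p: sorted(h) for p, h in seen.items() if len(h) >= min_hosts}
```

A single snapshot can miss short-lived connections, so the same classification is more useful when run over several captures taken a few seconds apart.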