Thread: Have you seen these symptoms?

  1. #1
    Junior Member
    Join Date
    Apr 2003
    Posts
    18

    Have you seen these symptoms?

    First some background.
    Win2k server that was infected with the tk worm. I was able to remove the bot fairly easily, followed by speech no. 106 regarding the importance of virus protection and keeping your system patched.

    What I have now after running netstat is a very large group of sequential ports (1024, 1025, 1026, 1027, etc.) on the server connected to the LDAP port on the same server.
    It's making (estimate) a hundred or more connections to itself. Rebooting doesn't clear them.
    It is running Exchange 2000, DNS, DHCP and WINS.

    I have researched Google, Microsoft and any number of hack/crack sites looking for information on whether this is a bug or another symptom of a hacked system. I am tempted to err on the side of caution and recommend we rebuild his server, but I thought maybe someone here would have an idea or point me in the right direction.
    Thanks in advance for any help you could provide.
    Regards,
    Your Ole Sarge

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sarge: Greetz from another old Sarge......

    Though you didn't say it, I'm guessing that your Exchange server is also an AD server for the domain. When I netstat my Exchange 2000 server it shows numerous LDAP connections to one of my AD controllers. My Exchange box is not an AD controller, thus it is getting its domain info from elsewhere.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date
    Apr 2003
    Posts
    18
    You're right, it is his AD server. Makes me wonder if it's normal behavior. I will have to check all my customers' servers to see if that's a normal condition. It seems a bit much to me for a single server environment but who knows. Thanks for the reply.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think you'll find it's normal..... Exchange is so tied into AD that it is using multiple threads for the busy moments and you are seeing the results of that. The only apparent difference between my server and yours is the source ports.... Mine are higher than yours but that may be a product of yours being its own AD server and allocating them right at start-up rather than having to wait a while until all the network connections have been made.

  5. #5
    Junior Member
    Join Date
    Apr 2003
    Posts
    18
    Detroit huh? Tell the Nuge I said Hi. Thanks for the help.
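
Added example, not part of any post in this thread: a short Python script that sorts `netstat -an` output the way the thread reads it, separating the server's connections to its own LDAP port from every other established connection so the remainder can be reviewed on its own. The sample output is constructed, and the column layout and port 389 for LDAP are assumptions about the host being checked.

```python
import re

LDAP_PORT = 389  # assumption: LDAP on its default TCP port

# Constructed sample of `netstat -an` output; all addresses and ports are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:389       192.168.1.10:1024      ESTABLISHED
  TCP    192.168.1.10:389       192.168.1.10:1025      ESTABLISHED
  TCP    192.168.1.10:1024      192.168.1.10:389       ESTABLISHED
  TCP    192.168.1.10:1025      192.168.1.10:389       ESTABLISHED
  TCP    192.168.1.10:1026      192.168.1.10:389       ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.77:4021      ESTABLISHED
  TCP    192.168.1.10:1044      10.9.9.9:80            ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def summarize(netstat_text, service_port=LDAP_PORT):
    """Split ESTABLISHED TCP rows into self-connections to service_port and the rest."""
    self_ports, other = [], []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(5) != "ESTABLISHED":
            continue  # headers, UDP rows, LISTENING/TIME_WAIT etc.
        laddr, lport, raddr, rport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if laddr == raddr and rport == service_port:
            self_ports.append(lport)          # client side of a same-host connection
        elif laddr == raddr and lport == service_port:
            continue                          # server-side mirror of a row counted above
        else:
            other.append((f"{laddr}:{lport}", f"{raddr}:{rport}"))
    self_ports.sort()
    # "Sequential" as in the first post: source ports form one unbroken run.
    contiguous = len(self_ports) > 1 and self_ports[-1] - self_ports[0] == len(self_ports) - 1
    return {"self_ports": self_ports, "contiguous": contiguous, "other": other}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{len(report['self_ports'])} self-connections to port {LDAP_PORT}, "
          f"contiguous source ports: {report['contiguous']}")
    for local, remote in report["other"]:
        print(f"review: {local} -> {remote}")
```
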
