June 17th, 2003, 03:26 PM
Have you seen these symptoms?
First some background.
Win2k server that was infected with the tk worm. I was able to remove the bot fairly easily, followed by speech no. 106 regarding the importance of virus protection and keeping your system patched.
What I have now after running netstat is a very large group of sequential ports (1024, 1025, 1026, 1027, etc.) on the server connected to the LDAP port on the same server.
It's making (estimate) a hundred or more connections to itself. Rebooting doesn't clear them.
It is running Exchange 2000, DNS, DHCP and WINS.
I have researched Google, Microsoft and any number of hack/crack sites looking for information on whether this is a bug or another symptom of a hacked system. I am tempted to err on the side of caution and recommend we rebuild his server, but I thought maybe someone here would have an idea or point me in the right direction.
Thanks in advance for any help you could provide.
Your Ole Sarge
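
The netstat symptom described in the post, as an added triage example that is not part of the original post: it counts the connections a host makes to its own LDAP port in `netstat -an` output and groups the client-side ports into sequential runs. The sample output, the addresses and the function names are constructed for illustration; 389 is assumed as the LDAP port because it is the standard one.

```python
import re

# Constructed sample in the layout of Windows `netstat -an` output; not from the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1024        192.0.2.10:389         ESTABLISHED
  TCP    192.0.2.10:1025        192.0.2.10:389         ESTABLISHED
  TCP    192.0.2.10:1026        192.0.2.10:389         ESTABLISHED
  TCP    192.0.2.10:1027        192.0.2.10:389         ESTABLISHED
  TCP    192.0.2.10:389         192.0.2.10:1024        ESTABLISHED
  TCP    192.0.2.10:389         192.0.2.10:1025        ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.7:4021      ESTABLISHED
  TCP    192.0.2.10:1040        192.0.2.10:3268        ESTABLISHED
  UDP    192.0.2.10:53          *:*
"""

# One TCP row: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def self_connections(text, service_port=389):
    """Sorted client-side ports of ESTABLISHED connections from the host to its own service_port."""
    ports = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        laddr, lport, faddr, fport, state = m.groups()
        # Same address on both ends and the remote end is the service: the
        # client half of a self-connection. The server half (local port equal
        # to service_port) is skipped so each connection is counted once.
        if state == "ESTABLISHED" and laddr == faddr and int(fport) == service_port:
            ports.add(int(lport))
    return sorted(ports)

def sequential_runs(ports):
    """Collapse sorted port numbers into (first, last) runs of consecutive values."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]

if __name__ == "__main__":
    found = self_connections(SAMPLE)
    print(len(found), "self-connections to port 389; client port runs:", sequential_runs(found))
```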