August 17th, 2003, 11:21 PM
EMERGENCY: Windows XP attacking Windows 2000 Server?
I know you are probably not fond of newbies starting a thread saying they have an emergency, but I need some help ASAP.
I am in a seriously bad position: I have been chosen to migrate from an NT server to Windows 2000 Server. The Windows 2000 server is fully patched, and has BlackICE 3.6 and Symantec AntiVirus 8.01.
A large portion of the department is Windows XP machines; when I connect to the Windows 2000 server, I can log on fine, and I can see all of my network drives and edit them normally.
BUT in the log on the Windows 2000 server, the BlackICE log says that my Windows XP machines are scanning ports 80 and 443. This is highlighted as a major problem (within the BlackICE program). All the computers in my department are in the allowed IP range on BlackICE (including the XP machines that are 'scanning' these ports).
My main question is how I can make the Windows XP machines stop trying to search for open ports on ports 80 and 443, and also, is there a service that might be doing this?
Sorry for the urgency, and I know you might get this a lot, but I am probably going to lose my job if I cannot figure this out in 3 days, and this was my last resort :-/ (I called my IT department and they gave me no help; they said it was on me.)
Also on a side note:
Does anyone know which ports the lsass.exe (LSA Shell) program uses to connect with the server (w2kserver)?
Another note: I have contacted my IT head department and they said it was all up to me to figure this thing out, so I am kind of in a bad position.
Thanks for listening, and for the help.
August 18th, 2003, 12:36 AM
I wouldn't really worry about it. Peeps from XP puters wanna browse the web: http (port 80) and https (port 443). Cheers!
August 18th, 2003, 12:40 AM
Thanks, I have come to the conclusion that it is no big deal. BUT my manager (boss) is aware of it, and he would like to know several things about it before we continue with the migration: he wants to know why it's happening, what (service, app) is causing it to happen, and can it be stopped, or should it be stopped.
August 18th, 2003, 12:44 AM
Are you running IIS or web based apps with SSL?
August 18th, 2003, 12:46 AM
This really is NOT my area, so please forgive me if I am talking premium grade SH1T. I got rid of Black*** some years ago because I thought it was giving me somewhat "hypercautious" results....... Could it be a software (firewall) problem? False positives and all that... cannot handle the mixed environment?......... I would never have it... heard too many tales of woe?.... All those are hearsay of course... not my field, as I warned you.
Might I suggest that you get a trial of an alternative firewall product or two, and see if you get the same answers, and if they are highlighted the same. Also try different AV products.......... They will give you a 30 day trial... you do not have that long from what you say? You should really scan the lot with everything "on", as they say.
As for the threats to your job..........we have a saying over here............"the higher a monkey climbs a tree.........the more he shows his @ss" They really don't understand do they?
This is the mentality that allows things like 9/11 to happen."Do something about that fire alarm or you are fired"..............great I'll turn it off.................not quite the right thing to do, but that is what the "Boss" will achieve, and what he wants to (not) hear?.
Did you decide to go to 2000 server from XP?..............that is supposed to be backwards? I will bet that you have been put in a situation...you are not getting help because they are just after looking after themselves? They tried and couldn't hack it (oops...wrong turn of phrase in this environment? ) so they got you in as a "scapegoat" to take the blame?
I guess you should do some sample scanning of the XP clients?....just in case something got on them from the old XP server? You know, AV, trojans etc.
Also, try attaching a Win2K pro client, and see what you get with that. That is total "like to like", so it might tell you something.
I am pretty drunk now (what do you mean, you guessed that already?) as it is 00.40 hrs here (Monday).
Good Luck my friend!
August 18th, 2003, 12:49 AM
Browsers like Opera, Internet Explorer used from the XP puters. Cheers!
August 18th, 2003, 12:50 AM
Are you running IIS or web based apps with SSL?
Nope, IIS is disabled, and there are no web-based apps on the Windows 2000 Server.
August 18th, 2003, 01:08 AM
BTW, open Task Manager / View / Select Columns / check PID / OK, now remember lsass.exe's PID, then do a netstat -ano. Cheers!
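A scripted version of the PID-to-socket mapping described in the post above. This is an added example, not code anyone posted in the thread: it parses constructed samples of XP's tasklist and netstat -ano output (the PIDs, addresses and ports in them are invented), joins the two on PID, and reports which remote ports a named process is talking to. Two caveats the thread does not mention: the -o switch of netstat first appeared with Windows XP, so this has to run on the XP workstation rather than on the Windows 2000 server; and what a domain member's lsass.exe typically talks to is the domain controller on Kerberos (88), LDAP (389) and RPC ports, which is the shape the sample mimics.

```python
"""Tie the sockets in `netstat -ano` back to a process by PID.

Added example, not code from the thread. The two samples below are
constructed to look like XP's `tasklist` and `netstat -ano` output; every
PID, address and port in them is made up. `netstat -o` first appeared in
XP, so run this on the XP workstation, not on the Windows 2000 server.
"""
import re
import subprocess
import sys

TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
lsass.exe                    592 Console                 0      5,204 K
svchost.exe                  896 Console                 0      3,112 K
"""

NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    10.1.2.50:1042         10.1.2.10:389          ESTABLISHED     592
  TCP    10.1.2.50:1043         10.1.2.10:445          ESTABLISHED     4
  UDP    10.1.2.50:88           *:*                                    592
"""

# image name, PID, session name, session number, memory usage
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Return {pid: image name}; header and separator lines don't match the row pattern."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.rstrip())
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[0], parts[1], parts[2], parts[3], int(parts[4])
        else:
            proto, local, foreign, state, pid = parts[0], parts[1], parts[2], "", int(parts[3])
        rows.append((proto, local, foreign, state, pid))
    return rows


def sockets_for(image_name, tasklist_text, netstat_text):
    """Every netstat row whose PID belongs to a process called image_name."""
    pids = {pid for pid, name in parse_tasklist(tasklist_text).items()
            if name.lower() == image_name.lower()}
    return [row for row in parse_netstat(netstat_text) if row[4] in pids]


def remote_ports(image_name, tasklist_text, netstat_text):
    """Distinct foreign ports the process is connected to (listening and unbound rows skipped)."""
    ports = set()
    for proto, local, foreign, state, pid in sockets_for(image_name, tasklist_text, netstat_text):
        host, _, port = foreign.rpartition(":")
        if port.isdigit() and state != "LISTENING":
            ports.add(int(port))
    return sorted(ports)


def live_output():
    """On Windows fetch the real command output; elsewhere fall back to the samples."""
    if sys.platform != "win32":
        return TASKLIST_SAMPLE, NETSTAT_SAMPLE
    return (subprocess.check_output(["tasklist"], text=True),
            subprocess.check_output(["netstat", "-ano"], text=True))


if __name__ == "__main__":
    tasks, conns = live_output()
    for row in sockets_for("lsass.exe", tasks, conns):
        print(" ".join(str(field) for field in row))
    print("remote ports:", remote_ports("lsass.exe", tasks, conns))
```

Run it on one of the XP clients and compare the remote ports it reports for lsass.exe against what BlackICE flags; if the only 80/443 traffic comes from a different PID, lsass.exe is not the culprit for the "scans".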
August 18th, 2003, 09:45 AM
Probably a silly question..... Why are you firewalling a production server from its clients? If the server contains their data and you only have appropriate services running on the server to provide that data, the server shouldn't need to be firewalled internally, and doing so will probably cause you little heartaches like this for the foreseeable future.
I would move your firewall protection to the perimeter unless you have a specific reason for firewalling the server from your own machines.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
August 18th, 2003, 09:55 AM
WinXP has some odd behaviour. If it tries to access a normal file share, it will also try to use WebDAV. These are the port 80 and 443 connections you are seeing. Hook up a sniffer to make sure. You will notice WinXP doing an OPTIONS /filename when it tries to access a share. This seems to be by design. Go figure.
Edit: This seems to be caused by the WebClient service on XP. Try disabling this service and recheck. The WebClient service will try to use WebDAV to access the file/share before it will use SMB.
Experience is something you don't get until just after you need it.
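The sniffer check suggested in the post above, as an added example that is not code from the thread. With IIS disabled nothing on the server completes the handshake, so on the wire you only see each XP client's SYN to 80/443 answered by a RST, which is exactly the pattern a host IDS counts as a port scan; the requests themselves only become visible where something does listen, for instance a test box. The capture records below are constructed by hand to look like that case (addresses, host name and paths are made up), and the script picks out the requests the WebClient service makes while resolving a UNC path: WebDAV-only methods such as PROPFIND, and any request carrying the User-Agent prefix the XP mini-redirector sends, Microsoft-WebDAV-MiniRedir. A plain OPTIONS from a browser is deliberately not counted. Port 443 traffic is TLS, so the method is invisible there and only the connection attempt can be counted.

```python
"""Pick out WebClient (WebDAV mini-redirector) requests from sniffed HTTP traffic.

Added example, not code from the thread. CAPTURE is constructed by hand to
resemble what a sniffer shows when an XP box opens \\\\w2kserver\\share with
something listening on port 80; the request line and User-Agent are the
fields the check keys on. Addresses, host names and paths are made up.
"""
import re
from collections import defaultdict

# Constructed records: (client address, server port, start of the TCP payload).
CAPTURE = [
    ("10.1.2.50", 80,
     "OPTIONS /share HTTP/1.1\r\n"
     "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
     "Host: w2kserver\r\n\r\n"),
    ("10.1.2.50", 80,
     "PROPFIND /share/report.doc HTTP/1.1\r\n"
     "Depth: 0\r\n"
     "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
     "Host: w2kserver\r\n\r\n"),
    ("10.1.2.51", 80,
     "GET /index.html HTTP/1.1\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
     "Host: w2kserver\r\n\r\n"),
    ("10.1.2.51", 80,
     "OPTIONS * HTTP/1.1\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
     "Host: w2kserver\r\n\r\n"),
    # an ordinary SMB session setup on 445: not HTTP, never a WebDAV probe
    ("10.1.2.52", 445, "\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00"),
]

# Methods that only a WebDAV client sends (RFC 2518); OPTIONS alone is plain HTTP.
DAV_ONLY_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-Agent prefix of the XP WebClient mini-redirector.
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload):
    """Return (method, target, headers) or None if the payload is not an HTTP request."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    headers = {}
    for line in payload[m.end():].split("\r\n"):
        if line == "":           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def is_webclient_probe(payload):
    """True for requests the WebClient service makes while resolving a UNC path."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return False
    method, _, headers = parsed
    user_agent = headers.get("user-agent", "")
    return method in DAV_ONLY_METHODS or user_agent.startswith(MINIREDIR_UA)


def webclient_probes(capture):
    """(client, method, target) for every WebClient request sent to a web port."""
    hits = []
    for client, port, payload in capture:
        if port in (80, 443) and is_webclient_probe(payload):
            method, target, _ = parse_http_request(payload)
            hits.append((client, method, target))
    return hits


def clients_to_fix(capture):
    """{client: probe count} for the machines whose WebClient service is hitting the server."""
    counts = defaultdict(int)
    for client, _, _ in webclient_probes(capture):
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, method, target in webclient_probes(CAPTURE):
        print(f"{client} -> {method} {target}")
    print("disable WebClient on:", clients_to_fix(CAPTURE))
```

Once the offending clients are listed, the fix the post names is applied per client from an administrative command prompt: net stop WebClient, then sc config WebClient start= disabled (sc needs the space after "start="). Bear in mind that this also removes Web Folders / WebDAV access from that client, so confirm nobody relies on it before rolling it out department-wide.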