Posted by Chris Coates on December 8, 2006, 10:48 am
I am working with a Win2003 AD DC. This server runs DNS, DHCP, RAS, WINS and is an FTP source as well as a file server and print server.
Yeah, I know this is terrible on a DC. This is not my network, I was just asked to try to solve this problem for someone.
For the last week their firewall logs have been recording large amounts of failed connections (about 12 a min.) coming from this DC to what appear to be a mix of different addresses. The traffic is coming from ports 445 and 3389 (TS) mostly, but there is some from 139 as well.
I have scanned it with 2 different virus scanners (with current DATs) and nothing is found. Event logs show nothing. Sysinternals (Microsoft) Regmon and Filemon show nothing obvious.
Not sure where to go from here, any useful suggestions are appreciated.
Thanks
Chris
Posted by Chris on December 8, 2006, 5:12 pm
Chris,
You may want to use something like TCPView from Sysinternals to identify
what process is trying to make those connections.
Chris
Posted by Roger Abell [MVP] on December 9, 2006, 1:04 am
Besides Tcpview, you could also try PortQry and PortRptr
http://support.microsoft.com/kb/837243
although a DC would have quite a bit going on.
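A scriptable counterpart to the TCPView / PortQry suggestions in the replies above, added here as an example and not part of the thread: it parses `netstat -ano` output (the sample below is constructed) and reports which PIDs have pending outbound connections to 445, 139 or 3389 across several distinct hosts, which is the pattern the firewall logs describe. The PID-to-image mapping is a constructed stand-in for `tasklist` output.

```python
"""Find processes with pending outbound SMB/RDP attempts in `netstat -ano` output."""
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:1061      203.0.113.5:445        SYN_SENT        1456
  TCP    192.168.1.10:1062      203.0.113.9:445        SYN_SENT        1456
  TCP    192.168.1.10:1063      198.51.100.7:3389      SYN_SENT        1456
  TCP    192.168.1.10:1064      198.51.100.8:139       SYN_SENT        1456
  TCP    192.168.1.10:1065      192.168.1.30:3389      ESTABLISHED     2310
"""

# Constructed PID -> image name map standing in for `tasklist` output.
TASKLIST_SAMPLE = {4: "System", 1456: "svchost.exe", 2310: "mstsc.exe"}

# Ports named in the original post: SMB over TCP, NetBIOS session, Terminal Services.
SUSPECT_PORTS = {445, 139, 3389}


def parse_netstat(text):
    """Yield (pid, remote_ip, remote_port, state) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank, or UDP rows (UDP has no state column)
        _, _, foreign, state, pid = parts
        ip, _, port = foreign.rpartition(":")  # also copes with [ipv6]:port
        yield int(pid), ip, int(port), state


def outbound_by_pid(text, min_hosts=2):
    """Return {pid: (distinct_remote_hosts, attempts)} for PIDs with
    SYN_SENT (unanswered) connections to SUSPECT_PORTS on >= min_hosts hosts."""
    hosts, attempts = defaultdict(set), defaultdict(int)
    for pid, ip, port, state in parse_netstat(text):
        if state == "SYN_SENT" and port in SUSPECT_PORTS:
            hosts[pid].add(ip)
            attempts[pid] += 1
    return {pid: (len(h), attempts[pid])
            for pid, h in hosts.items() if len(h) >= min_hosts}


def report(text, tasklist):
    """Rows of (pid, image_name, distinct_hosts, pending_attempts)."""
    return [(pid, tasklist.get(pid, "?"), n_hosts, n)
            for pid, (n_hosts, n) in sorted(outbound_by_pid(text).items())]


if __name__ == "__main__":
    for row in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PID %d (%s): %d distinct hosts, %d pending attempts" % row)
```

A single `netstat` snapshot only catches attempts in flight, so run it a few times a minute given the reported rate; when the owner is an svchost.exe instance, `tasklist /svc` shows which services share that PID.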