W2K netstat detects port 1433 is listening but fport does NOT..., can't start mission critical SQL Server !!!

Posted by SammyBar on October 14, 2005, 1:20 pm
Hi all,

I have a problem with my SQL Server 2000 server. A malware captured the 1433
port when we restarted the SQL Server service. Now we have some users (that
use TCP/IP to connect to the server instead of named pipes) that cannot
access the server. The server is mission critical and cannot be reset until
midnight to eliminate the virus. We want to kill the malware process but we
cannot get the process ID of the malware. We tried with the latest fport
downloaded from Foundstone but it doesn't list the 1433 port as being in
use. But netstat -an clearly shows the 1433 port is listening. The SQL
Server log says it could not bind to 1433. So is it possible fport
fails to detect a process? Which other way can I use to detect the process
ID of the malware apart from fport?

Thanks in advance
Sammy




Posted by David H. Lipman on October 14, 2005, 5:18 pm


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one
Link (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE.
It will simplify the process of using the Sophos, Trend, Kaspersky and McAfee
Anti-Virus Command Line Scanners to remove viruses, Trojans and various other
malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web
site. The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files, or you
can download the files and perform a scan in Normal Mode. Once you have downloaded
the files needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key during boot], re-run the menu and choose which scanner you want
to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and
Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive
PDF help file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through
your firewall so it can download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm




Posted by Steven L Umbach on October 14, 2005, 5:59 pm
Try Process Explorer from SysInternals. In the properties of each process is
a page for TCP/IP info that will show if any port is used. TCPView may also
be helpful, but Process Explorer is the king of process identification. You
also have the option to kill the process or process tree, though that does
not work all the time. Also check your services, as sometimes malware will
install as a service that you could try to stop/disable. --- Steve

http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.sysinternals.com/Utilities/TcpView.html





Posted by SammyBar on October 14, 2005, 7:15 pm
I was able to find the process that is listening on the 1433 port: it is the
System process! I cannot shut it down.
Anyway, thanks for the help

Sammy




Posted by Roger Abell [MVP] on October 14, 2005, 11:19 pm
I am hearing you make the assumption that it is a light-weight malware,
which may or may not be so. That it shows as running in a System context
only means it is using that account and/or has attached into some process
tree started by System.

Feel good that it is showing at all, as that tends to say it is not a rootkit
you are up against (yet).

You might want to try PortRptr to see if the logs help you narrow things down:
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=PortRptr

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
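The thread's two practical lessons are (1) map the listening port to its owning process with something other than fport, and (2) if the owner turns out to be PID 4 (System), there is no user-mode image to kill, because the socket was opened by kernel-mode code (a driver, or http.sys on later Windows), so the thing to audit is the loaded driver set. The script below is an added example, not something posted in the thread. It assumes a modern Windows host (Windows 8 / Server 2012 or later) where the NetTCPIP module exists; the Windows 2000 box in the thread has neither Get-NetTCPConnection nor the "netstat -o" owning-PID column (added in XP/2003), which is exactly why fport, TCPView and Process Explorer were needed there. The port number 1433 is taken from the thread; everything else (function names, the "non-Microsoft signer" heuristic) is the example's own choice.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later
# with the NetTCPIP module, run from an elevated PowerShell session.

function Get-ListenerOwner {
    # Map every TCP listener (or just one port) to its owning process, image
    # path and any Win32 services hosted inside that process.
    [CmdletBinding()]
    param([int]$Port = 0)

    $listeners = Get-NetTCPConnection -State Listen -ErrorAction Stop
    if ($Port -gt 0) { $listeners = $listeners | Where-Object LocalPort -eq $Port }

    foreach ($l in $listeners) {
        $owner = $l.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                 Select-Object -ExpandProperty Name

        # PID 0 (Idle) or PID 4 (System): the socket was opened from kernel
        # mode, so there is no user-mode process to terminate.
        $kernelOwned = $owner -le 4

        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            PID          = $owner
            ProcessName  = if ($proc) { $proc.ProcessName }
                           elseif ($kernelOwned) { 'System' }
                           else { '<exited/inaccessible>' }
            ImagePath    = if ($proc) { $proc.Path } else { $null }
            Services     = ($svcs -join ',')
            KernelOwned  = $kernelOwned
        }
    }
}

function Get-SuspectDrivers {
    # For a PID-4 listener, audit running kernel drivers instead of processes.
    # Heuristic (the example's own): list running drivers whose image is not
    # signed by Microsoft, or not signed at all. A third-party driver that is
    # WHQL-countersigned carries a Microsoft subject and is skipped, so treat
    # this as a triage filter, not as proof of anything.
    $drivers = Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'"
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }
        # Normalise NT-style paths (\SystemRoot\..., \??\C:\...) to Win32 paths.
        $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot `
                            -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Driver    = $d.Name
                Path      = $path
                SigStatus = $sig.Status
                Signer    = $signer
            }
        }
    }
}

# Usage: who owns 1433, and if it is System, which non-Microsoft drivers are loaded?
$owner = Get-ListenerOwner -Port 1433
$owner | Format-Table -AutoSize
if ($owner | Where-Object KernelOwned) {
    Write-Warning 'Port is owned by PID 4 (System): inspect kernel drivers, not processes.'
    Get-SuspectDrivers | Format-Table -AutoSize
}
```

Get-ListenerOwner gives the same port-to-process view Steve describes for Process Explorer's TCP/IP tab, plus the services hosted in the owning process so a malicious service can be stopped rather than the process killed. If the owner is PID 4, as in Sammy's case, killing is not an option and Get-SuspectDrivers narrows the search to kernel drivers; the fact that a listener shows up at all under a known PID is the good sign Roger points to, since a rootkit that hooked the enumeration path would hide the socket from both netstat and this script.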



