Hi!

My server shut downs unexpected randomly. Evend log only shows "Last
shutdown was unspected".
I checked everythink, and i changed switch, cable and ... computer! I
changed computer 2 times, and network card! I applied registry
recomendations of microsoft to improve TCP security.And the problem persist!
Theres is a expert people here (MCP, MVP) without answer for this question.

My computer has a public IP, but is behind a firewall, and only with open
TCP ports to a custom application. (this application was working fine for 6
months).

The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A MALFORMED
OR SOME KIND OF TCP PACKETS?

Thank you in advance!!!!!

Pet.
to msoft people: if you think that this can be a bug of tcp/ip stack, and do
you want to analyze it, i can offer to you to take full control over this
server.

It is possible, but only one possiblity. Before you start goijng down the
network attack path, check your System, Application and Security event logs
for ANY recent event errors that may give you some type of a clue to what
may have caused the shutdown.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.


"Peter Slam" <(E-Mail Removed)> wrote in message
news:uPKX#Ir#(E-Mail Removed)...
> Hi!
>
> My server shut downs unexpected randomly. Evend log only shows "Last
> shutdown was unspected".
> I checked everythink, and i changed switch, cable and ... computer! I
> changed computer 2 times, and network card! I applied registry
> recomendations of microsoft to improve TCP security.And the problem
persist!
> Theres is a expert people here (MCP, MVP) without answer for this
question.
>
> My computer has a public IP, but is behind a firewall, and only with open
> TCP ports to a custom application. (this application was working fine for
6
> months).
>
> The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
MALFORMED
> OR SOME KIND OF TCP PACKETS?
>
> Thank you in advance!!!!!
>
> Pet.
> to msoft people: if you think that this can be a bug of tcp/ip stack, and
do
> you want to analyze it, i can offer to you to take full control over this
> server.
>
>
>

Marc,

System, Application and Security event logs are EMPTY!
In one of the machines tested, one time is see a "bluescreen" with NDIS
error before restart.

There is a patch to make more secure TCP/IP stack? (even if this is
expeerimental or in beta stage, i will try it!)

Thanks,

Pet.


"Marc Reynolds [MSFT]" <(E-Mail Removed)> wrote in message
news:edGWEEt%(E-Mail Removed)...
> It is possible, but only one possiblity. Before you start goijng down the
> network attack path, check your System, Application and Security event
logs
> for ANY recent event errors that may give you some type of a clue to what
> may have caused the shutdown.
>
> --
>
> Thanks,
> Marc Reynolds
> Microsoft Technical Support
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
> "Peter Slam" <(E-Mail Removed)> wrote in message
> news:uPKX#Ir#(E-Mail Removed)...
> > Hi!
> >
> > My server shut downs unexpected randomly. Evend log only shows "Last
> > shutdown was unspected".
> > I checked everythink, and i changed switch, cable and ... computer! I
> > changed computer 2 times, and network card! I applied registry
> > recomendations of microsoft to improve TCP security.And the problem
> persist!
> > Theres is a expert people here (MCP, MVP) without answer for this
> question.
> >
> > My computer has a public IP, but is behind a firewall, and only with
open
> > TCP ports to a custom application. (this application was working fine
for
> 6
> > months).
> >
> > The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> MALFORMED
> > OR SOME KIND OF TCP PACKETS?
> >
> > Thank you in advance!!!!!
> >
> > Pet.
> > to msoft people: if you think that this can be a bug of tcp/ip stack,
and
> do
> > you want to analyze it, i can offer to you to take full control over
this
> > server.
> >
> >
> >
>
>

First things first - do you have a good UPS with a management cable? If not,
you may have experienced power problems....

Peter Slam wrote:
> Hi!
>
> My server shut downs unexpected randomly. Evend log only shows "Last
> shutdown was unspected".
> I checked everythink, and i changed switch, cable and ... computer! I
> changed computer 2 times, and network card! I applied registry
> recomendations of microsoft to improve TCP security.And the problem
> persist! Theres is a expert people here (MCP, MVP) without answer for
> this question.
>
> My computer has a public IP, but is behind a firewall, and only with
> open TCP ports to a custom application. (this application was working
> fine for 6 months).
>
> The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> MALFORMED OR SOME KIND OF TCP PACKETS?
>
> Thank you in advance!!!!!
>
> Pet.
> to msoft people: if you think that this can be a bug of tcp/ip stack,
> and do you want to analyze it, i can offer to you to take full
> control over this server.

This server is inside a high security hosting building, with 2 lines of
power. I tryied 2 lines. This is not the problem.

(

"Lanwench [MVP - Exchange]"
<(E-Mail Removed)> wrote in message
news:us7xLPv%(E-Mail Removed)...
> First things first - do you have a good UPS with a management cable? If
not,
> you may have experienced power problems....
>
> Peter Slam wrote:
> > Hi!
> >
> > My server shut downs unexpected randomly. Evend log only shows "Last
> > shutdown was unspected".
> > I checked everythink, and i changed switch, cable and ... computer! I
> > changed computer 2 times, and network card! I applied registry
> > recomendations of microsoft to improve TCP security.And the problem
> > persist! Theres is a expert people here (MCP, MVP) without answer for
> > this question.
> >
> > My computer has a public IP, but is behind a firewall, and only with
> > open TCP ports to a custom application. (this application was working
> > fine for 6 months).
> >
> > The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> > MALFORMED OR SOME KIND OF TCP PACKETS?
> >
> > Thank you in advance!!!!!
> >
> > Pet.
> > to msoft people: if you think that this can be a bug of tcp/ip stack,
> > and do you want to analyze it, i can offer to you to take full
> > control over this server.
>
>

More information:

Application reports "Failed to call socket() function. ret value:
INVALID_SOCKET".

What do you think?

THANK YOU IN ADVANCE!

Pet.

"Peter Slam" <(E-Mail Removed)> wrote in message
news:uPKX%23Ir%(E-Mail Removed)...
> Hi!
>
> My server shut downs unexpected randomly. Evend log only shows "Last
> shutdown was unspected".
> I checked everythink, and i changed switch, cable and ... computer! I
> changed computer 2 times, and network card! I applied registry
> recomendations of microsoft to improve TCP security.And the problem
persist!
> Theres is a expert people here (MCP, MVP) without answer for this
question.
>
> My computer has a public IP, but is behind a firewall, and only with open
> TCP ports to a custom application. (this application was working fine for
6
> months).
>
> The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
MALFORMED
> OR SOME KIND OF TCP PACKETS?
>
> Thank you in advance!!!!!
>
> Pet.
> to msoft people: if you think that this can be a bug of tcp/ip stack, and
do
> you want to analyze it, i can offer to you to take full control over this
> server.
>
>
>

does the invalid socket error always occur in conjunction with the
unexpected shutdown?

"Peter Slam" <(E-Mail Removed)> wrote in message
news:OWoUm5v%(E-Mail Removed)...
> More information:
>
> Application reports "Failed to call socket() function. ret value:
> INVALID_SOCKET".
>
> What do you think?
>
> THANK YOU IN ADVANCE!
>
> Pet.
>
> "Peter Slam" <(E-Mail Removed)> wrote in message
> news:uPKX%23Ir%(E-Mail Removed)...
> > Hi!
> >
> > My server shut downs unexpected randomly. Evend log only shows "Last
> > shutdown was unspected".
> > I checked everythink, and i changed switch, cable and ... computer! I
> > changed computer 2 times, and network card! I applied registry
> > recomendations of microsoft to improve TCP security.And the problem
> persist!
> > Theres is a expert people here (MCP, MVP) without answer for this
> question.
> >
> > My computer has a public IP, but is behind a firewall, and only with
open
> > TCP ports to a custom application. (this application was working fine
for
> 6
> > months).
> >
> > The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> MALFORMED
> > OR SOME KIND OF TCP PACKETS?
> >
> > Thank you in advance!!!!!
> >
> > Pet.
> > to msoft people: if you think that this can be a bug of tcp/ip stack,
and
> do
> > you want to analyze it, i can offer to you to take full control over
this
> > server.
> >
> >
> >
>
>

Peter,

Having just stumbled across your threadI'm shooting in the dark, but I'll
hit one thing you've probably checked...your NIC drivers.
I'm guessing you have recently installed Windows 2000 Service Pack 4 (this
would explain all the empty logs...
http://support.microsoft.com/default...roduct=win2000).
If your NIC drivers were originally OEM (manufacturer-labeled, for example,
Dell branded drivers for embedded 3COM cards), the Service Pack installation
could have overwritten those drivers with Microsoft native-Windows 2000
drivers. This could account for your noted blue-screen event.

I'll also hit one thing you may not have checked, in your local security
policy...
Do you have "Shut down system immediately if unable to log security audits"
enabled (this is found in Local policies...Security Options)? If you are
auditing improperly (generating enough events to exceed the max size of your
security log and not allowing those events to be overwritten), your Security
Log could be filling up and shutting down your system. The aforementioned
Service Pack 4 installation could be causing this issue...assuming you
installed SP 4, your event logs may (likely are) being corrupted and while
appearing empty, one or more are actually full. The corruption could be
preventing entries from being written and the abve mentioned security
setting could be shutting you down when you reach an event logging
threshhold.

I realize this may be a bit esoteric, but it sounds like you are looking for
unusual explanations at this point. I will say that I've never heard of
anyone attacking a system in the fashion your describing, so I would think
something malicious would still be far down the list of suspects (almost to
the point of only if it is the only answer left).

Charlie


"Peter Slam" <(E-Mail Removed)> wrote in message
news:ezBCTRt%(E-Mail Removed)...
> Marc,
>
> System, Application and Security event logs are EMPTY!
> In one of the machines tested, one time is see a "bluescreen" with NDIS
> error before restart.
>
> There is a patch to make more secure TCP/IP stack? (even if this is
> expeerimental or in beta stage, i will try it!)
>
> Thanks,
>
> Pet.
>
>
> "Marc Reynolds [MSFT]" <(E-Mail Removed)> wrote in message
> news:edGWEEt%(E-Mail Removed)...
> > It is possible, but only one possiblity. Before you start goijng down
the
> > network attack path, check your System, Application and Security event
> logs
> > for ANY recent event errors that may give you some type of a clue to
what
> > may have caused the shutdown.
> >
> > --
> >
> > Thanks,
> > Marc Reynolds
> > Microsoft Technical Support
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> >
> > "Peter Slam" <(E-Mail Removed)> wrote in message
> > news:uPKX#Ir#(E-Mail Removed)...
> > > Hi!
> > >
> > > My server shut downs unexpected randomly. Evend log only shows "Last
> > > shutdown was unspected".
> > > I checked everythink, and i changed switch, cable and ... computer! I
> > > changed computer 2 times, and network card! I applied registry
> > > recomendations of microsoft to improve TCP security.And the problem
> > persist!
> > > Theres is a expert people here (MCP, MVP) without answer for this
> > question.
> > >
> > > My computer has a public IP, but is behind a firewall, and only with
> open
> > > TCP ports to a custom application. (this application was working fine
> for
> > 6
> > > months).
> > >
> > > The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> > MALFORMED
> > > OR SOME KIND OF TCP PACKETS?
> > >
> > > Thank you in advance!!!!!
> > >
> > > Pet.
> > > to msoft people: if you think that this can be a bug of tcp/ip stack,
> and
> > do
> > > you want to analyze it, i can offer to you to take full control over
> this
> > > server.
> > >
> > >
> > >
> >
> >
>
>

Yes! First all connections to system fails (RCP, my application, ...etc),
and then, in a few minuts, systems restarts.

What can i do!!!

"Dave" <(E-Mail Removed)> wrote in message
news:%23nb%23UQw%(E-Mail Removed)...
> does the invalid socket error always occur in conjunction with the
> unexpected shutdown?
>
> "Peter Slam" <(E-Mail Removed)> wrote in message
> news:OWoUm5v%(E-Mail Removed)...
> > More information:
> >
> > Application reports "Failed to call socket() function. ret value:
> > INVALID_SOCKET".
> >
> > What do you think?
> >
> > THANK YOU IN ADVANCE!
> >
> > Pet.
> >
> > "Peter Slam" <(E-Mail Removed)> wrote in message
> > news:uPKX%23Ir%(E-Mail Removed)...
> > > Hi!
> > >
> > > My server shut downs unexpected randomly. Evend log only shows "Last
> > > shutdown was unspected".
> > > I checked everythink, and i changed switch, cable and ... computer! I
> > > changed computer 2 times, and network card! I applied registry
> > > recomendations of microsoft to improve TCP security.And the problem
> > persist!
> > > Theres is a expert people here (MCP, MVP) without answer for this
> > question.
> > >
> > > My computer has a public IP, but is behind a firewall, and only with
> open
> > > TCP ports to a custom application. (this application was working fine
> for
> > 6
> > > months).
> > >
> > > The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> > MALFORMED
> > > OR SOME KIND OF TCP PACKETS?
> > >
> > > Thank you in advance!!!!!
> > >
> > > Pet.
> > > to msoft people: if you think that this can be a bug of tcp/ip stack,
> and
> > do
> > > you want to analyze it, i can offer to you to take full control over
> this
> > > server.
> > >
> > >
> > >
> >
> >
>
>

Charlie,

Thank you very much for your answer.

I tried 3 diferent computer with 3 diferent network cards.
Event log is in "Overwrite when necessary" mode, but is not full.
I will check again drivers and Local policies, but every time, a few minutes
before system shutdown or restart, every connection to comuter fails (RCP,
my application, ...etc).
I changed switch, cable, power line and source, computer, network
card....all!
The only think that is the same is ... IP address.
And my aplication reports "Failed to call socket() function. ret
value:INVALID_SOCKET" a few minutes before shutdown or restart (this
application was working fine for 6 months until now).

There is a debug tool to show buffers or other internal values of TCP/IP
stack?

Thank you.

Pet.

"Charles Otstot" <(E-Mail Removed)> wrote in message
news:uLKhWgw%(E-Mail Removed)...
> Peter,
>
> Having just stumbled across your threadI'm shooting in the dark, but I'll
> hit one thing you've probably checked...your NIC drivers.
> I'm guessing you have recently installed Windows 2000 Service Pack 4 (this
> would explain all the empty logs...
>
http://support.microsoft.com/default...roduct=win2000).
> If your NIC drivers were originally OEM (manufacturer-labeled, for
example,
> Dell branded drivers for embedded 3COM cards), the Service Pack
installation
> could have overwritten those drivers with Microsoft native-Windows 2000
> drivers. This could account for your noted blue-screen event.
>
> I'll also hit one thing you may not have checked, in your local security
> policy...
> Do you have "Shut down system immediately if unable to log security
audits"
> enabled (this is found in Local policies...Security Options)? If you are
> auditing improperly (generating enough events to exceed the max size of
your
> security log and not allowing those events to be overwritten), your
Security
> Log could be filling up and shutting down your system. The aforementioned
> Service Pack 4 installation could be causing this issue...assuming you
> installed SP 4, your event logs may (likely are) being corrupted and while
> appearing empty, one or more are actually full. The corruption could be
> preventing entries from being written and the abve mentioned security
> setting could be shutting you down when you reach an event logging
> threshhold.
>
> I realize this may be a bit esoteric, but it sounds like you are looking
for
> unusual explanations at this point. I will say that I've never heard of
> anyone attacking a system in the fashion your describing, so I would think
> something malicious would still be far down the list of suspects (almost
to
> the point of only if it is the only answer left).
>
> Charlie
>
>
> "Peter Slam" <(E-Mail Removed)> wrote in message
> news:ezBCTRt%(E-Mail Removed)...
> > Marc,
> >
> > System, Application and Security event logs are EMPTY!
> > In one of the machines tested, one time is see a "bluescreen" with NDIS
> > error before restart.
> >
> > There is a patch to make more secure TCP/IP stack? (even if this is
> > expeerimental or in beta stage, i will try it!)
> >
> > Thanks,
> >
> > Pet.
> >
> >
> > "Marc Reynolds [MSFT]" <(E-Mail Removed)> wrote in message
> > news:edGWEEt%(E-Mail Removed)...
> > > It is possible, but only one possiblity. Before you start goijng down
> the
> > > network attack path, check your System, Application and Security event
> > logs
> > > for ANY recent event errors that may give you some type of a clue to
> what
> > > may have caused the shutdown.
> > >
> > > --
> > >
> > > Thanks,
> > > Marc Reynolds
> > > Microsoft Technical Support
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > >
> > >
> > > "Peter Slam" <(E-Mail Removed)> wrote in message
> > > news:uPKX#Ir#(E-Mail Removed)...
> > > > Hi!
> > > >
> > > > My server shut downs unexpected randomly. Evend log only shows "Last
> > > > shutdown was unspected".
> > > > I checked everythink, and i changed switch, cable and ... computer!
I
> > > > changed computer 2 times, and network card! I applied registry
> > > > recomendations of microsoft to improve TCP security.And the problem
> > > persist!
> > > > Theres is a expert people here (MCP, MVP) without answer for this
> > > question.
> > > >
> > > > My computer has a public IP, but is behind a firewall, and only with
> > open
> > > > TCP ports to a custom application. (this application was working
fine
> > for
> > > 6
> > > > months).
> > > >
> > > > The question is this: IS POSSIBLE TO HANG A WIN200 COMPUTER WITH A
> > > MALFORMED
> > > > OR SOME KIND OF TCP PACKETS?
> > > >
> > > > Thank you in advance!!!!!
> > > >
> > > > Pet.
> > > > to msoft people: if you think that this can be a bug of tcp/ip
stack,
> > and
> > > do
> > > > you want to analyze it, i can offer to you to take full control over
> > this
> > > > server.
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>