Windows 2000 server reboot shortly after portscan by lan pc


ray breen

Hi Guys,

got a weird problem and all I can do is try to solve it
from a technical angle as senior management ain't delaying
with the reason.

Basically one of the members of staff has been browsing
on 'dodgy sites' and has downloaded something to his PC
that is scanning the whole LAN at intermittent intervals,
and shortly thereafter our Windows 2000 server is either
being rebooted or shut down. I have gone to the extreme
measure of having to firewall each user's PC so at least
they do not go down, but cannot do this to the Windows 2000
server for obvious reasons.

The server has all the latest updates installed, along
with the users' PCs. This has happened innumerable times and
after rebuilding his PC, the problem goes away until he
decides to browse the 'sites' again.

The ports that are scanned are to do with NetBIOS over
TCP/IP, which I cannot disable due to other services being
dependent upon them. Ports 139 and 445 are both scanned,
so all I can assume is that some information is available
via these ports that causes the server to be rebooted.

There is nothing in any of the log files or any other
record of the reboot, so it's very difficult to narrow down the
exact cause.

Does anyone have any thoughts?

Cheers

Ray

Karl Levinson [x y] mvp

Unplug that computer immediately and [eventually] format it. I would want
to inspect it before formatting it, and/or interview the person doing the
downloading, to try to determine why this happened, what exactly was done,
what to look for and how to prevent it from happening again.

It could be a virus, like Welchia / Nachi. Update the antivirus and run a
scan. http://housecall.antivirus.com might be a good idea for a second
opinion scan. Also you could run MBSA free from Microsoft in HFNETCHK mode
to confirm that all patches were installed correctly.

Here are some things that might help you determine what files are causing
the problem:

http://securityadmin.info/faq.asp#hacked
www.cert.org/tech_tips/
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

For example, a free firewall such as www.sygate.com or www.kerio.com that
lets you inspect traffic and see what exe is generating it, fport or vision
free from www.foundstone.com/knowledge, the free filemon and regmon and
process explorer from www.sysinternals.com, the free SIM from www.gfi.com,
etc.

Once you get the files, if antivirus is not detecting them as anything
malicious, submit them to one or more antivirus vendors, and inspect the
files using Notepad or a program from www.foundstone.com/knowledge or
www.sysinternals.com that will let you look at text "strings" in the files.
If questions, post them here.
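As an added example (not code from either poster), here is a small script that does the first thing Karl's advice needs before any of the tools above get pointed at a box: pick the scanning host out of the per-PC firewall logs Ray already has. It reads a constructed, generic "date time src dst port action" log format (an assumption; real Sygate/Kerio logs need their own parser) and flags any source that touches several distinct hosts on 139 or 445 inside a short window, which is the NetBIOS/SMB sweep pattern described in the thread. The threshold and window are assumed defaults, not values from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). One line per connection
# attempt: "<date> <time> <src_ip> <dst_ip> <dst_port> <action>", loosely
# modelled on a per-host personal firewall's traffic log. 192.168.1.57 is
# the suspect workstation, 192.168.1.2 the server, 192.168.1.20 a normal user.
SAMPLE_LOG = """\
2004-03-02 10:14:30 192.168.1.20 192.168.1.2 445 ALLOWED
2004-03-02 10:15:01 192.168.1.57 192.168.1.2 139 BLOCKED
2004-03-02 10:15:01 192.168.1.57 192.168.1.2 445 BLOCKED
2004-03-02 10:15:01 192.168.1.57 192.168.1.3 139 BLOCKED
2004-03-02 10:15:02 192.168.1.57 192.168.1.4 139 BLOCKED
2004-03-02 10:15:02 192.168.1.57 192.168.1.5 445 BLOCKED
2004-03-02 10:15:03 192.168.1.57 192.168.1.6 139 BLOCKED
2004-03-02 10:15:04 192.168.1.57 192.168.1.7 445 BLOCKED
2004-03-02 10:15:05 192.168.1.57 192.168.1.8 139 BLOCKED
2004-03-02 10:15:06 192.168.1.57 192.168.1.2 80 BLOCKED
2004-03-02 10:40:12 192.168.1.20 192.168.1.2 445 ALLOWED
2004-03-02 11:02:55 192.168.1.20 192.168.1.9 139 ALLOWED
"""

# The two ports the thread says are being swept (NetBIOS session, SMB over TCP).
NETBIOS_SMB_PORTS = {139, 445}


def parse_line(line):
    """Parse one log line; return (timestamp, src, dst, port, action) or None."""
    parts = line.split()
    if len(parts) != 6:
        return None  # blank line or a line in some other format: skip it
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[2], parts[3], int(parts[4]), parts[5]


def find_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Flag sources that hit >= min_targets distinct hosts on 139/445 within `window`.

    Returns {src_ip: {"first_seen": datetime, "targets": set(dst_ip)}}.
    Ordinary file-server use touches one or two hosts over an hour; a sweep
    touches many hosts in seconds, which is what the sliding window catches.
    """
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, _action = rec
        if port in NETBIOS_SMB_PORTS:
            events[src].append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()  # time order, so the window below is contiguous
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                info = scanners.setdefault(
                    src, {"first_seen": evs[start][0], "targets": set()})
                info["targets"] |= targets
    return scanners


def report(log_text):
    """Human-readable summary, one line per flagged source."""
    lines = []
    for src, info in sorted(find_scanners(log_text).items()):
        lines.append("%s swept %d hosts on 139/445 starting %s" % (
            src, len(info["targets"]), info["first_seen"]))
    return "\n".join(lines) or "no 139/445 sweep found"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The "first_seen" timestamp is the useful output: it is what to line up against the server's System event log (an unexpected shutdown is recorded there as Event ID 6008, with the time of the previous shutdown) to confirm the scan actually precedes each reboot, which is the correlation Ray is missing.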