Broadcasting Traffic

venkatesh

Hi,
I have a Windows 2000 Server machine which we use as
both web server & FTP server. For the past 2 days it has been
generating traffic. It keeps on uploading something, and
consumes all our internet bandwidth. I installed many
fixes and updates, but it's of no use. I tried using the
command $netstat -a, which showed a lot of established
connections and more than 1000 ports which were opened
automatically and were in "LISTENING" state. What should
I do now? Please help me to sort this issue. Please mail
to (e-mail address removed)
 
andy smart


venkatesh wrote:
| Hi,
| I have a Windows 2000 Server machine which we use as
| both web server & FTP server. For the past 2 days it has been
| generating traffic. It keeps on uploading something, and
| consumes all our internet bandwidth. I installed many
| fixes and updates, but it's of no use. I tried using the
| command $netstat -a, which showed a lot of established
| connections and more than 1000 ports which were opened
| automatically and were in "LISTENING" state. What should
| I do now? Please help me to sort this issue. Please mail
| to (e-mail address removed)

Uploading what to where? You mention 'fixes and updates' but does that
include Anti-Virus and/or Anti-Spyware?
 
Guest

I don't know what it is uploading, but it's generating
something out. How could I track what and where it is
uploading? I have already installed the latest service pack
and security patches to Windows 2000. I have also
installed anti-virus but not anti-spyware.
 
PC

Ethereal is a great product used to analyse incoming and outgoing network
traffic.

Download it here http://www.ethereal.com/

Do you have a firewall installed on the network or on this machine? Also,
have you an up-to-date virus scanner installed?

If you don't have a virus scanner - you should get one. In the mean time you
can perform a free scan here http://housecall.trendmicro.com/
 
Guest

Hi,

Thanks for the Ethereal suggestion. I have got an antivirus
scanner and it is up to date. I scanned for viruses
and it did not show any infection. Still the server is
broadcasting something; I can view the full utilisation
of this server in the router. Please tell me what I should do
now.
 
andy smart


(e-mail address removed) wrote:
| Hi,
|
| Thanks for the Ethereal suggestion. I have got an antivirus
| scanner and it is up to date. I scanned for viruses
| and it did not show any infection. Still the server is
| broadcasting something; I can view the full utilisation
| of this server in the router. Please tell me what I should do
| now.

Did you download Ethereal? If you use it you could see where your
network traffic was going and that might give you some clues as to what
is going on. Have you checked to make sure that there are no mystery
programs running on your server?
 
Guest

Hi guys,

Thank you very much for your help. I have downloaded
Ethereal and now I am monitoring; will get back soon.
I use Norton Antivirus in my office. I scanned for
viruses and it did not show anything. As per your
instruction I went to http://housecall.trendmicro.com/ and
scanned my server. It is currently showing some
trojans and is still scanning. I guess this might
solve the problem. I once again thank you very much for
sparing your valuable time for me.
 
Steven L Umbach

For future reference you can also use free tools such as TCPView, Process Explorer,
and Autoruns from SysInternals to get port-to-process mappings. Process Explorer will
give much more detailed info on processes, while Autoruns will show the startup programs
configured on your computer.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

You also need to take steps to harden your computer from future problems and a clean
install is the best place to start from but that is your decision. The links below
will be helpful. Be sure to use complex passwords on your server, and use the IIS
Lockdown tool after backing up the server including the System State and the IIS
configuration as you can in the IIS Management Console. --- Steve

http://www.microsoft.com/technet/security/guidance/avdind_0.mspx
http://www.microsoft.com/downloads/...c0-bb30-47eb-9a61-fd755d23cdec&displaylang=en
http://www.microsoft.com/technet/security/chklist/w2ksvrcl.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx
 
Guest

In addition to the advice you've already gotten, I recommend you also
consider these steps:

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#startup
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

In particular, PSlist / PStools from www.sysinternals.com and Fport / Vision
from www.foundstone.com/knowledge can tell you what executables are listening
on which ports. Any personal firewall like the free www.kerio.com,
www.sygate.com and www.zonealarm.com will tell you what executable generated
outbound traffic. Ethereal is a great tool especially for advanced users or
where you don't have firewall logs, but these other tools are ones I would
use first.

At this point, you should determine how you were hacked and how to prevent
it from happening again, but after doing that, you might need to consider
whether you should format and reinstall and fully harden the computer after
that, using the instructions above and the info you learned from your
investigation.
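The original question rests on netstat output (many established connections and over a thousand listening ports), and the last two answers point at TCPView, Fport and friends for mapping those ports to processes. The following Python script, added here as an example and not code from anyone in the thread, does that first triage step over a constructed netstat -ano sample: it parses each connection row, groups listening ports and established peers by owning PID, and flags PIDs that own an unusual number of either. The sample output, PIDs, addresses and thresholds are all constructed. The PID column (-o) exists in netstat from Windows XP/2003 on; on the Windows 2000 server in the thread the same mapping would come from TCPView or Fport, as the replies recommend.

```python
"""Triage `netstat -ano` output: which process owns each listening port,
and which processes hold the established connections eating the bandwidth.

Constructed sample data below; the line format follows Windows
`netstat -ano` (XP/2003 and later).  Windows 2000's netstat has no PID
column, so there the same port-to-process mapping comes from TCPView or
Fport, as recommended in the thread."""
import re
from collections import Counter, defaultdict

# Constructed sample: PID 1424 stands for the IIS worker (21/80), PID 812
# for RPC, PID 2288 for a hypothetical rogue process with several
# listeners and outbound connections to an IRC port and two remote FTP servers.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1424
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1424
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       2288
  TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING       2288
  TCP    0.0.0.0:3002           0.0.0.0:0              LISTENING       2288
  TCP    192.168.1.10:80        192.0.2.55:33012       ESTABLISHED     1424
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED     2288
  TCP    192.168.1.10:1046      198.51.100.23:21       ESTABLISHED     2288
  TCP    192.168.1.10:1047      198.51.100.24:21       ESTABLISHED     2288
  UDP    0.0.0.0:445            *:*                                    4
"""

# One connection row.  UDP rows carry no state, so that group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """'203.0.113.7:6667' -> ('203.0.113.7', '6667'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local_host, local_port = split_endpoint(m["local"])
        foreign_host, foreign_port = split_endpoint(m["foreign"])
        rows.append({
            "proto": m["proto"],
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": m["state"] or "",
            "pid": int(m["pid"]),
        })
    return rows


def summarize(rows, listen_threshold=3, conn_threshold=2):
    """Group listeners and established connections by PID and flag PIDs that
    own an unusual number of either.  Thresholds are deliberately low for the
    small sample; on a real server tune them against a known-good baseline."""
    listening = defaultdict(set)        # pid -> {local ports in LISTENING}
    outbound = defaultdict(Counter)     # pid -> Counter(foreign host)
    for r in rows:
        if r["state"] == "LISTENING":
            listening[r["pid"]].add(int(r["local_port"]))
        elif r["state"] == "ESTABLISHED":
            outbound[r["pid"]][r["foreign_host"]] += 1

    flagged = sorted(
        pid for pid in set(listening) | set(outbound)
        if len(listening.get(pid, ())) >= listen_threshold
        or sum(outbound.get(pid, Counter()).values()) >= conn_threshold
    )
    return {
        "total_listening": sum(len(p) for p in listening.values()),
        "listening_ports": {pid: sorted(p) for pid, p in listening.items()},
        "peers": {pid: sorted(c) for pid, c in outbound.items()},
        "flagged_pids": flagged,
    }


if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE_NETSTAT))
    print(f"{report['total_listening']} TCP listening ports")
    for pid in report["flagged_pids"]:
        print(f"PID {pid}: listens on {report['listening_ports'].get(pid, [])}, "
              f"talks to {report['peers'].get(pid, [])}")
```

The flagged PID is the one to look up in Process Explorer (image path, parent, loaded modules) and to compare against Autoruns output; a process that owns a block of listeners it has no business owning and holds connections to unrelated remote FTP servers is the pattern the thread's symptoms describe.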
 
