Need help: Port 445 flood

Discussion in 'Server Security' started by Ron King, Sep 13, 2004.

  1. Ron King

    Ron King Guest

    Hi,
    We have a server that is sending packets via port 445 to random server
    addresses. Have scanned and scanned for viruses with Trend Micro SPNT 5.58
    with latest CPR virus signature and have found nothing. Have scanned with
    spy bot and ad-aware and have found nothing. We find no unneeded or
    unfamiliar processes running, or no unneeded or unfamilar entry in the run
    or run once registry. We have blocked port 445 to the outside, so these
    floods are not reaching anyone. And it has not had an adverse effect on our
    network, as of yet. But we would really like to find the cause and put a
    stop to it. Any ideas would be greatly appreciated!

    Thanks in advance,
    Ron King
    CCSI
     
    Ron King, Sep 13, 2004
    #1

  2. Download some free tools from SysInternals - TCPView, Process Explorer, Autoruns, and
    Filemon. Start with TCPView which should show the process and executable associated
    with the port use. Process Explorer will give a lot more detail of processes if you
    look in the properties of the process possibly including related services which is
    helpful as many times svchost is the process or executable detected which can
    represent several services. Autoruns will show much more detail what
    processes/applications are initiated with computer startup. Filemon will display live
    time file access. Another thing that may work is to install a personal firewall on
    that server such as Sygate [free to try] and then when you boot it up after install
    it will prompt you for permissions to access the network for a process which the
    rogue process would probably do in short order.

    If you identify a process/executable you can search Google or the antivirus
    vendor's websites for any possible info which may or may not help depending on if it
    is a randomly generated name. Also if you find something contact Trend Micro with
    your results for advice on what to do. Note that if you have a "root kit" infection
    that it will be hidden from normal means of detection such as using built in tools
    such as Task Manager to view processes. However if you scan the problem computers
    processes remotely from a clean machine you should find the rogue process by
    comparing to the locally run process list. I am not sure if Process Explorer can detect
    root kit processes but SysInternals has PsList that can scan processes remotely. ---
    Steve

    http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
    http://www.sysinternals.com/ntw2k/source/tcpview.shtml
     
    Steven L Umbach, Sep 14, 2004
    #2
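The two checks Steve describes (map the port-445 traffic to its owning process, then compare a process list taken from a clean machine against the local one to spot anything a rootkit hides) can be scripted. The following is an added example, not code from this thread or from SysInternals: it parses the text output of the built-in `netstat -ano` and `tasklist /svc` commands, using constructed sample output embedded below so it runs offline. The second listing stands in for the remote view PsList would give; it is formatted like `tasklist /svc` purely for simplicity, since PsList's real column layout differs. All hostnames, PIDs and service names in the samples are made up.

```python
"""Attribute outbound port-445 activity to a process and flag PIDs hidden locally.

Added example: parses constructed `netstat -ano` and `tasklist /svc` text so the
logic can be exercised without a live host.
"""
import re
from collections import defaultdict

# Constructed `netstat -ano` output (not captured from a real machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:1054        198.51.100.7:445       SYN_SENT        1488
  TCP    192.0.2.10:1055        203.0.113.99:445       SYN_SENT        1488
  TCP    192.0.2.10:1056        198.51.100.42:445      SYN_SENT        1488
  TCP    192.0.2.10:3389        192.0.2.25:2071        ESTABLISHED     1012
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output as seen ON the suspect host.
LOCAL_TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    812 RpcSs
svchost.exe                   1012 TermService
svchost.exe                   1488 NetDDE, ExampleSvc
explorer.exe                  1632 N/A
"""

# Constructed listing of the same host taken FROM a clean machine (one extra PID).
REMOTE_LISTING_SAMPLE = LOCAL_TASKLIST_SAMPLE + "hideme.exe                    2040 N/A\n"

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Return one dict per connection row; remote_port is None for '*:*'."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        rows.append({"proto": proto, "local": local, "remote_host": host,
                     "remote_port": int(port) if port.isdigit() else None,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: (image_name, [hosted services])} from `tasklist /svc` text."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = TASKLIST_RE.match(line.rstrip())
        if not m:
            continue
        image, pid, svcs = m.groups()
        services = [] if svcs.strip() == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(pid)] = (image.strip(), services)
    return procs


def port_talkers(netstat_rows, procs, port=445):
    """Group connections to remote `port` by owning PID, with image and services.

    Listing the hosted services matters because svchost.exe alone says little.
    """
    by_pid = defaultdict(list)
    for r in netstat_rows:
        if r["remote_port"] == port:
            by_pid[r["pid"]].append(r["remote_host"])
    report = {}
    for pid, hosts in by_pid.items():
        image, services = procs.get(pid, ("<not in local listing>", []))
        report[pid] = {"image": image, "services": services,
                       "remote_hosts": sorted(set(hosts))}
    return report


def hidden_pids(local_procs, remote_procs):
    """PIDs present in the clean-machine view but absent from the local listing."""
    return sorted(set(remote_procs) - set(local_procs))


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    local = parse_tasklist(LOCAL_TASKLIST_SAMPLE)
    for pid, info in port_talkers(rows, local).items():
        print(f"PID {pid} {info['image']} services={info['services']} -> {info['remote_hosts']}")
    print("hidden from local listing:", hidden_pids(local, parse_tasklist(REMOTE_LISTING_SAMPLE)))
```

On a real host you would feed the script the saved output of `netstat -ano` and `tasklist /svc` (and a PsList run from another machine, after adjusting the parser to its columns). A PID that appears in the port-445 report but not in the local process listing, or any PID returned by `hidden_pids`, is exactly the case Steve warns about where a rootkit is filtering what local tools can see.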