[wplug] Need help...
Chris
vze2f6h6 at verizon.net
Thu Apr 3 10:15:27 EST 2003
> What is each server doing? Which is the web server, which is the
> firewall, what programs and versions are they running for their
> critical functions?
1 W2K AS, runs primarily Exchange 5.5
1 W2K AS, runs IIS 5.0
1 NT 4.0, runs our Back Office DB
1 NT 4.0, Shares, Fax system
1 RH running Intranet site with MySQL backend
Sonicwall firewall appliance
> On which machine? What kind of firewall is this? Version of software?
It is an appliance
> So the problem is that you had excessive OUTGOING traffic from your
> network to the world.
Yes, it's flooding our firewall.
> Which is which? If the webserver is a W2K machine running IIS, well, uh,
> sorry.
The webserver is a W2K machine.
> No, reboots don't fix anything.
The server was off. I rebooted the firewall.
> So the server that was sending all this junk DID NOT report the
> connections with a local netstat? Sounds bad. Try burning a known-good
> copy of fport.exe from Foundstone and execute it *from the CD* of that
> server. Still nothing?
I will try that.
> Unless it's in a position that is able to monitor your entire network
> (e.g. doing routing/NAT for your clients), I don't think so. If the
> network is not switched and you just use hubs, you can leave a sniffer
> running on the RH box and the next time you get strange traffic you can
> analyze the packets and see if they contain any strings that seem to be
> looking for M$ vulnerabilities.
We do not use any hubs, and the RH box doesn't do any NATing. It is
something that I can set up if it persists and I am not coming up with
anything else.
Hope this helps. Sorry for the lack of info the first time.
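The sniffer approach suggested above (capture on the RH box, then work out which internal host is generating the outbound flood, independently of what the suspect machine's own netstat claims) can be reduced to a small script. This is an added example, not code from the thread or from any of the tools it mentions; it assumes the capture was taken with `tcpdump -n` and that the LAN is 192.168.1.0/24, and the capture lines it parses are constructed for illustration.

```python
"""Added example (not from the original thread): find the internal host
that is flooding outbound, from a tcpdump-style capture taken on a
segment where the capturing box can see all traffic.

Assumptions (mine, not stated on the list): the capture is `tcpdump -n`
one-line TCP summaries and the internal range is 192.168.1.0/24.
The sample lines below are constructed, not real traffic.
"""
import ipaddress
import re
from collections import Counter, defaultdict

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample of `tcpdump -n` TCP summary lines.
SAMPLE_CAPTURE = """\
10:15:27.000101 IP 192.168.1.20.1025 > 198.51.100.7.80: Flags [S], seq 1, win 8192, length 0
10:15:27.000202 IP 192.168.1.20.1026 > 198.51.100.8.80: Flags [S], seq 2, win 8192, length 0
10:15:27.000303 IP 192.168.1.20.1027 > 198.51.100.9.80: Flags [S], seq 3, win 8192, length 0
10:15:27.000404 IP 192.168.1.20.1028 > 198.51.100.10.80: Flags [S], seq 4, win 8192, length 0
10:15:27.000505 IP 192.168.1.20.1029 > 198.51.100.11.80: Flags [S], seq 5, win 8192, length 0
10:15:27.000606 IP 192.168.1.20.1030 > 198.51.100.12.80: Flags [S], seq 6, win 8192, length 0
10:15:27.010000 IP 192.168.1.30.3100 > 198.51.100.50.25: Flags [S], seq 7, win 8192, length 0
10:15:27.020000 IP 203.0.113.9.40000 > 192.168.1.10.80: Flags [S], seq 8, win 8192, length 0
10:15:27.030000 IP 192.168.1.10.80 > 203.0.113.9.40000: Flags [S.], seq 9, ack 9, win 8192, length 0
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield one dict per TCP summary line that tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def outbound_syns(text):
    """Count new outbound connection attempts (initial SYN only) per internal host.

    A host whose own netstat shows nothing but which appears here with a
    large count is the one to take off the wire and examine."""
    counts = Counter()
    targets = defaultdict(set)
    for pkt in parse_capture(text):
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        # Only LAN -> outside, and only the opening SYN ("S", not "S." which is SYN/ACK).
        if src in INTERNAL_NET and dst not in INTERNAL_NET and pkt["flags"] == "S":
            counts[str(src)] += 1
            targets[str(src)].add(str(dst))
    return counts, targets


def flag_flooders(text, syn_threshold=5):
    """Return internal hosts whose outbound SYN count exceeds the threshold."""
    counts, _ = outbound_syns(text)
    return sorted(h for h, n in counts.items() if n > syn_threshold)


if __name__ == "__main__":
    counts, targets = outbound_syns(SAMPLE_CAPTURE)
    for host, n in counts.most_common():
        print(f"{host}: {n} outbound SYNs to {len(targets[host])} distinct hosts")
    print("suspects:", flag_flooders(SAMPLE_CAPTURE))
```

The threshold is deliberately low for the constructed sample; on a real capture it would be set from a baseline of normal outbound connection rates. The script only sees what reaches the capturing interface, so on a switched network (as the reply above says this one is) the RH box would need a mirror/span port, or the capture would need to be taken on the firewall side, for this view to be complete.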