Security Incidents mailing list archives

Re: Web server crashed, now is trying to contact an IP by port 80 every morning.


From: "lsi" <stuart () cyberdelix net>
Date: Tue, 25 Feb 2003 00:30:29 -0000

Hi Dan,

I'd monitor which process initiates the transfer by using a program such as FPORT.

http://www.mamma.com/Mamma?timeout=4&lang=1&affiliate_id=9282&query=fport

Then you can terminate the process and delete the executable, etc.

If you can't terminate the process because it has SYSTEM privileges, start the Task Manager with an AT
command (set it for two minutes into the future). Task Manager will then also be running as SYSTEM, and
allow you to kill the process.

Cheers for now.
Stuart

On 23 Feb 2003 at 21:20, Dan Harpold wrote:

Subject:                Web server crashed, now is trying to contact an IP by port 80 every morning.
Date sent:              Sun, 23 Feb 2003 21:20:01 -0600
From:                   "Dan Harpold" <danharp () SeaburyTech com>
To:                     <incidents () seacurityfocus com>

My web server crashed the other day. Got a blue screen and on reboot
NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K
Server with IIS 5 and current service packs. It sits in a DMZ.

Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is
trying to contact an outside server via HTTP. The external request,
which is being blocked by my firewall, is trying to go to 64.0.96.14. It
logs about fifteen attempts over the next ten seconds, then doesn't
appear until the next morning.

Any thoughts?

Dan 





-- 
Stuart Udall
stuart () cyberdelix net - http://www.cyberdelix.net/
..revolution through evolution

want to make some cash? check out http://cyberdelix.net/affiliates.htm
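
Added example (not part of either poster's message): the reply's advice is to find which process owns the outbound connection. The sketch below does the same port-to-process mapping by parsing `netstat -ano` output saved during the burst window. It assumes a Windows version whose netstat supports `-o`. The sample snapshot is constructed, and every address and PID in it other than 64.0.96.14 is made up.

```python
import re
from collections import Counter

# Constructed sample: `netstat -ano` output captured during the burst window.
# Addresses other than 64.0.96.14 and all PIDs are made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    10.0.0.5:80            203.0.113.7:51234      ESTABLISHED     4
  TCP    10.0.0.5:1045          64.0.96.14:80          SYN_SENT        1712
  TCP    10.0.0.5:1046          64.0.96.14:80          SYN_SENT        1712
  TCP    10.0.0.5:1047          198.51.100.9:443       ESTABLISHED     2200
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1000
"""

# TCP rows have five fields; UDP rows have no state column and are skipped.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def outbound_to(netstat_text, remote_ip, remote_port):
    """Return (pid, local_endpoint, state) for each TCP row aimed at the target."""
    hits = []
    for line in netstat_text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        local, foreign, state, pid = m.groups()
        host, port = split_endpoint(foreign)
        if host == remote_ip and port == str(remote_port):
            hits.append((int(pid), local, state))
    return hits

def pids_by_attempts(netstat_text, remote_ip, remote_port):
    """Count matching connections per owning PID, busiest first."""
    hits = outbound_to(netstat_text, remote_ip, remote_port)
    return Counter(pid for pid, _, _ in hits).most_common()

if __name__ == "__main__":
    for pid, n in pids_by_attempts(SAMPLE_NETSTAT, "64.0.96.14", 80):
        print(f"PID {pid}: {n} connection(s) to 64.0.96.14:80")
```

Because the attempts last only about ten seconds, the snapshot has to be taken inside that window, for example by a scheduled job that writes netstat output to a file just after midnight. Connections blocked at the firewall still appear on the host in the SYN_SENT state.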

