Windows

I know that the SETI program sends data on 5517.

It could be a virus using HTTP tunneling on that port also.

What is the one link that is using 5517?

check if you have IIS or FTP enabled. With older Windows Server Software this was on by default, without password protection, so someone could have started using your Server as an IIS or ftp server for his own purpose.

I know IIS is installed, I assume it's running.

We had a problem, not being able to download anything after upgrading the Symantec AV and it's taken me a couple of weeks to resolve this. I found that larger downloads were timing out before they could complete and even Trace Route would quite often time out, that's how I got onto the link traffic.

I can download small files from ftp sites, so I assume ftp is enabled too.

The server does need a password to log into it though.

What version of Symantec Antivirus did you install? Are you using the Corporate Edition, and if so, what components - i.e., desktop, server, Exchange, gateway, etc.? Also, how is it configured in terms of updating virus definitions and reporting viruses to SARC?

Some of this info would help alot either to identify what is going on with SAV, or eliminate it as a possible cause of the problem.

I upgraded to Symantec Corp AV 9.0 from 8.6
And Mail Security 4.5 from 4.0
The Server is running Windows 200 SBS with Exchange 2000 Std
All MS critical updates applied.
SUS cannot retrieve MS updates ? Times out. So downloading them manually.
Live Update currently won?t work either ? Times out, so I am using the Symantec Batch file to update on a daily basis. Everything is up to date except for the Avenge 1.5 definitions.
SARC ???

Dave

geez umm do you have ISA 2000 installed on your SBS 2000 box? If so, thats part of your problem with SUS and AV downloads from Symantec. Had the same problems year or so ago [couple years now].

I doubt very seriously that Norton Corporate is chewing up your bandwidth and though SUS can when you first try to sync with the Catalog server [took us more than a couple of hours with a DSL connection], doesnt sound like the problem.

Why don't you do a capture on the external NIC out to see whats coming and going? use the Netmon tools with SBS 2000.

It's Data FROM our Server that is at a constant high level. Data TO our Server is average, so I don't think it's SUS, unless it's constantly requesting, but I don't think that would use up all the bandwidth ?

If I knew exactly what was being downloaded from our server, it might give me a clue as to how to stop it ?

again, I'll say that you need to sniff some packets or do a netstat on the external interface and see whats active.

look at exchange SMTP virtual server and see whats in the SMTP connector queue or POP 3 if you use POP 3. Large unknown data going out all the time with Exchange up is a usual suspect of hyjacking.

Not at work right now - 11:30pm UK time.

I will try what you suggest in the morning, but the ISP did say there was no SMTP traffic, just general Web Traffic & this one port 5517 active.

Also the server only has one NIC and I understood that ISA can't be used if you only have one NIC in it ?