Server's Internet Link is being Hammered

By dfb
For the last couple of weeks, since I upgraded our Symantec AV, our Internet connection has seemed rather slow.

I have just discovered that our Server is constantly sending data to the Internet and using up all our Bandwidth!

Having spoken to our ISP, they are unable to tell me why or what is going on. They say there are several Std Web links, plus one link using port 5517 which they can't identify.

Does anyone know what might be going on and how to stop it?

I can supply more info if required

Regards, Dave

by BFilmFan In reply to Server's Internet Link is ...

I know that the SETI program sends data on 5517.

It could be a virus using HTTP tunneling on that port also.

What is the one link that is using 5517?

by rindi1 In reply to Server's Internet Link is ...

Check if you have IIS or FTP enabled. With older Windows Server Software this was on by default, without password protection, so someone could have started using your Server as an IIS or ftp server for his own purpose.

by dfb In reply to Server's Internet Link is ...

I know IIS is installed, I assume it's running.

We had a problem, not being able to download anything after upgrading the Symantec AV and it's taken me a couple of weeks to resolve this. I found that larger downloads were timing out before they could complete and even Trace Route would quite often time out, that's how I got onto the link traffic.

I can download small files from ftp sites, so I assume ftp is enabled too.

The server does need a password to log into it though.

by curlergirl In reply to Server's Internet Link is ...

What version of Symantec Antivirus did you install? Are you using the Corporate Edition, and if so, what components - i.e., desktop, server, Exchange, gateway, etc.? Also, how is it configured in terms of updating virus definitions and reporting viruses to SARC?

Some of this info would help a lot either to identify what is going on with SAV, or eliminate it as a possible cause of the problem.

by dfb In reply to Server's Internet Link is ...

I upgraded to Symantec Corp AV 9.0 from 8.6
And Mail Security 4.5 from 4.0
The Server is running Windows 2000 SBS with Exchange 2000 Std
All MS critical updates applied.
SUS cannot retrieve MS updates - Times out. So downloading them manually.
Live Update currently won't work either - Times out, so I am using the Symantec Batch file to update on a daily basis. Everything is up to date except for the Avenge 1.5 definitions.
SARC ???


by CG IT In reply to Server's Internet Link is ...

Geez umm do you have ISA 2000 installed on your SBS 2000 box? If so, that's part of your problem with SUS and AV downloads from Symantec. Had the same problems year or so ago [couple years now].

I doubt very seriously that Norton Corporate is chewing up your bandwidth and though SUS can when you first try to sync with the Catalog server [took us more than a couple of hours with a DSL connection], doesn't sound like the problem.

Why don't you do a capture on the external NIC out to see what's coming and going? Use the Netmon tools with SBS 2000.

by CG IT In reply to

Better yet, if it's going on right now, send everyone that has internet access an admin message that the Internet connection will be down for a half hour or so, unplug your Internet connection on your external NIC and then watch for errors that pop up in the Event viewer in application and security. If you have a security breach with an active program and you unplug the Internet connection, the appl will generate an error message into the event viewer. If you have ISA server installed [if you don't you should, it's free with SBS 2000] that can monitor your traffic and programs and give detailed reports of what's going on.

by dfb In reply to Server's Internet Link is ...

It's Data FROM our Server that is at a constant high level. Data TO our Server is average, so I don't think it's SUS, unless it's constantly requesting, but I don't think that would use up all the bandwidth?

If I knew exactly what was being downloaded from our server, it might give me a clue as to how to stop it?

by CG IT In reply to Server's Internet Link is ...

Again, I'll say that you need to sniff some packets or do a netstat on the external interface and see what's active.

Look at exchange SMTP virtual server and see what's in the SMTP connector queue or POP 3 if you use POP 3. Large unknown data going out all the time with Exchange up is a usual suspect of hijacking.
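
The netstat check suggested above, as an added example that is not part of the original thread: it parses saved `netstat -an` output and separates sessions that remote hosts opened to a listener the server is not meant to run from sessions the server itself opened. The sample output is constructed with documentation addresses, and `EXPECTED_LISTENERS` is an assumption to adapt to the services the server should offer.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output; not data from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5517           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3321      ESTABLISHED
  TCP    192.0.2.10:5517        203.0.113.44:4102      ESTABLISHED
  TCP    192.0.2.10:5517        203.0.113.45:1988      ESTABLISHED
  TCP    192.0.2.10:1145        198.51.100.20:80       ESTABLISHED
  TCP    192.0.2.10:1150        198.51.100.9:80        TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

EXPECTED_LISTENERS = {25, 80, 443}  # assumption: services this server should offer


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue  # skips headers, blank lines and stateless UDP rows
        (lip, lport), (rip, rport) = (p.rsplit(":", 1) for p in parts[1:3])
        rows.append((lip, int(lport), rip, int(rport), parts[3]))
    return rows


def triage(rows, expected=EXPECTED_LISTENERS):
    """Group ESTABLISHED sessions: inbound to unexpected listeners, and outbound."""
    listening = {lport for _, lport, _, _, state in rows if state == "LISTENING"}
    inbound_unexpected = defaultdict(list)  # local port  -> remote peers
    outbound = defaultdict(list)            # remote port -> remote peers
    for _, lport, rip, rport, state in rows:
        if state != "ESTABLISHED":
            continue
        if lport in listening:              # a remote host connected in to us
            if lport not in expected:
                inbound_unexpected[lport].append(rip)
        else:                               # the server opened this session
            outbound[rport].append(rip)
    return dict(inbound_unexpected), dict(outbound)


if __name__ == "__main__":
    inbound, outbound = triage(parse_netstat(SAMPLE))
    print("Inbound sessions to unexpected listeners:", inbound)
    print("Outbound sessions by remote port:", outbound)
```

To run it against a real capture, save the output with `netstat -an > conns.txt` on the server and pass the file contents to `parse_netstat` in place of `SAMPLE`.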

by dfb In reply to Server's Internet Link is ...

Not at work right now - 11:30pm UK time.

I will try what you suggest in the morning, but the ISP did say there was no SMTP traffic, just general Web Traffic & this one port 5517 active.

Also the server only has one NIC and I understood that ISA can't be used if you only have one NIC in it?
