Unknown traffic coming from my server!

By admin ·
I'm running a mission-critical Windows 2000 Server with SQL and web services. For the last week it's been generating 800K per second traffic in and out. I've replaced the NIC, to ensure that it's not a freaked-out hardware problem. I've run anti-virus scans on disks, memory and in safe mode, but NO change. I do not see any unusual usage in processes under Task Manager. PLEASE, can someone help give me a step-by-step method of finding what's generating this! HELP!

All Comments

by Curacao_Dejavu In reply to Unknown traffic coming fr ...

Make sure you have W2K SP4 and SP3 of SQL 2000 installed.
http://tinyurl.com/4vne

Consider putting the server behind a (hardware) firewall with only the ports required to connect to the web services (80) open.

Leopold

by Curacao_Dejavu In reply to

Open a DOS prompt and type in netstat to see what connections are to that server.
(Or use Active Ports, which is free.)

by admin In reply to

I'm up-to-date on sp's. Thanks...I'll keep looking.

by mikex In reply to Unknown traffic coming fr ...

Download from www.sysinternals.com

TCPView for xp/2k

and see what's generating this huge traffic

by admin In reply to

TCPView did the trick..Thanks!

by razz2 In reply to Unknown traffic coming fr ...

I agree that you should check netstat, and TCPView may help too, but I just had a few questions as well as suggestions.

First of all, are you behind a firewall with good logging capabilities? If so check the log and see what the traffic source/destination is. You might even go so far as using Ethereal ( http://www.ethereal.com/ ) to analyze the traffic.

Second, you mentioned an anti-virus scan in safe mode, but does the traffic disappear in safe mode? If so then try finding out if a service is doing it. Try scanning with Ad-Aware AND Spybot S&D. I would even in normal mode stop Internet Information Services and see if that causes it to disappear. If so then check your IIS install as it may have been compromised.

Good Luck,

razz

by admin In reply to Unknown traffic coming fr ...

Unfortunately, I am NOT behind a firewall yet. I have a PIX, and the move is on my to-do list.

TCPView revealed some suspicious processes, like "slave.exe" and some unwarranted connections. I ended those processes and it seemed to kill the traffic. I'm going to keep an eye on traffic til Monday late AM, and see if it re-occurs.
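
Added example, not part of the original thread: a small Python script that does by hand what TCPView showed here, mapping each socket in `netstat -ano` output to its owning process and counting the sockets that the server's expected services do not explain. It assumes a Windows version whose netstat supports the `-o` switch; the sample output, the PID map, the addresses and the `EXPECTED` list are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1388
  TCP    192.0.2.10:80          198.51.100.7:51514     ESTABLISHED     1204
  TCP    192.0.2.10:3127        203.0.113.5:4000       ESTABLISHED     2960
  TCP    192.0.2.10:3128        203.0.113.9:4000       ESTABLISHED     2960
  TCP    192.0.2.10:3129        203.0.113.44:4000      ESTABLISHED     2960
  UDP    0.0.0.0:1434           *:*                                    1388
"""

# Constructed PID-to-image map, such as `tasklist` would supply.
SAMPLE_PROCS = {1204: "inetinfo.exe", 1388: "sqlservr.exe", 2960: "slave.exe"}
# Assumption: the services this server should run and the local ports they own.
EXPECTED = {"inetinfo.exe": {80}, "sqlservr.exe": {1433, 1434}}

def parse_netstat(text):
    """Parse TCP/UDP rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["TCP"] and len(f) == 5:
            _, local, remote, state, pid = f
        elif f[:1] == ["UDP"] and len(f) == 4:
            (_, local, remote, pid), state = f, ""
        else:
            continue  # banner, header or blank line
        # rsplit keeps IPv6 literals such as [::]:80 intact
        rows.append({"proto": f[0], "local_port": int(local.rsplit(":", 1)[1]),
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows

def unexpected_talkers(rows, procs, expected):
    """Count, per process, sockets whose local port is not an expected service port."""
    hits = Counter()
    for r in rows:
        image = procs.get(r["pid"], "<unknown>")
        if r["local_port"] not in expected.get(image, set()):
            hits[(r["pid"], image)] += 1
    return hits.most_common()

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for (pid, image), n in unexpected_talkers(rows, SAMPLE_PROCS, EXPECTED):
        print(f"PID {pid} {image}: {n} unexplained socket(s)")
```
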
