Re: Truly Bizarre outbound traffic when I have open TS connection to DNS server
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/31/04
- Next message: Roger Abell: "Re: Truly Bizarre outbound traffic when I have open TS connection to DNS server"
- Previous message: Roger Abell [MVP]: "Re: New domaintree in existing forest (VPN routed)"
- In reply to: wsmith_at_wbur.bu.edu: "Re: Truly Bizarre outbound traffic when I have open TS connection to DNS server"
- Next in thread: Roger Abell: "Re: Truly Bizarre outbound traffic when I have open TS connection to DNS server"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 30 May 2004 22:09:41 -0700
A few things.
First, the cache in the DNS server will show when you
turn on View / Advanced
It is very strange that 1) this happens only once TS
session begins, and 2) this walks through ephemeral
ports looking for an allowed route out.
Trapping a trace of an admin TS session to a DC is
a high prize.
Check the full path of the second explorer.exe, to make
sure it is the real explorer.exe. Now, TS is different
and you were not clear whether you were looking at all
processes or only those of the session, but within one
session there can/will only ever be one instance of the
explorer.exe process. There is known malware that
installs a file named explorer.exe in the system32 folder.
Yes, the symptoms never matched DNS behavior, but
you have now made that conclusive.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

<wsmith@wbur.bu.edu> wrote in message news:8cudnRDszMEonCTdRVn-gg@giganews.com...
> More clues here. So I tried shutting down DNS and watching the logs. The
> outbound connections CONTINUE even though I have DNS stopped. I also
> started logging all DNS packets and there's nothing in the logs that I can
> find that relates.
>
> Secondly, when I log on to the DC through Terminal Services, a 2nd
> "explorer.exe" process starts and that is the process that is making these
> outbound connections. If I kill the process through Task Manager, the
> outbound traffic STOPS and won't start again until I log off TS and then log
> back in (at which time a new 2nd explorer process spawns and begins the
> outbound requests.)
>
> The DC is the only machine with this behavior. There is only ever 1
> explorer.exe process on my other Windows 2000/2003 servers, regardless
> of whether I'm connected via TS or not.
>
> So I guess I've narrowed it down to a rogue explorer.exe process that spawns
> when I log on via terminal server. I use HP boxes with iLO and when I
> connect to the iLO console, no such 2nd explorer.exe process spawns. It's
> only when I connect via TS.
>
> I suppose that means this thread is no longer on topic for this NG, but what
> do you guys think?
>
> w
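The checks Roger suggests above (confirm the full image path of every explorer.exe, expect exactly one per interactive session, look for a stray copy in system32) can be scripted. The following is an added example and is not part of the thread; it assumes a modern Windows host with PowerShell 5.1 or later and the NetTCPIP module, which the Windows 2000/2003 machines under discussion would not have had. Paths, variable names, and the "one explorer.exe per session" heuristic are the editor's assumptions.

```powershell
# Added example (not from the thread): enumerate explorer.exe per session,
# verify the image path and Authenticode signature, and list outbound TCP
# connections owned by each instance. Assumes PowerShell 5.1+ and NetTCPIP.

$expected = Join-Path $env:SystemRoot 'explorer.exe'   # where Windows installs it

# One explorer.exe per interactive session is normal; flag anything else.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"
foreach ($g in ($procs | Group-Object SessionId)) {
    if ($g.Count -gt 1) {
        Write-Warning "Session $($g.Name) has $($g.Count) explorer.exe processes"
    }
}

# Report path, signature status and parent for every instance.
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $sig  = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'n/a' }
    [pscustomobject]@{
        PID        = $p.ProcessId
        Session    = $p.SessionId
        Path       = $path
        Signature  = $sig
        ParentPID  = $p.ParentProcessId
        Suspicious = ($path -ne $expected) -or ($sig -ne 'Valid')
    }
}

# A copy of explorer.exe under System32 is not a standard Windows location.
$stray = Join-Path $env:SystemRoot 'System32\explorer.exe'
if (Test-Path $stray) {
    Write-Warning "Unexpected file present: $stray"
    Get-AuthenticodeSignature $stray | Select-Object Status, SignerCertificate
}

# Established TCP connections owned by any explorer.exe instance.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -in $procs.ProcessId } |
    Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort
```

Run it from an elevated prompt on the DC while the Terminal Services session is open so the second instance is present. An explorer.exe whose path is not `%SystemRoot%\explorer.exe`, whose signature is not `Valid`, or whose parent is not the session's winlogon/userinit chain is the one to preserve (image and memory) before killing it, since the post notes the traffic stops as soon as the process is ended.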