Re: Virus that causes a lot of traffic ?


From: Dana Brash (dbrash_at_NOSPAM.gmail.com)
Date: 11/28/04


Date: Mon, 29 Nov 2004 07:38:59 +0800

Hi Paul,

By 'What happens when you stop the services' I mean does the 'traffic'
(still undefined) go away?
Which is related to your other question.
The difference is between 'affected' and 'infected'. An INfected computer
can Affect other computers on the network.
If the INfected computer has a SQL specific virus (e.g. Slammer) then it may
Affect other SQL Servers on the network because it is trying to INfect them.

-- 
HTH,
=d=
Dana Brash
MCSE, MCDBA, MCSA
dbrash@NOSPAM.gmail.com
"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
news:986c01c4d593$f8c538c0$a401280a@phx.gbl...
> Thank you very much.
>
> >What exactly are your symptoms?  When you say heavy
> >traffic, that means that you are seeing a lot of packets
> >going across the NIC because users or processes are
> >requesting information from the server or putting it on
> >the server.  Do you see high bandwidth usage, or are you
> >perhaps experiencing high CPU and/or RAM usage?
> I will ask our network administrator regarding this.
>
> >Running 'netstat -a -n' on the patched servers will show
> >what connections are open
> I will do it on Monday and let you know what I found.
>
> >What happens if you stop the SQL services on those two
> >servers?
> Did you mean if I stop the SQL services on those two
> patched servers, what happens when running 'netstat -a -n'
> or what happens to the heavy traffic?
>
> You mentioned that "If you have one server infected, or
> one client infected, a virus can generate traffic on the
> network that can bring it down. It almost makes sense
> that your 1 unpatched server would have the virus if only
> the other two SQL servers are affected".
> May I know why it makes sense for the 2 patched SQL
> Servers to be affected? I would think it would affect the
> 1 unpatched SQL Server?
>
> Thanks a lot.
>
>
> >-----Original Message-----
> >see in-line....
> >
> >-- 
> >HTH,
> >=d=
> >
> >
> >Dana Brash
> >MCSE, MCDBA, MCSA
> >
> >dbrash@NOSPAM.gmail.com
> >
> >"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
> >news:0ccc01c4d565$b1c13920$a501280a@phx.gbl...
> >> Thank you very much.
> >> Does NETMON do the same thing as Ethereal?
> >Yes, essentially.  It is MS's network monitoring utility.
> >
> >>
> >> In our case, say we have 3 Win2000 servers. 2 of them
> >> have SQL Server 2000 SP3 installed, and 1 does not (the
> >> application in that machine does not work with a
> >> different version of SQL Server).
> >
> >Upgrade the application, or scrap it and buy something from a company that
> >cares about your security.
> >
> >> The heavy traffic
> >> occurred at the 2 servers with the SQL Server SP3.
> >
> >What exactly are your symptoms?  When you say heavy traffic, that means that
> >you are seeing a lot of packets going across the NIC because users or
> >processes are requesting information from the server or putting it on the
> >server.  Do you see high bandwidth usage, or are you perhaps experiencing high
> >CPU and/or RAM usage?
> >
> >> Before
> >> I told my boss that the heavy traffic was definitely not
> >> caused by SQL Slammer, I would like to make sure of the
> >> following. Is it possible for the 1 server machine that
> >> does not have SQL Server SP3 installed to cause the heavy
> >> traffic at the other 2 servers?
> >>
> >
> >Of course.  If you have one server infected, or one client infected, a virus
> >can generate traffic on the network that can bring it down.  It almost makes
> >sense that your 1 unpatched server would have the virus if only the other
> >two SQL servers are affected.  Running 'netstat -a -n' on the patched
> >servers will show what connections are open.  What happens if you stop the
> >SQL services on those two servers?
> >
> >> Also, if any of the client machines does not have the
> >> latest antivirus definition, is it possible for the
> >> client machine to infect the servers (even though all the
> >> servers have the latest antivirus definition)
> >
> >You're using Symantec: get a second opinion.  It is not possible for one
> >machine to infect another machine that has AV to protect it from the
> >infection.  That is the point of AV software.  HOWEVER, an infected machine
> >can, of course, generate traffic to a non-infected machine, which would:
> >
> >> and cause
> >> the heavy traffic at the servers?
> >
> >>
> >> Thank you very much.
> >>
> >> >-----Original Message-----
> >> >If you really need to convince your boss that it's not Slammer, it sounds
> >> >like you're probably going to have to find the culprit and prove it.  (It's
> >> >not Slammer, you're patched and you've double checked.)  You could run some
> >> >network monitoring tools to see what traffic is actually being generated on
> >> >the network as well.  Try running NETMON and looking for what ports are
> >> >being used, where the packets are coming from and where they're headed, etc.
> >> >Using a HUB in place of a switch will help you see all the broadcast packets
> >> >on the network.  Also run 'netstat -a -n' on the servers to see what
> >> >connections are open and connected.
> >> >
> >> >You can also look at the open connections to the server's shares in Computer
> >> >Management (compmgmt.msc) under System Tools > Shared Folders > Sessions
> >> >and Open Files.  This may even tell you which clients are infected by
> >> >looking at which systems are making connections.
> >> >
> >> >And not to be disrespectful of Symantec AV (other than to say I won't use
> >> >it), but you might try running a different AV application with the latest
> >> >updates to see if it doesn't find something Symantec isn't.  You can
> >> >download a 30 day trial of eTrust from ca.com that might fit the bill.  If
> >> >you do, make sure you use heuristic scanning.  I recently had a customer who
> >> >was infected with a variant of W32.Gaobot that wasn't found until using
> >> >heuristic scanning.  BTW, the traffic generated by Gaobot brought the
> >> >network to its knees very effectively, and Lanwench is right, there are
> >> >simply too many possible viruses to enumerate.
> >> >
> >> >-- 
> >> >HTH,
> >> >=d=
> >> >
> >> >
> >> >Dana Brash
> >> >MCSE, MCDBA, MCSA
> >> >
> >> >dbrash@NOSPAM.gmail.com
> >> >
> >> >"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:9fd001c4d4be$c03b8f20$a601280a@phx.gbl...
> >> >> Thank you for the reply. I am not the network
> >> >> administrator, but I was asked to find out more about SQL
> >> >> Slammer.
> >> >>
> >> >> >Are your servers all patched with the latest updates?
> >> >> Yes, we installed the latest patches about 2 weeks ago.
> >> >>
> >> >> >What client OS versions, are they patched, and are they
> >> >> >*all* running centrally managed antivirus software,
> >> >> >current generation, and updated regularly?
> >> >> Client's OS are WinXP (most with SP2). I am not sure if
> >> >> they all run centrally managed antivirus software.
> >> >> Servers' OS are Win2000.
> >> >>
> >> >> My boss is convinced that we have SQL Slammer, but we
> >> >> told him that we have installed SQL Server 2000 SP3 on
> >> >> those machines that have a lot of traffic. I am wondering
> >> >> if there is any other virus that can cause heavy traffic
> >> >> to the server besides SQL Slammer, so that I can suggest
> >> >> to them to look at other viruses, not only SQL Slammer.
> >> >>
> >> >> Also, if we have 3 servers, 2 of them have SQL Server
> >> >> 2000 SP3 installed, and 1 does not have it, is it
> >> >> possible the SQL Slammer comes from this 1 server and
> >> >> causes the heavy traffic on the other 2 servers?
> >> >>
> >> >> Thank you.
> >> >>
> >> >> >-----Original Message-----
> >> >> >Paul fpvt2 wrote:
> >> >> >> Recently some of our servers received so much traffic that
> >> >> >> it caused the servers to go down. We have installed SP3
> >> >> >> for SQL Server 2000, so I don't think it is related with
> >> >> >> the W32/SQLSlammer.worm. We also installed Symantec
> >> >> >> antivirus software in all our servers. Are there any other
> >> >> >> viruses that would cause a lot of traffic to your machine?
> >> >> >>
> >> >> >> Thank you.
> >> >> >
> >> >> >Too many to enumerate -
> >> >> >Are your servers all patched with the latest updates?
> >> >> >What's open from the Internet?
> >> >> >What client OS versions, are they patched, and are they *all* running
> >> >> >centrally managed antivirus software, current generation, and updated
> >> >> >regularly?

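Dana's advice in the thread is to run 'netstat -a -n' on the busy servers, look at which ports are in use and where the connections come from, and then see whether the picture changes once the SQL services are stopped. The script below is an added example (not from the thread or from any of its participants) that parses a constructed Windows 2000 netstat listing and reports the remote hosts holding the most sessions and whether the SQL Server ports are listening. The SQL Server 2000 default ports (TCP 1433, UDP 1434) are well-known defaults and the sample addresses are constructed; neither comes from the thread.

```python
from collections import Counter

# Constructed sample of `netstat -a -n` output in Windows 2000 format; not
# captured from the poster's servers (192.0.2.0/24 is documentation space).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        192.0.2.55:1187        ESTABLISHED
  TCP    192.0.2.10:1433        192.0.2.55:1188        ESTABLISHED
  TCP    192.0.2.10:1433        192.0.2.55:1189        ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.77:2049        ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    192.0.2.10:137         *:*
"""

# SQL Server 2000 default ports (well known; not stated in the thread):
# TCP 1433 carries queries, UDP 1434 is the SQL Server Resolution Service.
SQL_PORTS = {("TCP", "1433"), ("UDP", "1434")}


def parse_netstat(text):
    """Parse netstat text into (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and column header
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((proto, lip, lport, rip, rport, state))
    return rows


def triage(rows):
    """Which remote hosts hold the most sessions, and are the SQL ports listening?"""
    sessions_by_remote = Counter(r[3] for r in rows if r[5] == "ESTABLISHED")
    sql_listeners = sorted(
        (r[0], r[2]) for r in rows
        if (r[0], r[2]) in SQL_PORTS and r[5] in ("LISTENING", "")
    )
    return {"top_talkers": sessions_by_remote.most_common(3),
            "sql_listeners": sql_listeners}


if __name__ == "__main__":
    # On a live server feed it subprocess.check_output(["netstat", "-a", "-n"], text=True)
    # instead of the sample; run once before and once after stopping the SQL service.
    print(triage(parse_netstat(SAMPLE_NETSTAT)))
```

Comparing the two reports before and after stopping the SQL services answers Dana's question directly: if the sessions from the top talker disappear with the service, the traffic is bound to SQL Server; if they stay, look elsewhere.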
