Someone else here might have more knowledge on what that IP address is and why Windows might be contacting it. All I can tell from www.network-tools.com and http://visualroute.visualware.com is that it appears to be from xo.com and may be located in or near Chicago IL, USA. It seems to have no DNS host name. You've probably already checked the firewall logs to look for other traffic to or from that address or subnet.

This might not always be safe advice, but sometimes running nmap -O from www.insecure.org and/or a port scanner like SuperScan from www.foundstone.com/knowledge against that IP address might give additional clues. [It would appear that IP is running SSH and the HTTP service mentions server: swcd/5.0.2206 which I'm not familiar with and couldn't find in Google either.]

I'm guessing this is not malicious, but unless someone else here can confirm what this is, I might still try the things below to be safe. Start with the things listed at this URL:
http://securityadmin.info/faq.htm#hacked

Note that if your server had been compromised, theoretically someone could be seeing your keystrokes and start deleting evidence or worse. You could consider unplugging the network cable to be safe.

I would consider using a sniffer to look at the contents of those packets. Actually, in this case, temporarily installing www.sygate.com onto the server might be something to try first instead of a sniffer, because besides packet content, you might also be able to see which executable generated the traffic, which a sniffer would not tell you.
http://securityadmin.info/faq.htm#sniffers

You could use Vision [or Fport] from www.foundstone.com/knowledge or Active Ports from www.webattack.com/get/activeports.shtml or pslist / pstools from www.sysinternals.com to see if there are any suspicious processes on your computer. [Sygate would also already have told you this information.] You could also inspect the running processes in Task Manager, look for recently changed files, and consider running an antivirus and anti-trojan scanner. If you need links to free or not-free scanners, see here:
http://securityadmin.info/faq.htm#antivirus
http://securityadmin.info/faq.htm#trojan

The free tools Filemon, Regmon and Process Explorer from www.sysinternals.com might be useful in letting you see activity on your server that you might not otherwise be able to see.

To confirm that your server hasn't been compromised through an IIS exploit, you might check your IIS logs. You could first look for any lines mentioning .EXE or % that also have a 200 or 502 status code [though those events would not always necessarily represent successful attacks].
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

As you may know, just installing all the latest patches is not the only thing you should do to secure IIS. You'd also want to run through a few hardening checklists, starting with the Baseline security checklists for IIS and Windows at www.microsoft.com/technet/security Those are not comprehensive checklists, so URLs to other hardening checklists can be found at:
http://securityadmin.info/faq.htm#harden

HTH - karl

-----Original Message-----
From: Dan Harpold
To: incidents@seacurityfocus.com
Sent: 2/23/2003 10:20 PM
Subject: Web server crashed, now is trying to contact an IP by port 80 every morning.

My web server crashed the other day. Got a blue screen and on reboot NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K Server with IIS 5 and current service packs. It sits in a DMZ. Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is trying to contact an outside server via HTTP. The external request, which is being blocked by my firewall, is trying to go to 64.0.96.14.
It logs about fifteen attempts over the next ten seconds, then doesn't appear until the next morning.
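The IIS-log check Karl suggests in the reply above (lines mentioning .EXE or % that also carry a 200 or 502 status), worked through as an added example that is not part of the original thread: a Python script that reads IIS 5 W3C extended format using the in-band #Fields: directive and applies that heuristic to a constructed sample log. The sample lines, hosts and paths are constructed for illustration and are not from the poster's server.

```python
import re

# Constructed sample of an IIS 5 W3C extended log (not taken from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-24 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-24 00:00:41 10.0.0.5 GET /default.htm - 200
2003-02-24 00:00:42 10.0.0.7 GET /scripts/sample.exe - 200
2003-02-24 00:00:43 10.0.0.7 GET /downloads/setup.exe - 200
2003-02-24 00:00:44 10.0.0.8 GET /search.asp q=%41 502
2003-02-24 00:00:45 10.0.0.9 GET /scripts/other.exe - 404
"""

# The heuristic from the reply: ".exe" or "%" in the request and a 200 or 502 status.
SUSPECT_STATUS = {"200", "502"}
PATTERN = re.compile(r"\.exe|%", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the column layout is declared in-band
        elif not line or line.startswith("#") or fields is None:
            continue                        # other directives, blanks, data before #Fields
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def find_suspect_requests(text):
    """Return (timestamp, client, status, request) tuples matching the heuristic.
    A 200 on a genuine download such as setup.exe is a false positive, so every
    hit still needs a human look, as the reply itself cautions."""
    hits = []
    for rec in parse_w3c(text):
        stem, query = rec.get("cs-uri-stem", "-"), rec.get("cs-uri-query", "-")
        request = stem if query == "-" else f"{stem}?{query}"
        if rec.get("sc-status") in SUSPECT_STATUS and PATTERN.search(request):
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], rec["sc-status"], request))
    return hits

if __name__ == "__main__":
    for when, client, status, request in find_suspect_requests(SAMPLE_LOG):
        print(when, client, status, request)
```

Point the script at a real log file by reading it into `text`; the parser keys on the #Fields: line, so it copes with the column order changing between log files.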
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 14:37:08 PST