Subject: Re: Is my server or network compromised?
Posted by: David H. Lipman (DLipman~nospam~@Verizon.Net)
Date: Thu, 5 Feb 2009
From: "bestbapu" <bestba…@hotmail.com>
| Some background on the Windows 2000 server in question:
| I have a DNS server behind a firewall. Ports accessible through the firewall are
| 80, 53 & 21.
| On this DNS server I am running MySQL 5.x, Apache 2.x and PHP 5.0.x.
| I have 6 virtual web servers set up in Apache, all on port 80.
| The problem with the server is that the network icon in the systray is
| almost constantly on (both in and out). And if I try and access any of the 6
| websites on this system, most of the time they time out.
| This problem is only just now occurring (well, in the last month or so) even
| though the server has been up and running for well over three years without a
| Event viewer has some occasional entries that are concerning.
| NtFrs Event ID: 13562 (errors polling the Domain Controller). These happen
| about every 6-8 hours.
| DNS Event ID: 5504 (invalid domain name in packet from 220.127.116.11. NOTE:
| this is not the IP addressing scheme for my LAN). From 10:05 to 2:45 PM today 46
| such entries happened.
| Userenv Event ID: 1000 (Windows cannot determine the user or computer name.
| Return value 1722). From 9:35 AM to 2:42 PM today 4 entries occurred (approx 1.5
| to 2 hours apart).
| I do not see any suspicious services, nor does the
| Task Manager have any oddities (CPU = ~4%); no excessive CPU time on processes.
| Also, the server is viewed as part of the domain from other computers in the
| domain and it can get out to the internet (albeit slowly).
| I can ping the websites and they do respond. But when trying to access
| them from a browser, they time out with a "Service not available".
| Apache is up and running.
| Every so often, maybe 1 out of 25 tries, I can get to the main page of any
| one of these website, but if I navigate to another page, the site times out.
| Once I hit one website, I'll try another and that next website almost always
| times out (99.999% of the time).
| I am not a "super or power" administrator. I run a simple network (DC,
| DC/Exchange, DNS/webserver and about 6 workstations). Any help you can
| provide is truly appreciated.
I don't know what's going on but the IP address for DNS belongs to Verisign.
OrgName: VeriSign Infrastructure & Operations
Address: 21345 Ridgetop Circle
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Assignment
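A first triage step for the DNS Event ID 5504 entries described above is to pull every "packet from <IP>" source out of the log, count how often each one appears and when, and separate LAN sources from Internet sources. The script below is an added example, not code from either poster; it runs over a small constructed sample of event-log export lines (the timestamps, the 192.168.1.0/24 LAN prefix and the 203.0.113.9 address are made up for the example, and the 5504/1000 message wording is an assumption of what the export looks like).

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of event-log export lines (not taken from the original post).
SAMPLE_EVENTS = """\
2009-02-05 10:05:12 DNS 5504 The DNS server encountered an invalid domain name in a packet from 220.127.116.11. The packet will be rejected.
2009-02-05 10:17:40 DNS 5504 The DNS server encountered an invalid domain name in a packet from 220.127.116.11. The packet will be rejected.
2009-02-05 11:02:03 DNS 5504 The DNS server encountered an invalid domain name in a packet from 192.168.1.25. The packet will be rejected.
2009-02-05 09:35:00 Userenv 1000 Windows cannot determine the user or computer name. Return value (1722).
2009-02-05 11:40:11 DNS 5504 The DNS server encountered an invalid domain name in a packet from 203.0.113.9. The packet will be rejected.
2009-02-05 14:45:59 DNS 5504 The DNS server encountered an invalid domain name in a packet from 220.127.116.11. The packet will be rejected.
"""

# Assumed LAN range for the example; replace with the prefixes actually in use.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# "<date> <time> <source> <event id> <message>"
EVENT_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) (.*)$")
IP_RE = re.compile(r"packet from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_events(text):
    """Turn export lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, source, event_id, msg = m.groups()
        ip_match = IP_RE.search(msg)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source,
            "id": int(event_id),
            "ip": ipaddress.ip_address(ip_match.group(1)) if ip_match else None,
        })
    return events


def is_lan(ip):
    """True if the address falls inside one of the configured LAN prefixes."""
    return any(ip in net for net in LAN_NETWORKS)


def summarize_dns_5504(events):
    """Per source IP: how many 5504 events, whether it is a LAN host, first and last time seen."""
    summary = {}
    for ev in events:
        if ev["source"] != "DNS" or ev["id"] != 5504 or ev["ip"] is None:
            continue
        key = str(ev["ip"])
        entry = summary.setdefault(key, {
            "count": 0, "lan": is_lan(ev["ip"]),
            "first": ev["time"], "last": ev["time"],
        })
        entry["count"] += 1
        entry["first"] = min(entry["first"], ev["time"])
        entry["last"] = max(entry["last"], ev["time"])
    return summary


def external_talkers(summary, min_count=2):
    """Non-LAN sources that sent at least min_count bad packets, sorted for stable output."""
    return sorted(ip for ip, e in summary.items()
                  if not e["lan"] and e["count"] >= min_count)


if __name__ == "__main__":
    summary = summarize_dns_5504(parse_events(SAMPLE_EVENTS))
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        where = "LAN" if e["lan"] else "EXTERNAL"
        print(f"{ip:16} {where:8} count={e['count']} first={e['first']:%H:%M} last={e['last']:%H:%M}")
    print("external repeat sources:", external_talkers(summary))
```

Because port 53 is passed through the firewall, any Internet host can deliver a malformed query to this DNS server, so a non-LAN source in the 5504 entries is expected rather than proof of compromise; the repeat-source list is what to feed into a whois lookup like the one above and into a firewall block if the traffic has no legitimate reason to reach the server.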