Re: Is my server or network compromised?

Giganews Newsgroups
Subject: Re: Is my server or network compromised?
Posted by:  David H. Lipman (DLipman~nospam~@Verizon.Net)
Date: Thu, 5 Feb 2009

From: "bestbapu" <bestba…@hotmail.com>

| Some background on the Windows 2000 server in question:

| I have a DNS server behind a firewall. Ports access thru the firewall are
| 80, 53 & 21.

| On this DNS server I am running MySQL 5.x Apache 2.x and PHP 5.0.x.

| I have 6 virtual web servers setup in Apache all on port 80.

| The problem with the server is that the network icon in the systray is
| almost constantly on (both in and out). And if I try and access any of the 6
| websites on this system, most of the they timeout.

| This problem is only just now occuring (well, in the last month or so) even
| though the sever has been up and running for well over three years without a
| problem.

| Event viewer has some occasional entries that are concerning.

| NtFrs Event ID: 13562 (errors polling the Domain Controller). These happen
| about every 6-8 hours.

| DNS Event ID: 5504 (invalid domain name in packet from 198.41.0.4. NOTE:
| this is not IP addressing scheme for my LAN). From 10:05 to 2:45 PM today 46
| such entries happened.

| Userenv Event ID: 1000 (Windoes cannot determine the user or computer name.
| Return value 1722). From 9:35AM to 2:42 PM today 4 entries ocured (approx 1.5
| to 2 hours apart).

| I do not see any suspisous services nor does the
| Task Manager have any oddities (cpu = ~4%) no excessive CPU time on processes.

| Also, the server is viewed as part of the domain from other computers in the
| domain and it can get out to the internet (albeit slowly).

| I can ping the websites and they do respond. But when trying to access
| them from a browser, they time out with a "Service not available".

| Apache is up and running.

| Every so often, maybe 1 out of 25 tries, I can get to the main page of any
| one of these website, but if I navigate to another page, the site times out.
| Once I hit one website, I'll tryanother and that next website almost always
| times out (99.999% of the time).

| I am not a "super or power" adminsitrator. I run a simple network (DC,
| DC/Exchange, DNS/webserver and about 6 workstations). Any help you can
| provide is truly appreciated

I don't know what's going on but the IP address for DNS belongs to Verisign.

OrgName:    VeriSign Infrastructure & Operations
OrgID:      VIO-2
Address:    21345 Ridgetop Circle
City:      Dulles
StateProv:  VA
PostalCode: 20166
Country:    US

NetRange:  198.41.0.0 - 198.41.3.255
CIDR:      198.41.0.0/22
NetName:    INTERNIC1
NetHandle:  NET-198-41-0-0-1
Parent:    NET-198-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.CRSNIC.NET
NameServer: NS2.NSIREGISTRY.NET
NameServer: NS3.VERISIGN-GRS.NET
NameServer: NS4.VERISIGN-GRS.NET

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp

Replies

None

In response to

Is my server or network compromised? posted by bestbapu on Thu, 5 Feb 2009