W2K netstat detects port 1433 is listening but fport does N
SammyBar
Posted: Fri Oct 14, 2005 8:51 pm

Hi all,

I have a problem with my SQL Server 2000 server. A malware captured the 1433
port when we restarted the SQL Server service. Now we have some users (that
use TCP/IP to connect to the server instead of named pipes) that cannot
access the server. The server is mission critical and cannot be reset until
midnight to eliminate the virus. We want to kill the malware process but we
cannot get the process ID of the malware. We tried with the latest version of
fport downloaded from Foundstone but it doesn't list the 1433 port as being in
use. But netstat -an clearly shows the 1433 port is listening. The SQL
Server log says it could not be bound to 1433. So is it possible fport
fails to detect a process? Which other way can I use to detect the process
ID of the malware apart from fport?

Thanks in advance
Sammy

David H. Lipman
Posted: Sat Oct 15, 2005 12:50 am

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command Line
Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site. The choices are;
Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Steven L Umbach
Posted: Sat Oct 15, 2005 12:50 am

Try Process Explorer from SysInternals. In the properties of each process is
a page for tcp/ip info that will show if any port is used. TCPView may also
be helpful but Process Explorer is the king of process identification. You
also have the option to kill the process or process tree though that does
not work all the time. Also check your services as sometimes malware will
install as a service that you could try to stop/disable. --- Steve

http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.sysinternals.com/Utilities/TcpView.html


SammyBar
Posted: Sat Oct 15, 2005 12:50 am

I was able to find the process that is listening on 1433 port: It is the
System process! I can not shutdown it.
Anyway thanks for the help

Sammy

Peter Foldes
Posted: Sat Oct 15, 2005 8:50 am

Did you install the MS05-051 Security Update over your network? There are many more issues cropping up aside from what is listed.

http://support.microsoft.com/?kbid=909444

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"SammyBar" <sammybar@gmail.com> wrote in message news:e9eJi1R0FHA.3924@TK2MSFTNGP14.phx.gbl...
Quote:
I was able to find the process that is listening on 1433 port: It is the
System process! I can not shutdown it.
Anyway thanks for the help

Sammy

Roger Abell [MVP]
Posted: Sat Oct 15, 2005 8:50 am

I am hearing you make the assumption that it is a light-weight malware,
which may/may not be so. That it shows as running in a System context
only means it is using that account and/or has attached into some process
tree started by System.

Feel good that it is showing at all as that tends to say it is not rootkit
you are up against (yet).

You might want to try PortRptr to see if the logs help you narrow things
down
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=PortRptr

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"SammyBar" <sammybar@gmail.com> wrote in message
news:e9eJi1R0FHA.3924@TK2MSFTNGP14.phx.gbl...
Quote:
I was able to find the process that is listening on 1433 port: It is the
System process! I can not shutdown it.
Anyway thanks for the help

Sammy
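
Added example, not part of the original thread: one way to do the port-to-process lookup discussed above (which PID owns the 1433 listener, and whether that owner is the System process) with built-in cmdlets. It assumes a current Windows release where `Get-NetTCPConnection` is available, which is not the case on Windows 2000; the function name `Get-PortOwner` is hypothetical.

```powershell
# Added example: map a listening TCP port to its owning process and services.
# Assumes a current Windows release with the NetTCPIP module (not Windows 2000).
# Run from an elevated prompt so process details are visible.
function Get-PortOwner {
    param([int]$Port = 1433)

    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "Nothing is listening on TCP port $Port."
        return
    }

    foreach ($l in $listeners) {
        $procId   = $l.OwningProcess
        # Win32_Process gives the image path; Win32_Service lists services hosted in that PID.
        $proc     = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"

        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            OwnerPid     = $procId
            ProcessName  = if ($proc) { $proc.Name } else { '<not visible>' }
            ImagePath    = if ($proc) { $proc.ExecutablePath } else { $null }
            Services     = @($services.Name) -join ', '
            # PID 4 is the System process on XP and later: the socket belongs to
            # kernel-mode code, so there is no user-mode process to terminate.
            SystemOwned  = ($procId -eq 4)
        }
    }
}

Get-PortOwner -Port 1433 | Format-List
```

When `SystemOwned` is true, ending a process will not free the port; the next step is reviewing loaded drivers and services rather than the process list.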

Roger Abell [MVP]
Posted: Sat Oct 15, 2005 8:50 am

But - are you saying issues with 051 specific to SQL Server ?
I have systems with SQL 2K without issues after 051.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4

cquirke (MVP Windows shel
Posted: Sun Oct 16, 2005 12:50 am

On Fri, 14 Oct 2005 17:59:28 -0500, "Steven L Umbach"

Quote:
Try Process Explorer from SysInternals.

You can also try free tools from www.nirsoft.net - they have several,
including Current Process (process killer) and one for ports:

http://www.nirsoft.net/utils/cports.html

The latter lets you see what process is attached to what port, and you
can close ports and kill tasks.

Another useful set of free tools are Faber Toys.


--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
--------------- ----- ---- --- -- - - -

Peter Foldes
Posted: Sun Oct 16, 2005 8:01 am

Roger

I did say that this Security Update made some issues to some posters aside from the ones listed in the KB. I have seen 1 posting concerning SQL where the OP said that SQL was freezing on him. He was getting the Event ID 778.

When he applied the workaround as described in the KB he solved his issue.

Not everyone is getting the issues as described in the KB but some are and some are getting ones that are not documented in there.

I was just trying to point to the issue as another possible fix.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.


Roger Abell [MVP]
Posted: Sun Oct 16, 2005 8:50 am

Interesting Peter. Thank you for replying with the info.
Please understand, I was not meaning to seem critical,
I was honestly wondering if there had been observed
effect on SQL installs.
Thx,
Roger
