anilmane

Too many TIME_WAIT connections.

Hello Experts,

I am looking after a Win 2000 server with an MS SQL 2000 DB. Recently, all of a sudden, the bandwidth utilization of the server skyrocketed. Upon running TCPView I got the result given below:

sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:7322      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15189      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15359      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:15525      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:16931      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18317      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18480      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:18651      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      ip64-48-99-178.z99-48-64.customer.algx.net:20393      TIME_WAIT
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49885      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49756      TIME_WAIT      
sqlservr.exe:772      TCP      x.x.x.x.center7.com:ms-sql-s      162.69-93-76.reverse.theplanet.com:49581      TIME_WAIT      


This is just a few lines of the result. There are hundreds of entries like these. I know that getting TIME_WAIT is quite normal and usually these connections get dropped after some time, but I have been getting these results for more than a week now. At first I thought this was the Slammer worm, but I have Service Pack 3 of SQL installed, so I believe it makes me immune to this worm. Just to be sure, I checked with the Symantec Slammer fix tool but did not find anything. Can somebody help me with this?

Thanks in Advance
jdlambert1
I suspect you have some virus/worm/trojan other than Slammer. All those port numbers from algx.net definitely look like port scanning, and it doesn't appear to be a conventional web site. theplanet.com is a web hosting site, and the traffic from reverse.theplanet.com may mean that their server has gotten a lot of traffic from your server, and they're trying to do a reverse lookup on your IP address.
Well, my idea that reverse.theplanet.com is doing reverse lookups is a dumb idea, I was thinking of firewall logs that look like that, not SQL Server connections.

If this database is behind a web server, it may be the target of one or more attacks (or efforts to probe for weaknesses), rather than having a virus/worm/trojan on your server.
anilmane

ASKER

Thanks for the quick reply,

Yes, I think it's some kind of worm, but I have scanned this server with Symantec and some other online scan, to no avail. algx.net and theplanet.com are not the only sites for which I am getting this; there are also hundreds of connections from jaazsoftware.com, which is also not a valid site. Is there any way I can stop this?

ASKER CERTIFIED SOLUTION
jdlambert1
This solution is only available to members.
Why is your server accepting connections from the Internet? You need a firewall - and quick!

If you have a router that you manage, get it to deny all ports except the ones you need to leave open. If it's a webserver, that will usually just be port 80 and possibly 443. There's normally no need for any of the SQL to be exposed to the Internet.

If you don't have a router that you can manage, at least use some of the filtering in the network connection's TCP/IP properties.
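
Added example, not part of the thread: a small Python script that summarises TCPView rows like the ones in the question, counting connections to the SQL Server port per remote host so unexpected Internet clients stand out before and after filtering is applied. The sample rows, host names, allow-list and threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the TCPView column layout quoted in the question
# (process:pid, protocol, local endpoint, remote endpoint, state).
# Host names are reserved example names, not values from the thread.
SAMPLE = """\
sqlservr.exe:772  TCP  db.example.com:ms-sql-s  host-a.example.net:7322   TIME_WAIT
sqlservr.exe:772  TCP  db.example.com:ms-sql-s  host-a.example.net:15189  TIME_WAIT
sqlservr.exe:772  TCP  db.example.com:ms-sql-s  host-a.example.net:15359  TIME_WAIT
sqlservr.exe:772  TCP  db.example.com:ms-sql-s  host-b.example.org:49885  TIME_WAIT
sqlservr.exe:772  TCP  db.example.com:ms-sql-s  app01.corp.example:2044   ESTABLISHED
inetinfo.exe:900  TCP  db.example.com:http      host-c.example.org:3120   TIME_WAIT
"""

LINE = re.compile(r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
                  r"(?P<local>\S+):(?P<lport>[^\s:]+)\s+"
                  r"(?P<remote>\S+):(?P<rport>[^\s:]+)\s+(?P<state>\S+)\s*$")
SQL_PORTS = {"ms-sql-s", "1433"}  # service name as TCPView shows it, or the number

def parse(text):
    """Yield one dict per well-formed TCPView row; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def sql_clients(text, allowed=()):
    """Count connections to the SQL Server port per remote host,
    leaving out hosts on the (hypothetical) allow-list."""
    hits = Counter()
    for row in parse(text):
        if row["lport"].lower() in SQL_PORTS and row["remote"] not in allowed:
            hits[row["remote"]] += 1
    return hits

def report(text, allowed=(), threshold=3):
    """Return [(host, count)] for unexpected hosts at or above threshold."""
    return [(h, n) for h, n in sql_clients(text, allowed).most_common()
            if n >= threshold]

if __name__ == "__main__":
    for host, n in report(SAMPLE, allowed={"app01.corp.example"}, threshold=1):
        print(f"{n:5d}  {host}")
```

Once the router or TCP/IP filtering blocks the SQL port from the Internet, the same summary over a fresh TCPView capture should list only hosts that belong on the allow-list.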