Syn sent issue

One of my Windows 2003 servers was found busy sending network traffic. When I type "netstat -na" in the command prompt, I get the following reply as stated:

  TCP    192.168.1.13:5571       205.2.184.34:445       SYN_SENT
  TCP    192.168.1.13:5572       211.77.0.3:445         SYN_SENT
  TCP    192.168.1.13:5573       211.104.181.42:445     SYN_SENT
  TCP    192.168.1.13:5574       205.55.17.38:445       SYN_SENT
  TCP    192.168.1.13:5575       211.57.199.74:445      SYN_SENT
  TCP    192.168.1.13:5576       205.58.147.105:445     SYN_SENT
  TCP    192.168.1.13:5577       210.101.136.86:445     SYN_SENT
  TCP    192.168.1.13:5578       203.101.212.36:445     SYN_SENT
  TCP    192.168.1.13:5579       211.43.76.50:445       SYN_SENT
  TCP    192.168.1.13:5580       205.124.164.55:445     SYN_SENT
  TCP    192.168.1.13:5581       205.57.237.88:445      SYN_SENT
  TCP    192.168.1.13:5582       205.62.115.122:445     SYN_SENT
  TCP    192.168.1.13:5583       210.81.71.50:445       SYN_SENT
  TCP    192.168.1.13:5584       203.111.228.10:445     SYN_SENT
  TCP    192.168.1.13:5585       210.94.143.74:445      SYN_SENT
  TCP    192.168.1.13:5586       205.110.144.75:445     SYN_SENT
  TCP    192.168.1.13:5587       205.84.17.101:445      SYN_SENT
  TCP    192.168.1.13:5588       205.127.72.19:445      SYN_SENT
  TCP    192.168.1.13:5589       205.107.196.13:445     SYN_SENT
  TCP    192.168.1.13:5590       205.36.139.7:445       SYN_SENT
  TCP    192.168.1.13:5591       205.72.157.29:445      SYN_SENT
  TCP    192.168.1.13:5592       205.98.31.110:445      SYN_SENT
  TCP    192.168.1.13:5593       210.94.180.90:445      SYN_SENT
  TCP    192.168.1.13:5594       203.4.28.99:445        SYN_SENT
  TCP    192.168.1.13:5595       211.81.153.62:445      SYN_SENT
  TCP    192.168.1.13:5596       210.100.18.69:445      SYN_SENT
  TCP    192.168.1.13:5597       211.73.67.25:445       SYN_SENT
  TCP    192.168.1.13:5598       210.118.189.48:445     SYN_SENT
  TCP    192.168.1.13:5599       210.40.158.37:445      SYN_SENT
  TCP    192.168.1.13:5600       205.73.248.95:445      SYN_SENT
  TCP    192.168.1.13:5601       210.48.45.60:445       SYN_SENT
  TCP    192.168.1.13:5602       210.29.211.76:445      SYN_SENT

It looks like my server is targeting port 445. I ran a virus scan and Spybot, but so far, nothing was found.
Any suggestion is appreciated!
0
Asked by: Balack

2 Solutions
 
Bill Bach (President) commented:
TCP port 445 is used for connecting to file shares.  This symptom clearly indicates that your server is attempting to contact numerous other computers to access files on those computers.  Even worse, these are all public addresses, so I would seriously suspect some sort of malware.  

Start visiting the other AV web sites looking for online scanners, like McAfee, Symantec, Panda, Sunbelt Software, and more.  There must be SOMETHING out there.  You may also wish to try RootkitRevealer (Sysinternals), too.


0
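Added example, not part of the original thread: the pattern Bill Bach describes (many half-open SYN_SENT connections from one host to TCP 445 on distinct public addresses) can be checked mechanically against saved `netstat -na` output. The function name, the threshold of 5, and the first three sample rows are assumptions made for illustration; the remaining sample rows are copied from the question.

```python
import ipaddress
import re
from collections import defaultdict

# IPv4 TCP rows of `netstat -na`: local addr:port, remote addr:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def smb_scan_suspects(netstat_text, threshold=5):
    """Return {local_ip: [public remote IPs]} for every local address with at
    least `threshold` SYN_SENT connections to TCP 445 on distinct public hosts.
    The default threshold is an assumption; tune it for the environment."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        local_ip, _, remote_ip, remote_port, state = m.groups()
        if state != "SYN_SENT" or remote_port != "445":
            continue  # listeners and established sessions are not counted
        try:
            remote = ipaddress.ip_address(remote_ip)
        except ValueError:
            continue  # unparsable address column
        if remote.is_global:  # internal file servers (RFC 1918) are ignored
            targets[local_ip].add(remote_ip)
    return {ip: sorted(r) for ip, r in targets.items() if len(r) >= threshold}

# First three rows are constructed (a listener, a normal internal file-share
# session, an internal retry); the rest are taken from the question above.
SAMPLE = """\
  TCP    0.0.0.0:445             0.0.0.0:0              LISTENING
  TCP    192.168.1.13:1044       192.168.1.20:445       ESTABLISHED
  TCP    192.168.1.13:1050       192.168.1.21:445       SYN_SENT
  TCP    192.168.1.13:5571       205.2.184.34:445       SYN_SENT
  TCP    192.168.1.13:5572       211.77.0.3:445         SYN_SENT
  TCP    192.168.1.13:5573       211.104.181.42:445     SYN_SENT
  TCP    192.168.1.13:5574       205.55.17.38:445       SYN_SENT
  TCP    192.168.1.13:5575       211.57.199.74:445      SYN_SENT
"""

if __name__ == "__main__":
    for host, remotes in smb_scan_suspects(SAMPLE).items():
        print(f"{host}: {len(remotes)} public SMB targets in SYN_SENT")
```

On a host flagged this way, `netstat -nao` adds the owning process ID to each row, which helps narrow down the process responsible.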
 
Nothing_Changed commented:
Sorry to jump in, but you may want to try Avast or Kaspersky as well. Nice full-function free versions, and a paid version too if you like it. BillBach is dead on, you have a virus or trojan of some sort, and fixing it is urgent. No points for me on this please, it's BillBach's answer.
0
 
Balack (Author) commented:
This is the typical symptom of virus infection. There were 2 cases, and I only managed to solve one. I used Sophos antivirus with Spybot antispyware, and eventually successfully kept viruses at bay.
0
