PlazaProp asked:

Multiple microsoft-ds connections. Too many?

We have a lot of microsoft-ds connections between our W3K and W2K box.  (see netstat output below).  The W2K (server.plaza.local) box is our file/print server, Domain controller and Pervasive SQL Server.  Our W3K (pptermserver) box is our Terminal Server for RDP access.  It also performs IIS, SMTP relay, and has a Pervasive engine that polls data from the W2K box for displaying in a web page.

Does this seem normal for our setup?

Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    pptermserver:microsoft-ds  pptermserver.plaza.local:1224  ESTABLISHED
  TCP    pptermserver:1224      pptermserver.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1036      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1072      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1155      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1187      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1289      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1321      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:1342      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1349      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1545      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1592      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1623      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1627      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1648      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1667      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1675      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:1768      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1887      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1906      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1920      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1923      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1956      server.plaza.local:netbios-ssn  ESTABLISHED
  TCP    pptermserver:2015      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2075      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2113      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2137      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2219      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2330      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2338      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2387      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2407      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2419      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:2476      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2549      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2627      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2665      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:sms-xfer  server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:msolap-ptp2  corpws041.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:2807      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2819      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2840      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2983      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:2993      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3028      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3050      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3053      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3095      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3129      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3150      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3185      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3199      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3219      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3226      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3302      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3320      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3347      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3361      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:ms-wbt-server  ibc-74-218-63-114.insight-bc.com:61446  ESTABLISHED
  TCP    pptermserver:ms-wbt-server  sonyvgn-sz220.plaza.local:49524  ESTABLISHED
  TCP    pptermserver:ms-wbt-server  corpws041.plaza.local:3681  ESTABLISHED
  TCP    pptermserver:3447      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3452      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:3483      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:3518      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3533      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:3692      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3763      server.plaza.local:netbios-ssn  ESTABLISHED
  TCP    pptermserver:3884      server.plaza.local:microsoft-ds  TIME_WAIT
  TCP    pptermserver:3902      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3909      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3924      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3952      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3960      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3966      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3976      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3977      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:3980      corpws041.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:3982      corpws041.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:3995      corpws041.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:4034      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4061      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:4093      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:4123      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4166      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4207      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4248      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4284      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4290      server.plaza.local:3351  ESTABLISHED
  TCP    pptermserver:4309      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4334      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4372      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4381      server.plaza.local:3351  ESTABLISHED
  TCP    pptermserver:4405      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4481      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4484      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4491      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4526      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4546      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4585      server.plaza.local:3351  ESTABLISHED
  TCP    pptermserver:4592      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4594      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4601      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4668      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4695      server.plaza.local:netbios-ssn  ESTABLISHED
  TCP    pptermserver:4696      plazahd.plaza.local:8010  TIME_WAIT
  TCP    pptermserver:4702      server.plaza.local:microsoft-ds  TIME_WAIT
  TCP    pptermserver:4710      server.plaza.local:microsoft-ds  TIME_WAIT
  TCP    pptermserver:4754      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4786      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4841      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4872      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:4922      server.plaza.local:netbios-ssn  ESTABLISHED
  TCP    pptermserver:4942      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:4958      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:4967      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:4999      server.plaza.local:microsoft-ds  ESTABLISHED


ASKER CERTIFIED SOLUTION by tigermatt
(This solution is only available to Experts Exchange members.)
PlazaProp (ASKER):

Could the traffic be configured by the Conficker worm or a variant of it?  I read that Conficker uses port 445, which is used by Windows for SMB.  That box has the appropriate MS patch applied to it back in 12/2008.
SOLUTION
(This solution is only available to Experts Exchange members.)
Ok, thanks for the input.  I went to the McAfee site and got their Conficker test program ( http://www.mcafee.com/us/enterprise/confickertest.html ).  The computer tested "no infected", so I guess this is just normal traffic.  But I will continue to monitor just in case.
A 'B' grade? Can you clarify why? I told you this is normal behaviour, and gave you two different routes to follow to verify it is not caused by a malicious worm or bot.
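As an added example (not from this thread, and not code by the asker or by tigermatt), the following Python script turns the kind of monitoring the asker mentions into something repeatable: it parses a Windows `netstat -a` listing in the format shown in the question, counts established SMB connections per peer, counts inbound RDP sessions on the Terminal Server, and reports how many distinct hosts are being reached on the SMB ports. The embedded listing is a constructed sample made from a few lines of the question's output; the host names are the ones in the question. The distinct-peer count is the useful triage signal here: a host scanning port 445 fans out to many different peers, whereas every microsoft-ds connection in the question goes to the single file server.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the question's "netstat -a" listing.
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    pptermserver:microsoft-ds  pptermserver.plaza.local:1224  ESTABLISHED
  TCP    pptermserver:1036      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1072      server.plaza.local:microsoft-ds  ESTABLISHED
  TCP    pptermserver:1321      plazahd.plaza.local:8010  FIN_WAIT_2
  TCP    pptermserver:1956      server.plaza.local:netbios-ssn  ESTABLISHED
  TCP    pptermserver:ms-wbt-server  corpws041.plaza.local:3681  ESTABLISHED
  TCP    pptermserver:3884      server.plaza.local:microsoft-ds  TIME_WAIT
"""

# One netstat row: proto, local host:port, foreign host:port, optional state.
# Names or numbers may appear for ports; IPv6 bracket syntax is not handled.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")

SMB_PORTS = {"microsoft-ds", "445", "netbios-ssn", "139"}
RDP_PORTS = {"ms-wbt-server", "3389"}


def parse_netstat(text):
    """Return (proto, lhost, lport, fhost, fport, state) tuples, skipping headers."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]


def summarize(rows):
    """Count connections per (foreign host, foreign port, state)."""
    return Counter((fhost, fport, state) for _, _, _, fhost, fport, state in rows)


def smb_peers(rows):
    """Established outbound SMB connections (ports 445/139) per foreign host."""
    return Counter(fhost for proto, _, _, fhost, fport, state in rows
                   if proto == "TCP" and fport in SMB_PORTS and state == "ESTABLISHED")


def rdp_sessions(rows):
    """Established inbound RDP sessions on this Terminal Server."""
    return sum(1 for proto, _, lport, _, _, state in rows
               if proto == "TCP" and lport in RDP_PORTS and state == "ESTABLISHED")


def smb_fanout(rows):
    """Distinct hosts contacted on SMB ports in any state other than LISTENING."""
    return len({fhost for proto, _, _, fhost, fport, state in rows
                if proto == "TCP" and fport in SMB_PORTS and state != "LISTENING"})
```

Run it against a saved `netstat -a` capture over a few days; a per-peer SMB count that roughly tracks the RDP session count and a fan-out of one is consistent with the "normal" verdict in the thread.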