Solved

Even id 5157

Posted on 2010-09-03
5
1,042 Views
Last Modified: 2012-06-21
Hello,

I receive a lot of securuty auditing alerts on my win 2008. Every sec 3 alerts, It looks like yyy.yyy.yyy.yyy scanning access to my sql server on xxx.xxx.xxx.xxx machine port 1433.
Every time from diferent port

Should I start worry ?/ have you seen this before/ is that normal situation ?


 
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		8696
	Application Name:	\device\harddiskvolume1\windows\system32\inetsrv\w3wp.exe

Network Information:
	Direction:		Outbound
	Source Address:		yyy.yyy.yyy.yyy
	Source Port:		54635
	Destination Address:	xxx.xxx.xxx.xxx
	Destination Port:		1433
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	0
	Layer Name:		Connect
	Layer Run-Time ID:	48

Open in new window

0
Comment
Question by:siemian
  • 3
  • 2
5 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33597161
Sounds to me like machine (lotsa-ys) is attempting to connect to your SQL machine, and it's being blocked...  so the software is configured to keep trying.

If the workstation (lotsa-ys) is suppose to be using a database on sql server (lotsa-xs), yes -- be concerned, 'cause it's failing, and seems to need help.

If workstation (lotsa-ys) isn't suppose to have access to a database on sql server (lotsa-xs), yes -- be concerned... 'cause the user has a program that is either misconfigured or has a program they shouldn't have at all.

But yes, it's a normal thing that occurs when something isn't working.
0
 

Author Comment

by:siemian
ID: 33597270
what if...my (lotsa-ys) is the Public Ethernet adaptor of the machine that is hosted by Rackspace ( http://www.rackspace.co.uk/rackspace-home ) ??
0
 

Author Comment

by:siemian
ID: 33597358

I recieved error messages on serverA that should be contacting with Server B ( sql server )
yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy ) , Both Server A and Server B are hosted by Rackspace.
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 250 total points
ID: 33597647
So, wait... are both Server A and Server B yours?
If Server A is not yours, and Server B (sql server) is yours, I'd contact Rackspace and ask them to make the owner of Server A stop.

Unclear on "yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy )" -- to me, 192.168.y.y would be a private address...
0
 

Author Closing Comment

by:siemian
ID: 33716176
Rackspace issue
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
active directory 6 81
Create users share on file server 2 42
Mailchimp - Security and where is the data stored? 2 51
Opinions of Sophos Intercept X and Endpoint Security 2 24
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question