Solved

Even id 5157

Posted on 2010-09-03
5
1,037 Views
Last Modified: 2012-06-21
Hello,

I receive a lot of securuty auditing alerts on my win 2008. Every sec 3 alerts, It looks like yyy.yyy.yyy.yyy scanning access to my sql server on xxx.xxx.xxx.xxx machine port 1433.
Every time from diferent port

Should I start worry ?/ have you seen this before/ is that normal situation ?


 
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		8696
	Application Name:	\device\harddiskvolume1\windows\system32\inetsrv\w3wp.exe

Network Information:
	Direction:		Outbound
	Source Address:		yyy.yyy.yyy.yyy
	Source Port:		54635
	Destination Address:	xxx.xxx.xxx.xxx
	Destination Port:		1433
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	0
	Layer Name:		Connect
	Layer Run-Time ID:	48

Open in new window

0
Comment
Question by:siemian
  • 3
  • 2
5 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
Comment Utility
Sounds to me like machine (lotsa-ys) is attempting to connect to your SQL machine, and it's being blocked...  so the software is configured to keep trying.

If the workstation (lotsa-ys) is suppose to be using a database on sql server (lotsa-xs), yes -- be concerned, 'cause it's failing, and seems to need help.

If workstation (lotsa-ys) isn't suppose to have access to a database on sql server (lotsa-xs), yes -- be concerned... 'cause the user has a program that is either misconfigured or has a program they shouldn't have at all.

But yes, it's a normal thing that occurs when something isn't working.
0
 

Author Comment

by:siemian
Comment Utility
what if...my (lotsa-ys) is the Public Ethernet adaptor of the machine that is hosted by Rackspace ( http://www.rackspace.co.uk/rackspace-home ) ??
0
 

Author Comment

by:siemian
Comment Utility

I recieved error messages on serverA that should be contacting with Server B ( sql server )
yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy ) , Both Server A and Server B are hosted by Rackspace.
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 250 total points
Comment Utility
So, wait... are both Server A and Server B yours?
If Server A is not yours, and Server B (sql server) is yours, I'd contact Rackspace and ask them to make the owner of Server A stop.

Unclear on "yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy )" -- to me, 192.168.y.y would be a private address...
0
 

Author Closing Comment

by:siemian
Comment Utility
Rackspace issue
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Suggested Solutions

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now