Solved

Event ID 5157

Posted on 2010-09-03
Last Modified: 2012-06-21
Hello,

I receive a lot of security auditing alerts on my Win 2008, 3 alerts every second. It looks like yyy.yyy.yyy.yyy is scanning access to my SQL Server on the xxx.xxx.xxx.xxx machine, port 1433.
Every time from a different port.

Should I start to worry? Have you seen this before? Is that a normal situation?


 
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		8696
	Application Name:	\device\harddiskvolume1\windows\system32\inetsrv\w3wp.exe

Network Information:
	Direction:		Outbound
	Source Address:		yyy.yyy.yyy.yyy
	Source Port:		54635
	Destination Address:	xxx.xxx.xxx.xxx
	Destination Port:		1433
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	0
	Layer Name:		Connect
	Layer Run-Time ID:	48

Question by:siemian
LVL 29

Expert Comment

by:Rich Weissler
ID: 33597161
Sounds to me like machine (lotsa-ys) is attempting to connect to your SQL machine, and it's being blocked...  so the software is configured to keep trying.

If the workstation (lotsa-ys) is supposed to be using a database on sql server (lotsa-xs), yes -- be concerned, 'cause it's failing, and seems to need help.

If workstation (lotsa-ys) isn't supposed to have access to a database on sql server (lotsa-xs), yes -- be concerned... 'cause the user has a program that is either misconfigured or has a program they shouldn't have at all.

But yes, it's a normal thing that occurs when something isn't working.
0
 

Author Comment

by:siemian
ID: 33597270
What if my (lotsa-ys) is the Public Ethernet adaptor of the machine that is hosted by Rackspace ( http://www.rackspace.co.uk/rackspace-home )?
0
 

Author Comment

by:siemian
ID: 33597358

I received error messages on Server A, which should be contacting Server B (SQL Server).
yyy.yyy.yyy.yyy is the Ethernet public adapter IP address (192.168.yyy.yyy). Both Server A and Server B are hosted by Rackspace.
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 250 total points
ID: 33597647
So, wait... are both Server A and Server B yours?
If Server A is not yours, and Server B (sql server) is yours, I'd contact Rackspace and ask them to make the owner of Server A stop.

Unclear on "yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy )" -- to me, 192.168.y.y would be a private address...
0
 

Author Closing Comment

by:siemian
ID: 33716176
Rackspace issue
0
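
A triage aid for the event shown in the question, as an added example that is not part of the original thread: it parses Event ID 5157 message text in the layout above and groups repeats by application, direction and destination, so a stream of events that differ only in source port collapses into one summary line. The addresses are constructed placeholders and the function names are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename  # handles Windows-style paths on any OS

# Constructed sample in the message layout shown in the question;
# addresses are RFC 5737 documentation placeholders, not the poster's.
TEMPLATE = (
    "The Windows Filtering Platform has blocked a connection.\n\n"
    "Application Information:\n"
    "\tProcess ID:\t\t8696\n"
    "\tApplication Name:\t\\device\\harddiskvolume1\\windows\\system32\\inetsrv\\w3wp.exe\n\n"
    "Network Information:\n"
    "\tDirection:\t\tOutbound\n"
    "\tSource Address:\t\t192.0.2.10\n"
    "\tSource Port:\t\t{sport}\n"
    "\tDestination Address:\t192.0.2.20\n"
    "\tDestination Port:\t\t1433\n"
    "\tProtocol:\t\t6\n"
)
SAMPLE = [TEMPLATE.format(sport=p) for p in (54635, 54636, 54637)]

# "Name:<tabs>value" lines; section headings have nothing after the colon.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]+(\S.*)$", re.MULTILINE)
REQUIRED = ("Application Name", "Direction", "Source Port",
            "Destination Address", "Destination Port")

def parse_event(text):
    """Return the 'Name: value' fields of one 5157 message as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def summarize(messages):
    """Group events by (application, direction, destination, port)."""
    groups = defaultdict(lambda: {"count": 0, "source_ports": set()})
    for msg in messages:
        ev = parse_event(msg)
        if not all(name in ev for name in REQUIRED):
            continue  # not a 5157-style message
        key = (basename(ev["Application Name"]), ev["Direction"],
               ev["Destination Address"], int(ev["Destination Port"]))
        groups[key]["count"] += 1
        groups[key]["source_ports"].add(int(ev["Source Port"]))
    return dict(groups)

def describe(key, stats):
    app, direction, dst, port = key
    return (f"{stats['count']} blocked {direction.lower()} connections, "
            f"application {app}, destination {dst}:{port}, "
            f"{len(stats['source_ports'])} distinct source ports")

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(describe(key, stats))
```

Each new TCP connection attempt takes a fresh ephemeral source port, so many source ports against one application, direction and destination indicates one client retrying rather than many different flows.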
