Solved

Event ID 5157

Posted on 2010-09-03
Last Modified: 2012-06-21
Hello,

I receive a lot of security auditing alerts on my Win 2008, 3 alerts every second. It looks like yyy.yyy.yyy.yyy is scanning access to my SQL server on the xxx.xxx.xxx.xxx machine, port 1433.
Every time it comes from a different port.

Should I start to worry? Have you seen this before? Is that a normal situation?


 
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		8696
	Application Name:	\device\harddiskvolume1\windows\system32\inetsrv\w3wp.exe

Network Information:
	Direction:		Outbound
	Source Address:		yyy.yyy.yyy.yyy
	Source Port:		54635
	Destination Address:	xxx.xxx.xxx.xxx
	Destination Port:		1433
	Protocol:		6

Filter Information:
	Filter Run-Time ID:	0
	Layer Name:		Connect
	Layer Run-Time ID:	48

Question by:siemian
5 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33597161
Sounds to me like machine (lotsa-ys) is attempting to connect to your SQL machine, and it's being blocked...  so the software is configured to keep trying.

If the workstation (lotsa-ys) is supposed to be using a database on sql server (lotsa-xs), yes -- be concerned, 'cause it's failing, and seems to need help.

If workstation (lotsa-ys) isn't supposed to have access to a database on sql server (lotsa-xs), yes -- be concerned... 'cause the user has a program that is either misconfigured or has a program they shouldn't have at all.

But yes, it's a normal thing that occurs when something isn't working.
0
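One way to check whether a burst of 5157 events is one client retrying or something walking ports, as an added example that is not part of the original thread: it parses the message text shown in the question and groups events by application and address pair. The sample events, the documentation-range addresses and the `SCAN_PORTS` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: three 5157 message bodies in the layout shown in the
# question; addresses are documentation-range placeholders, not real hosts.
TEMPLATE = (
    "The Windows Filtering Platform has blocked a connection.\n\n"
    "Application Information:\n"
    "\tProcess ID:\t\t8696\n"
    "\tApplication Name:\t\\device\\harddiskvolume1\\windows\\system32\\inetsrv\\w3wp.exe\n\n"
    "Network Information:\n"
    "\tDirection:\t\tOutbound\n"
    "\tSource Address:\t\t192.0.2.10\n"
    "\tSource Port:\t\t{sport}\n"
    "\tDestination Address:\t198.51.100.20\n"
    "\tDestination Port:\t\t1433\n"
    "\tProtocol:\t\t6\n"
)
SAMPLE_EVENTS = [TEMPLATE.format(sport=p) for p in (54635, 54636, 54640)]

# "Name:<tabs>value" lines; section headers have nothing after the colon.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]+(\S.*?)[ \t]*$", re.M)
SCAN_PORTS = 10  # assumed threshold: distinct destination ports that look like a scan

def parse_5157(message):
    """Return the fields of one event 5157 message as a dict."""
    return {name: value.strip() for name, value in FIELD.findall(message)}

def summarize(messages):
    """Group blocked connections by (application, direction, source, destination)."""
    flows = defaultdict(lambda: {"count": 0, "src_ports": set(), "dst_ports": set()})
    for message in messages:
        f = parse_5157(message)
        key = (f["Application Name"].rsplit("\\", 1)[-1], f["Direction"],
               f["Source Address"], f["Destination Address"])
        flows[key]["count"] += 1
        flows[key]["src_ports"].add(int(f["Source Port"]))
        flows[key]["dst_ports"].add(int(f["Destination Port"]))
    return dict(flows)

def verdict(stats):
    """A scan walks destination ports; a retrying client keeps one and varies the source port."""
    if len(stats["dst_ports"]) >= SCAN_PORTS:
        return "scan-like"
    return "retry-like" if stats["count"] > 1 else "single"

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_EVENTS).items():
        print(key, stats["count"], sorted(stats["dst_ports"]), verdict(stats))
```

A changing source port with a fixed destination port is what ordinary ephemeral-port allocation produces on each new connection attempt, so on its own it does not indicate scanning.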
 

Author Comment

by:siemian
ID: 33597270
What if my (lotsa-ys) is the public Ethernet adapter of the machine that is hosted by Rackspace ( http://www.rackspace.co.uk/rackspace-home )?
0
 

Author Comment

by:siemian
ID: 33597358

I received error messages on Server A, which should be contacting Server B (SQL server).
yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy ). Both Server A and Server B are hosted by Rackspace.
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 1000 total points
ID: 33597647
So, wait... are both Server A and Server B yours?
If Server A is not yours, and Server B (sql server) is yours, I'd contact Rackspace and ask them to make the owner of Server A stop.

Unclear on "yyy.yyy.yyy.yyy is ethernet public adapter IP address ( 192.168.yyy.yyy )" -- to me, 192.168.y.y would be a private address...
0
 

Author Closing Comment

by:siemian
ID: 33716176
Rackspace issue
0


Question has a verified solution.
