Solved

Need Help deciphering Small Business Server 2003 with memory leak poolmon results

Posted on 2012-08-31
Last Modified: 2013-02-22
About every 4 hours the server hangs and the system event log records an error stating the following: "The Server was unable to allocate from the system nonpaged pool because the pool was empty". I used the poolmon tool and determined there is a tag, NatM, which continues to consume nonpaged bytes until the system hangs.

I cannot determine what the tag is linked to.

Has anyone encountered this problem?

Currently I am searching the hard drive for files that contain that tag.
Question by:rrincones
17 Comments
 
LVL 17

Expert Comment

by:WORKS2011
ID: 38359443
Do you use terminal services? In addition to the system memory pools, there is a paged pool for each Terminal Services session on the system. When a system is configured as a Terminal Server (formerly known as Terminal Services in Application Server mode), the kernel-mode portion of the Win32 subsystem allocates memory from the session pool for data structures used in the session. Poolmon also displays those allocations from the Terminal Services session pools, individually and collectively, sorted by tag value.
 
LVL 17

Expert Comment

by:WORKS2011
ID: 38359449
I know poolmon.exe works with programs that don't let go of memory after using it; however, when I end up with errors like this I often run a test against the memory as well. Have you done this? If it's a PowerEdge server, Dell OpenManage may indicate a problem with system memory; you could check there.
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 1002 total points
ID: 38359564
As I've stated here:  http:Q_23933585.html

Start by reviewing the items here:
http://eventid.net/display.asp?eventid=2019&eventno=661&source=Srv&phase=1

Jeff
TechSoEasy
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 38359571
Additionally, if none of those are helpful, run the SBS Best Practices Analyzer to ensure you have everything set correctly and fully patched:  http://sbsbpa.com

Jeff
TechSoEasy
 

Author Comment

by:rrincones
ID: 38407026
Turned out the problem was with a trojan virus loaded on the server.
 
LVL 17

Expert Comment

by:WORKS2011
ID: 38407080
Were you able to get it cleaned successfully? Any info helps the EE knowledgebase, which is helpful in the future. Thanks for the update.
 

Author Comment

by:rrincones
ID: 38444956
OK, the virus was removed but kept re-infecting the server. The virus would use the Remote Desktop Protocol and brute-force password hacking to load onto the server. I disabled RDP and will be changing the default port before enabling it again. Since disabling RDP we have had no virus or memory leak problems.

Thanks for your help.
 

Author Comment

by:rrincones
ID: 38444975
Virus scans detected this file, "C:\WINDOWS\Offline Web Pages\cache.txt", as a Trojan Agent. Researching the filename led me to a page that described how the trojan would infect the server: by using RDP and brute-force password hacking tools.
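The pattern the author describes, a burst of failed RDP logons from one address followed by a success, is what a defender would look for in the Security event log. The following is an added example, not code from this thread: it runs a sliding-window count over constructed lines in the shape of a CSV export of the Security log (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive) and flags a source address that exceeds a threshold, plus any success from a flagged address. The log lines, field order, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (time, event id, logon type, account, source address).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP (RemoteInteractive).
SAMPLE_LOG = """\
2012-08-31 02:14:05,4625,10,administrator,203.0.113.7
2012-08-31 02:14:06,4625,10,administrator,203.0.113.7
2012-08-31 02:14:06,4625,10,admin,203.0.113.7
2012-08-31 02:14:07,4625,10,administrator,203.0.113.7
2012-08-31 02:14:08,4625,10,administrator,203.0.113.7
2012-08-31 02:14:09,4625,10,administrator,203.0.113.7
2012-08-31 02:14:11,4624,10,administrator,203.0.113.7
2012-08-31 02:30:00,4625,10,jsmith,192.0.2.15
2012-08-31 03:12:40,4624,10,jsmith,192.0.2.15
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed: failed RDP logons from one address within WINDOW

def parse(line):
    ts, eid, ltype, user, src = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), int(ltype), user, src

def detect_rdp_bruteforce(log_text):
    """Return findings in log order: ('bruteforce', src, failures_in_window) once per
    source that crosses THRESHOLD, and ('success_after_bruteforce', src, account) for
    every RDP logon success from a source that was already flagged."""
    recent = defaultdict(deque)   # src -> timestamps of recent failed RDP logons
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        ts, eid, ltype, user, src = parse(line)
        if ltype != 10:           # only RDP logons matter here
            continue
        if eid == 4625:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                findings.append(("bruteforce", src, len(q)))
        elif eid == 4624 and src in flagged:
            findings.append(("success_after_bruteforce", src, user))
    return findings
```

A single failure followed by a success (jsmith above) is not reported; the success from 203.0.113.7 is, because it follows a burst that crossed the threshold.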
 
LVL 52

Expert Comment

by:Manpreet Singh Khatra
ID: 38445108
So you can disable RDP on the machine.

- Rancy
 

Author Comment

by:rrincones
ID: 38445594
Yes.
 
LVL 74

Accepted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 1002 total points
ID: 38449951
I've seen this one before and was able to successfully remove it using the Microsoft Safety Scanner.

Info on virus: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3AWin32%2FMorto.A

Safety Scanner:  http://www.microsoft.com/security/scanner/en-us/default.aspx

It can be a tough one because it will also propagate throughout your network, so be sure to run the Safety Scanner on all machines in your LAN.

Also be sure to enforce strong passwords on ALL accounts.  Make sure there aren't any accounts which are set for "password never expires".

Jeff
TechSoEasy
 

Author Comment

by:rrincones
ID: 38495708
As I was running poolmon, I loaded Process Explorer and could see winlogon.exe running and terminating over and over. Once it stopped, I assume after the password was hacked, the tag NatM would slowly move to the top of the list, because it was sorted by nonpaged memory bytes, and the bytes of memory would increase until the server became unresponsive. I would restart the server, scan for viruses, and the cache.txt file would be detected as a trojan.

Then the process would start all over again. Disabling Remote Desktop or changing the default port keeps the trojan from hacking in.
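What the author watched by eye, a tag climbing the nonpaged-bytes sort over time, can be checked mechanically by comparing successive poolmon displays. The following is an added example, not part of this thread: it parses constructed poolmon snapshots (same column layout as the poolmon display, with made-up numbers) and reports the nonpaged tags whose byte count rises in every snapshot while outstanding allocations never fall, which is the signature of a pool leak rather than normal churn. The snapshot contents and the parsing regex are assumptions.

```python
import re

# Constructed poolmon snapshots in poolmon's display layout
# (Tag Type Allocs (delta) Frees (delta) Diff Bytes (delta) Per Alloc).
# The numbers are made up; NatM is the tag from the thread.
SNAPSHOTS = [
    " Tag  Type  Allocs        Frees         Diff   Bytes            Per Alloc\n"
    " NatM Nonp  10000 ( 200)  9000 (   0)   1000   400000 (  80000)   400\n"
    " Irp  Nonp   5000 (  10)  4990 (  10)     10     2240 (      0)   224\n"
    " CM31 Paged 30000 ( 100) 29500 ( 100)    500  2048000 (      0)  4096\n",
    " Tag  Type  Allocs        Frees         Diff   Bytes            Per Alloc\n"
    " NatM Nonp  10400 ( 400)  9000 (   0)   1400   560000 ( 160000)   400\n"
    " Irp  Nonp   5020 (  20)  5010 (  20)     10     2240 (      0)   224\n"
    " CM31 Paged 30200 ( 200) 29700 ( 200)    500  2048000 (      0)  4096\n",
    " Tag  Type  Allocs        Frees         Diff   Bytes            Per Alloc\n"
    " NatM Nonp  11000 ( 600)  9000 (   0)   2000   800000 ( 240000)   400\n"
    " Irp  Nonp   5040 (  20)  5035 (  25)      5     1120 (  -1120)   224\n"
    " CM31 Paged 30400 ( 200) 29900 ( 200)    500  2048000 (      0)  4096\n",
]

ROW = re.compile(
    r"^\s*(?P<tag>\S{1,4})\s+(?P<type>Nonp|Paged)\s+"
    r"(?P<allocs>\d+)\s*\(\s*-?\d+\)\s+(?P<frees>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<diff>-?\d+)\s+(?P<bytes>\d+)"
)

def parse_snapshot(text):
    """Map tag -> (pool type, outstanding allocations, bytes) for one poolmon display."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:   # the header line does not match (its type column is "Type")
            rows[m["tag"]] = (m["type"], int(m["diff"]), int(m["bytes"]))
    return rows

def find_leak_candidates(snapshots, pool="Nonp"):
    """Tags in the given pool whose byte count rises in every successive snapshot
    while outstanding allocations never fall; sorted by total growth, largest first."""
    parsed = [parse_snapshot(s) for s in snapshots]
    candidates = []
    for tag, (ptype, _, _) in parsed[0].items():
        if ptype != pool or any(tag not in p for p in parsed[1:]):
            continue
        series = [p[tag] for p in parsed]
        grows = all(b[2] > a[2] and b[1] >= a[1] for a, b in zip(series, series[1:]))
        if grows:
            candidates.append((tag, series[0][2], series[-1][2]))
    return sorted(candidates, key=lambda c: c[2] - c[1], reverse=True)
```

Irp is excluded because its bytes go flat and then drop (its frees keep pace with allocations), which is what a healthy tag looks like across snapshots.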
 
LVL 52

Expert Comment

by:Manpreet Singh Khatra
ID: 38495954
What is the AV you are using? Is it updated?
If the virus was removed, how is it still affecting the server every time?

- Rancy
 

Author Comment

by:rrincones
ID: 38737898
It was using a password hacking program and would eventually crack the password and load the virus that would use up the memory pool. Changing the port used for Remote Desktop prevented access.
 
LVL 52

Expert Comment

by:Manpreet Singh Khatra
ID: 38739963
Good to know. So is there no AV, or is it not scanning or updated?

- Rancy
 

Author Comment

by:rrincones
ID: 38763355
The AV would detect it and remove it, but after some time the server would get hacked again. From what I read, it was flagged for using the standard port for RDP and would continue to target it.
 
LVL 52

Assisted Solution

by:Manpreet Singh Khatra
Manpreet Singh Khatra earned 498 total points
ID: 38763449
Just check if this would help:

How to change the listening port for Remote Desktop
http://support.microsoft.com/kb/306759

http://tweaks.com/windows/50743/change-remote-desktop-rdp-port/

- Rancy