Ok so I have a Windows server that is doing some bizarre
stuff. My first thought is some sort of worm/virus but nothing
detects anything. What is happening is let’s say I am on the
server and do an FTP command. If I monitor my firewall it reports
that Service tcp_Ftp is active but operating on source port 1585.
If I try to do an HTTP request from a browser it says Service tcp_http
is active but source port is reported as 1562. It is picking random
ports to perform the operation. Also I see sequential scans for ports
via UDP port 1434, which has been associated with SQL Slammer in the past.
As I said though, no virus scanner detects anything. I would say it is a
corrupt IP stack or something except that the web server that runs on it
functions as normal. WTH?
This is an older W2k SP4 server that is not internet facing.
I should also mention that there is a relationship with this web server
and a SQL database so there may be some MS traffic that would show up as SQL
in the firewall, but the odd port choosing is what has me stumped. Normal
http traffic shows up as a tcp high port 50000 or higher. On this box
it grabs ports below 2000.
I assume that’s normal. Windows XP and earlier uses random source ports
between 1025 and 65535. Vista and higher by default use source ports
50000 and up.
Well, that’s what I was thinking as well. I think it is actually correct
but was wondering about it. I think the unusual traffic I was seeing was
that the firewall was blocking part of the MSSQL communications so it was
wandering all over the map with these port numbers trying to connect. Once
I unblocked it the strangeness went away. I was just concerned that the
firewall was blocking something malicious so I threw every anti-rootkit/malware
utility at it that I had. Nothing came up so I guess problem
solved.
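Two things in this thread are worth checking mechanically rather than by eye: whether a host's source ports fall in the dynamic range its OS version should be using, and whether the UDP 1434 traffic is one client hammering a single (blocked) SQL Server or one host walking a subnet the way Slammer did. The script below is an added example, not code from the original thread. It parses constructed firewall log lines in a made-up key=value format (the IPs, ports and timestamps are invented), classifies each source port against Microsoft's documented defaults (Windows 2000/XP/2003 allocate from 1025 up to 5000 unless MaxUserPort is raised; Vista/2008 and later use 49152-65535), and separates udp/1434 sweeps from retries. The sweep threshold of three distinct targets is an arbitrary assumption for the sample data. Remember that UDP 1434 is also the legitimate SQL Server Browser/resolution port, so a hit count alone proves nothing; the one-source-many-targets pattern is the indicator.

```python
"""Classify firewall source ports and separate udp/1434 sweeps from retries.

Added example for this thread; log format, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log (not from the original posts). 10.0.0.5 is a legacy
# host retrying against one blocked SQL Server; 10.0.0.99 sweeps a subnet.
SAMPLE_LOG = """\
2009-03-12 10:01:05 proto=tcp src=10.0.0.5:1585 dst=10.0.0.20:21 action=allow
2009-03-12 10:01:09 proto=tcp src=10.0.0.5:1562 dst=10.0.0.30:80 action=allow
2009-03-12 10:01:10 proto=tcp src=10.0.0.7:50021 dst=10.0.0.30:80 action=allow
2009-03-12 10:01:12 proto=udp src=10.0.0.5:1601 dst=10.0.0.40:1434 action=deny
2009-03-12 10:01:13 proto=udp src=10.0.0.5:1602 dst=10.0.0.40:1434 action=deny
2009-03-12 10:01:14 proto=udp src=10.0.0.5:1603 dst=10.0.0.40:1434 action=deny
2009-03-12 10:01:15 proto=udp src=10.0.0.5:1604 dst=10.0.0.40:1434 action=deny
2009-03-12 10:01:20 proto=udp src=10.0.0.99:1025 dst=10.0.1.1:1434 action=deny
2009-03-12 10:01:20 proto=udp src=10.0.0.99:1026 dst=10.0.1.2:1434 action=deny
2009-03-12 10:01:21 proto=udp src=10.0.0.99:1027 dst=10.0.1.3:1434 action=deny
2009-03-12 10:01:21 proto=udp src=10.0.0.99:1028 dst=10.0.1.4:1434 action=deny
2009-03-12 10:01:22 proto=udp src=10.0.0.99:1029 dst=10.0.1.5:1434 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"action=(?P<action>\w+)$"
)

# Default dynamic (client-side) port ranges on Windows. 2000/XP/2003 start at
# 1025 and stop at 5000 unless MaxUserPort is raised; Vista/2008 and later use
# the IANA range 49152-65535. Ports below 1024 are well-known server ports.
EPHEMERAL_RANGES = {
    "legacy": (1025, 5000),
    "modern": (49152, 65535),
}


def classify_source_port(port):
    """Name the range a source port falls in, e.g. 'legacy-ephemeral'."""
    if port < 1024:
        return "privileged"
    for name, (lo, hi) in EPHEMERAL_RANGES.items():
        if lo <= port <= hi:
            return name + "-ephemeral"
    return "other"


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        event = m.groupdict()
        event["sport"] = int(event["sport"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def summarize_sources(events):
    """Map each source IP to the set of source-port classes it used.

    A single host that only ever uses one class is behaving like one OS
    generation; a mix of classes from one IP is worth a closer look.
    """
    classes = defaultdict(set)
    for e in events:
        classes[e["src"]].add(classify_source_port(e["sport"]))
    return dict(classes)


def analyze_udp1434(events, sweep_threshold=3):
    """Label each source sending udp/1434 as 'sweep', 'retry' or 'sporadic'.

    sweep:    one source, >= sweep_threshold distinct destinations (Slammer-like)
    retry:    one source, one destination, >= sweep_threshold attempts
              (a client re-trying a SQL Server the firewall is blocking)
    sporadic: too few events to say anything
    """
    targets = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["dport"] == 1434:
            targets[e["src"]].append(e["dst"])
    verdicts = {}
    for src, dsts in targets.items():
        if len(set(dsts)) >= sweep_threshold:
            verdicts[src] = "sweep"
        elif len(dsts) >= sweep_threshold:
            verdicts[src] = "retry"
        else:
            verdicts[src] = "sporadic"
    return verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, classes in sorted(summarize_sources(evs).items()):
        print(f"{src}: source ports in {sorted(classes)}")
    for src, verdict in sorted(analyze_udp1434(evs).items()):
        print(f"{src}: udp/1434 pattern = {verdict}")
```

Run against a real firewall export you would swap `LINE_RE` for your product's line format; the classification and the sweep/retry split do not depend on it. On the sample data the legacy host's ports (1562, 1585, 1601...) land in the 1025-5000 range, which is exactly the "below 2000" behaviour described in the thread, while the Vista-era host shows up at 50021.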
Have you looked into "Process Explorer"? Mark Russinovich is a "Fellow"
there now, and has really helped clean up their act since he joined.
IMHO.