SYN_SENT Problems

  • SYN_SENT Problems

    I seem to have an attack on my network at the moment which is shutting down my trunk ports on Nortel 5520's. I then have to reboot the switches and they are ok. The syslogs on the switch show authentication attempts from a variety of PC/Laptops every few seconds.
    Thinking this would be a simple virus, I have run TREND, MCAFEE and Symantec but nothing is found at all. I have done this on a few machines already.
    Below is the netstat -adn from a machine and it appears the same for the other machines as well, that the host machine is spanning the entire subnet it is connected to (I am running 10 different VLANs), on a whole load of different port numbers.
    I cannot find any single application which is causing this and there appears to be no real pattern.


    TCP 172.16.139.68:5357 172.16.139.54:52229 TIME_WAIT
    TCP 172.16.139.68:5357 172.16.139.54:52236 TIME_WAIT
    TCP 172.16.139.68:5357 172.16.139.54:52252 TIME_WAIT
    TCP 172.16.139.68:51262 122.225.105.94:80 ESTABLISHED
    [iexplore.exe]
    TCP 172.16.139.68:51267 64.4.34.75:1863 ESTABLISHED
    [wlcomm.exe]
    TCP 172.16.139.68:51289 122.225.105.94:80 ESTABLISHED
    [iexplore.exe]
    TCP 172.16.139.68:51296 122.225.105.94:80 ESTABLISHED
    [iexplore.exe]
    TCP 172.16.139.68:51298 122.225.105.94:80 ESTABLISHED
    [iexplore.exe]
    TCP 172.16.139.68:51300 220.181.48.115:80 ESTABLISHED
    [msnmsgr.exe]
    TCP 172.16.139.68:51310 172.16.139.54:58321 TIME_WAIT
    TCP 172.16.139.68:51313 172.16.139.54:58321 TIME_WAIT
    TCP 172.16.139.68:51315 207.46.216.54:80 ESTABLISHED
    [mswinext.exe]
    TCP 172.16.139.68:51320 61.152.242.233:80 TIME_WAIT
    TCP 172.16.139.68:51321 61.152.242.233:80 LAST_ACK
    [msnmsgr.exe]
    TCP 172.16.139.68:51323 207.46.73.251:80 ESTABLISHED
    [msnmsgr.exe]
    TCP 172.16.139.68:51325 38.103.61.195:80 ESTABLISHED
    [hnm_svc.exe]
    TCP 172.16.139.68:51327 218.30.82.201:80 TIME_WAIT
    TCP 172.16.139.68:51334 172.16.139.54:80 TIME_WAIT
    TCP 172.16.139.68:51335 172.16.139.54:139 TIME_WAIT
    TCP 172.16.139.68:51339 172.16.139.1:80 TIME_WAIT
    TCP 172.16.139.68:51340 172.16.139.1:8080 SYN_SENT
    [hnm_svc.exe]
    TCP 172.16.139.68:51341 172.16.139.58:80 SYN_SENT
    [hnm_svc.exe]
    TCP 172.16.139.68:51342 172.16.139.3:80 TIME_WAIT
    TCP 172.16.139.68:51343 172.16.139.3:8080 SYN_SENT
    [hnm_svc.exe]
    TCP 172.16.139.68:51344 172.16.139.5:80 TIME_WAIT
    TCP 172.16.139.68:51345 172.16.139.5:3389 SYN_SENT
    [hnm_svc.exe]

  • #2
    Re: SYN_SENT Problems

    SYN is the first part of establishing a TCP session.

    See here:
    http://www.faqs.org/docs/iptables/tcpconnections.html

    So basically hnm_svc.exe is trying to establish a TCP session with, by the look of it, a range of other devices on the network.

    SYN_SENT suggests a SYN request has been sent, but an ACK has not been received - so it's a half-established connection.
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: SYN_SENT Problems

      I think the hnm_svc.exe is a bit of a red herring as it is not the only service that this happens to. But what would search the local subnet across a range of ports, and also not be picked up by any virus checker? If I remember correctly, the Sasser virus did something similar.

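The following Python is an added example, not part of any post in the thread: it parses netstat output in the layout pasted in the first post and counts, per owning process, how many distinct hosts on the local subnet have a connection sitting in SYN_SENT. The /24 mask, the threshold of three hosts, and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the netstat output in the first post.
SAMPLE = """\
TCP 172.16.139.68:51325 38.103.61.195:80 ESTABLISHED
[hnm_svc.exe]
TCP 172.16.139.68:51339 172.16.139.1:80 TIME_WAIT
TCP 172.16.139.68:51340 172.16.139.1:8080 SYN_SENT
[hnm_svc.exe]
TCP 172.16.139.68:51341 172.16.139.58:80 SYN_SENT
[hnm_svc.exe]
TCP 172.16.139.68:51343 172.16.139.3:8080 SYN_SENT
[hnm_svc.exe]
TCP 172.16.139.68:51345 172.16.139.5:3389 SYN_SENT
[hnm_svc.exe]
"""

# IPv4 TCP lines only; anything else (headers, IPv6, UDP) is ignored.
CONN = re.compile(r"^\s*TCP\s+(\d+(?:\.\d+){3}):(\d+)\s+(\d+(?:\.\d+){3}):(\d+)\s+(\w+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse(text):
    """A [name.exe] line names the owner of the connection line just above it."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            conns.append({"dst": m.group(3), "dport": int(m.group(4)),
                          "state": m.group(5), "owner": None})
        elif (m := OWNER.match(line)) and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = m.group(1)
    return conns

def syn_fanout(conns, subnet="172.16.139.0/24", min_hosts=3):
    """Per process: distinct in-subnet hosts and ports with unanswered SYNs.
    The /24 mask and the threshold are assumptions, not values from the thread."""
    net = ipaddress.ip_network(subnet)
    seen = defaultdict(lambda: (set(), set()))
    for c in conns:
        if c["state"] == "SYN_SENT" and ipaddress.ip_address(c["dst"]) in net:
            hosts, ports = seen[c["owner"] or "(no owner shown)"]
            hosts.add(c["dst"])
            ports.add(c["dport"])
    return {p: {"hosts": len(h), "ports": sorted(pt)}
            for p, (h, pt) in seen.items() if len(h) >= min_hosts}
```

Running the same function over the captures from each affected machine shows whether the fan-out is tied to one executable or spread across several.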