  • wired SYN_SENT flood

    Hi all,
    I'm running Win2k3 Enterprise Edition as a web server using both IIS6 and Apache, PHP5, hMailServer, MySQL and Serv-U FTP.
    I'm using ClamWin as the main antivirus scanner and SysClean.com, a tool from Trend Micro, for threat removal, but I cannot update either of them
    because I cannot resolve domain names to IPs, either in the web browser or via a test connectivity ping. I also cannot resolve the Microsoft domain name; nslookup works very fine. Please refer to the attached photo for details
    of what happens when I ping both update servers (please see pic),
    even though I'm using OpenDNS servers as the name servers.
    By the way, I changed the name servers to another name server but it's still the same.
    Here's the error from the ClamWin update manager:
    ClamAV update process started at Thu May 21 17:34:15 2009
    main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
    WARNING: Can't get information about database.clamav.net: Unknown error
    WARNING: getpatch: Can't download daily-9370.cdiff from database.clamav.net
    WARNING: Can't get information about database.clamav.net: Unknown error
    Trying again in 5 secs...

    Till now it seems like a DNS resolution problem.
    I noticed a weird SYN_SENT flood; I ran netstat -ano to see in/outbound connections
    and got the following:
    netstat -ano | find " SYN_SENT"
    TCP xxx.xxx.xxx.xxx:1666 210.79.233.40:445 SYN_SENT 940
    TCP xxx.xxx.xxx.xxx:1667 62.52.220.6:445 SYN_SENT 940
    TCP xxx.xxx.xxx.xxx:1668 24.58.54.44:445 SYN_SENT 940
    TCP xxx.xxx.xxx.xxx:1669 75.117.17.79:445 SYN_SENT 940
    TCP xxx.xxx.xxx.xxx:1670 23.20.43.36:445 SYN_SENT 940
    TCP xxx.xxx.xxx.xxx:1671 145.22.203.11:445 SYN_SENT 940
    TCP xxx.xxx.xxx.xxx:1672 109.23.168.70:445 SYN_SENT 940
    TCP ...............
    (the output is truncated for brevity)
    PID 940 belongs to svchost.exe.
    How can I solve the SYN_SENT problem? I've got loads of them, maybe 80 connection requests or more.
    I scanned the server for viruses but found nothing.
    Also, I cannot resolve www.microsoft.com.

    Any ideas?
    Thanks in advance.
    Last edited by [email protected]; 21st May 2009, 21:29. Reason: add new information

  • #2
    Re: wired SYN_SENT flood

    Cleared the DNS cache??

    Rebooted the machine??

    Anything in the firewall restricting the server from contacting the net??


    • #3
      Re: wired SYN_SENT flood

      Which svchost process does it belong to?
      Grab the PID of the connection from netstat, e.g.
      Active Connections

      Proto Local Address Foreign Address State PID
      TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1840

      gives me PID 1840. Just running tasklist tells me PID 1840 is svchost;
      if I run tasklist /svc however, it tells me what's running under that generic application. For instance, I now know that PID 1840 on my workstation is the RPC service:

      svchost.exe 1772 DcomLaunch, TermService
      svchost.exe 1840 RpcSs

      The difference is in the output of tasklist by itself:
      svchost.exe 1840 Console 0 5,056 K

      From there, you may be able to identify a rogue application....

      Also, isn't port 445 normally an LDAP or other AD-like port? Your machine there is trying to contact public addresses on port 445. This is making me quite suspicious..


      • #4
        Re: wired SYN_SENT flood

        wullieb1,
        Thanks for your reply.
        By the way, I already flushed the DNS cache, rebooted the machine multiple times, and I'm using the Windows built-in firewall,
        but I didn't try disabling it just for checking. I will try disabling it and see what happens after the firewall is disabled.


        • #5
          Re: wired SYN_SENT flood

          tehcamel,
          Thanks for your reply.
          I will try your tips about grabbing the processes, see what comes up and post the result ASAP.
          By the way, what do you mean by
          "the difference is in the output: tasklist by itself.
          svchost.exe 1840 Console 0 5,056 K"?
          I couldn't get it.


          • #6
            Re: wired SYN_SENT flood

            I disabled the built-in firewall but the DNS resolution is still the same.
            I ran tasklist /svc.
            Please note that svchost.exe still has the same PID I mentioned above, PID 940.
            I got the following:
            svchost.exe 724 DcomLaunch
            svchost.exe 816 RpcSs
            svchost.exe 888 Dhcp, Dnscache
            svchost.exe 924 LmHosts, W32Time
            svchost.exe 940 AeLookupSvc, Browser, CryptSvc, dmserver,
            EventSystem, helpsvc, HidServ,
            lanmanserver, lanmanworkstation, Netman,
            Nla, Schedule, seclogon, SENS,
            SharedAccess, ShellHWDetection, TrkWks,
            winmgmt, WZCSVC


            Also, I ran netstat with no options and got the following:

            C:\WINDOWS\system32\LogFiles>netstat

            Active Connections

            Proto Local Address Foreign Address State
            TCP elearnsrvr:1041 elearnsrvr:3306 ESTABLISHED
            TCP elearnsrvr:1045 elearnsrvr:3306 ESTABLISHED
            TCP elearnsrvr:2588 elearnsrvr:3306 TIME_WAIT
            TCP elearnsrvr:3041 elearnsrvr:3306 ESTABLISHED
            TCP elearnsrvr:3306 elearnsrvr:1041 ESTABLISHED
            TCP elearnsrvr:3306 elearnsrvr:1045 ESTABLISHED
            TCP elearnsrvr:3306 elearnsrvr:3041 ESTABLISHED
            TCP elearnsrvr:3593 elearnsrvr:3306 TIME_WAIT
            TCP elearnsrvr:4117 elearnsrvr:3306 TIME_WAIT
            TCP elearnsrvr:http 123.125.66.20:1405 TIME_WAIT
            TCP elearnsrvr:epmap elearnsrvr:2298 ESTABLISHED
            TCP elearnsrvr:2298 elearnsrvr:epmap ESTABLISHED
            TCP elearnsrvr:2593 elearnsrvr:imap TIME_WAIT
            TCP elearnsrvr:ms-wbt-server xxx.xxx.xxx.xxx:3647 ESTABLISHED
            TCP elearnsrvr:3594 elearnsrvr:imap TIME_WAIT
            TCP elearnsrvr:4143 161.110.9.4:microsoft-ds FIN_WAIT_1
            TCP elearnsrvr:4491 32.78.135.48:microsoft-ds SYN_SENT
            TCP elearnsrvr:4492 73.14.174.11:microsoft-ds SYN_SENT
            TCP elearnsrvr:4493 hst000050873um.pharmacy.olemiss.edu:microsoft-ds SYN_SENT
            TCP elearnsrvr:4494 184.33.192.27:microsoft-ds SYN_SENT
            TCP elearnsrvr:4495 A-g9-1-500-S1.tls2.mtl1.rogerstelecom.net:microsoft-ds SYN_SENT
            TCP elearnsrvr:4496 156.85.26.1:microsoft-ds SYN_SENT
            TCP elearnsrvr:4497 12.83.195.20:microsoft-ds SYN_SENT
            TCP elearnsrvr:4498 29.19.103.119:microsoft-ds SYN_SENT
            TCP elearnsrvr:4499 136.20.103.93:microsoft-ds SYN_SENT
            TCP elearnsrvr:ipsec-msft 161.39.167.45:microsoft-ds SYN_SENT
            TCP elearnsrvr:4501 22.21.194.21:microsoft-ds SYN_SENT
            TCP elearnsrvr:4502 42.1.104.83:microsoft-ds SYN_SENT
            TCP elearnsrvr:4503 153.100.144.57:microsoft-ds SYN_SENT
            TCP elearnsrvr:4504 169.9.169.115:microsoft-ds SYN_SENT
            TCP elearnsrvr:4505 133.95.113.92:microsoft-ds SYN_SENT
            TCP elearnsrvr:4506 183.70.68.58:microsoft-ds SYN_SENT
            TCP elearnsrvr:4507 216-49-169-114.islc.net:microsoft-ds SYN_SENT
            TCP elearnsrvr:4508 188.54.208.50:microsoft-ds SYN_SENT
            TCP elearnsrvr:4509 56.100.112.62:microsoft-ds SYN_SENT
            TCP elearnsrvr:4510 195.19.81.62:microsoft-ds SYN_SENT
            TCP elearnsrvr:4511 31.17.198.56:microsoft-ds SYN_SENT
            TCP elearnsrvr:4512 177.86.139.73:microsoft-ds SYN_SENT
            TCP elearnsrvr:4513 86.104.201.13:microsoft-ds SYN_SENT
            TCP elearnsrvr:4514 vpses.ultimateserv.com:microsoft-ds SYN_SENT
            TCP elearnsrvr:4515 121.34.123.97:microsoft-ds SYN_SENT
            TCP elearnsrvr:4516 v101960.home.net.pl:microsoft-ds SYN_SENT
            TCP elearnsrvr:4517 217.5.26.72:microsoft-ds SYN_SENT
            TCP elearnsrvr:4518 110.102.153.33:microsoft-ds SYN_SENT
            TCP elearnsrvr:4519 74-42-133-46.dr02.apvy.mn.frontiernet.net:microsoft-ds SYN_SENT
            TCP elearnsrvr:4520 174.35.214.16:microsoft-ds SYN_SENT
            TCP elearnsrvr:4521 141.21.130.67:microsoft-ds SYN_SENT
            TCP elearnsrvr:4522 142.106.89.55:microsoft-ds SYN_SENT
            TCP elearnsrvr:4523 192.120.241.86:microsoft-ds SYN_SENT
            TCP elearnsrvr:4524 129.24.211.107:microsoft-ds SYN_SENT
            TCP elearnsrvr:4525 cpc4-midd1-0-0-cust812.midd.cable.ntl.com:microsoft-ds SYN_SENT
            TCP elearnsrvr:4526 203.10.155.86:microsoft-ds SYN_SENT
            TCP elearnsrvr:4527 96.114.106.9:microsoft-ds SYN_SENT
            TCP elearnsrvr:4528 28.26.4.71:microsoft-ds SYN_SENT
            TCP elearnsrvr:4529 14.113.13.7:microsoft-ds SYN_SENT
            TCP elearnsrvr:4530 137.91.216.127:microsoft-ds SYN_SENT
            TCP elearnsrvr:4531 16.63.239.66:microsoft-ds SYN_SENT
            TCP elearnsrvr:4532 187.100.128.26:microsoft-ds SYN_SENT
            TCP elearnsrvr:4533 188.114.220.2:microsoft-ds SYN_SENT


            O people of expertise,
            any ideas?

            Thanks in advance for your help.


            • #7
              Re: wired SYN_SENT flood

              It looks to me that based on the large number of SYN_SENT entries on sequential port numbers that someone is running a port space probe against this server. What do you have for a firewall? Try disconnecting your internet connection at your router and see if the SYN_SENT entries go away. If they do then I would look into blocking address and port space probes at the firewall.



              • #8
                Re: wired SYN_SENT flood

                My thoughts are similar to Joe's.
                It could be a sign of a SYN flood.
                Basically, engineered SYN packets with no source address (or a forged one) are targeting your system. Some sort of DoS.
                If that's the case, look into this: http://www.securityfocus.com/infocus/1729

                Ta


                • #9
                  Re: wired SYN_SENT flood

                  L4ndy and joeqwerty,
                  Thanks for your helpful replies.
                  @joeqwerty: I cannot disconnect the internet connection now because I'm dealing with the server remotely. I'll do it when I'm near the server and see what happens when I disconnect. By the way, I'm using the Win2k3 built-in firewall; how can I block addresses and port space probes?
                  @L4ndy: I thought that my server is initiating those connections, as the entries say
                  TCP elearnsrvr:4533 188.114.220.2:microsoft-ds SYN_SENT
                  SYN_SENT, and all targeting different addresses with the same port.
                  What about the DNS resolution problem? Ping is not working, the web browser cannot look up the Microsoft website, and ClamWin and SysClean.com cannot update their databases, even though nslookup works very fine, as shown in the picture above.


                  • #10
                    Re: wired SYN_SENT flood

                    I can tell you without a doubt that the SYN_SENT connections are an inbound port space probe against the server. I can also tell you without a doubt that the Windows firewall does not protect against a port space probe, it only protects against actual connections. The port space probe that is occurring is not making any connections it's only scanning to determine what ports are open and "listening". I wouldn't wait too long to address it as you run the risk of the server being compromised.



                    • #11
                      Re: wired SYN_SENT flood

                      What about the DNS resolution problem? What do you think the problem is?


                      • #12
                        Re: wired SYN_SENT flood

                        It could be that the NIC on the server is overloaded by the SYN_SENT probe and it's affecting network communications. I would deal with the SYN_SENT issue first and then see where things are at. I hate to be an alarmist but someone is scanning your server and as soon as they build their list of open ports they are going to start trying to break in to the server. If this were happening to me I would drop everything else and tend to it immediately.



                        • #13
                          Re: wired SYN_SENT flood

                          You know, after looking at your netstat output again, here's what I'm thinking:

                          An inbound port scan would result in a large number of SYN_SENT connections from the same external ip address to a sequential list of port numbers on the server. What you have is a large number of SYN_SENT connections from a sequential list of ports on the server to different external ip addresses. Normally a port probe can be identified by a large number of SYN_SENT connections from the same external ip address but you have the opposite.

                          The foreign port listed is microsoft-ds, which is port 445 which is used for SMB (server message block) communications (NetBIOS).

                          I think the server is either already compromised and it's acting as a zombie to probe the external ip addresses or the server's network components are screwed up. Try disabling NetBIOS over TCP/IP on the properties of the server NIC and see if it stops. Also, check the DNS settings on the server again and make sure they're correct. Is this server a member of an AD domain?
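A defender-side check of the two points raised in #3 (map a PID to the services svchost hosts) and #13 (SYN_SENT sockets from one host to many foreign addresses on one port mean this host is sending the SYNs), as an added example that is not from the thread or any of its posters. It parses netstat -ano output, groups SYN_SENT sockets per PID, flags the outbound-sweep pattern, and looks the PID up in tasklist /svc output; the netstat and tasklist excerpts are constructed to resemble the thread's, and the min_targets threshold is an assumption.

```python
import re
from collections import defaultdict
# Constructed excerpts shaped like 'netstat -ano' and 'tasklist /svc' output (not the thread's).
NETSTAT_ANO = """\
  TCP    10.0.0.5:1666    210.79.233.40:445    SYN_SENT     940
  TCP    10.0.0.5:1667    62.52.220.6:445      SYN_SENT     940
  TCP    10.0.0.5:1668    24.58.54.44:445      SYN_SENT     940
  TCP    10.0.0.5:1669    75.117.17.79:445     SYN_SENT     940
  TCP    10.0.0.5:3306    10.0.0.5:1041        ESTABLISHED  1120
"""
TASKLIST_SVC = """\
svchost.exe    888 Dhcp, Dnscache
svchost.exe    940 AeLookupSvc, Browser, CryptSvc, lanmanserver,
                   lanmanworkstation, Schedule, winmgmt
mysqld-nt.exe 1120 N/A
"""
CONN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    # One dict per TCP line of 'netstat -ano'; headers and UDP lines (no state column) are skipped.
    conns = []
    for m in filter(None, map(CONN_RE.match, text.splitlines())):
        laddr, lport, faddr, fport, state, pid = m.groups()
        conns.append({"laddr": laddr, "lport": int(lport), "faddr": faddr,
                      "fport": fport, "state": state, "pid": int(pid)})
    return conns

def syn_sent_summary(conns, min_targets=3):
    # SYN_SENT is a SYN this host sent. A PID with SYN_SENT sockets to many distinct foreign
    # addresses on a single foreign port is sweeping outward, the pattern described in #13.
    by_pid = defaultdict(list)
    for c in conns:
        if c["state"] == "SYN_SENT":
            by_pid[c["pid"]].append(c)
    summary = {}
    for pid, lst in by_pid.items():
        targets = {c["faddr"] for c in lst}
        ports = sorted({c["fport"] for c in lst})
        summary[pid] = {"syn_sent": len(lst), "targets": len(targets), "foreign_ports": ports,
                        "outbound_sweep": len(targets) >= min_targets and len(ports) == 1}
    return summary

def services_for_pid(text, pid):
    # Map a PID to the services it hosts from 'tasklist /svc'. Header rows are skipped and
    # the indented continuation lines that long svchost entries wrap onto are re-joined.
    entries, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(None, 2)
        if line[0].isspace() and current is not None:
            entries[current] += " " + line.strip()
        elif len(parts) == 3 and parts[1].isdigit():
            current = int(parts[1])
            entries[current] = parts[2]
    names = entries.get(pid, "N/A")
    return [] if names == "N/A" else [s.strip() for s in names.split(",") if s.strip()]
```

Running the two commands on the server and feeding their output through these functions gives, per PID, the number of SYN_SENT sockets, how many distinct addresses they point at, and which services that PID hosts; a flagged svchost entry narrows the search to the services listed for it.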


                          • #14
                            Re: wired SYN_SENT flood

                            Thanks for your invaluable tips.
                            By the way, I rebooted the machine multiple times and the DNS resolution problem still exists.
                            I'm having this problem with some specific hosts, such as
                            *.microsoft.com
                            database.clamav.net, from which ClamWin updates its database
                            download.antivirus.com, from which SysClean.com updates its database
                            *.trendmicro.com
                            Please refer to http://www.trendmicro.com/download/dcs.asp for more info about the tool.
                            I made a cmd script (scheduled task) to grab updates for SysClean.com as follows, using GNU wget http://www.gnu.org/software/wget/
                            and WinRAR http://www.rarsoft.com/

                            pushd c:\SysClean
                            rem fetch the latest pattern files (second URL path abbreviated in the post)
                            wget ftp://download.antivirus.com/products/pattern/lpt*.zip
                            wget ftp://download.antivirus.com/product.../ssapiptn*.zip
                            ::winrar x *.zip
                            rem extract in background mode (-IBCK), overwriting existing files (-o+)
                            winrar x -IBCK -o+ *.zip
                            rem run the scan silently, then remove the downloaded pattern files
                            sysclean.com /FULLSILENT
                            del /F /Q lpt*.* ssap*.*
                            popd

                            I did an nmap test against my server
                            with the following options and arguments:
                            nmap -p1-5000 -T4 -sS xxx.xxx.xxx.xxx
                            I got the following result:
                            Starting Nmap 4.75 ( http://nmap.org ) at 2009-05-22 22:54 Central Europe Daylight Time
                            Interesting ports on xxx (xxx.xxx.xxx.xxx):
                            Not shown: 4992 filtered ports
                            PORT STATE SERVICE
                            21/tcp open ftp
                            25/tcp open smtp
                            80/tcp open http
                            110/tcp open pop3
                            143/tcp open imap
                            443/tcp closed https
                            3306/tcp open mysql
                            3389/tcp open ms-term-serv

                            Nmap done: 1 IP address (1 host up) scanned in 69.06 seconds


                            As a guru, do you think I'm in danger with those open ports?
                            I'm running both IIS6 and Apache as web servers,
                            PHP5, MySQL 5, Serv-U FTP 7.3.0.0, Moodle.org (LMS for e-learning, http://moodle.org) and hMailServer as services.
                            And what sort of firewalls do you recommend?
                            Thanks again.
                            Last edited by [email protected]; 22nd May 2009, 22:55.


                            • #15
                              Re: wired SYN_SENT flood

                              No, it's not an AD member; it's a standalone web server exposed to the internet with a real static IP address.
                              I already disabled NetBIOS on the 1st active NIC and File and Printer Sharing for Microsoft Networks.
                              I made an extra check of the DNS settings; all are correct. I'm using OpenDNS but I changed them multiple times to different name servers.