Many Connections from each Web Client
on 09.05.2007 05:26:00 by baboon
I was asked to take a look at an IIS Website running on Windows 2000 Server
because of reports of slowness. The site is for a small research group that
is part of the University I work for, and there typically aren't a lot of
clients connected at one time, so the server should be able to handle the
load.
When I run netstat -a I see that each client has many connections from
random ports to HTTP on the server (maybe 50 or more from each client). That
doesn't seem normal to me, but I am not sure. Also, when I run fport, I see
that there are many random ports being listened on by inetsrv.exe, which
also seems odd to me. The Webmaster uses ColdFusion to configure the
content, so that may play a role as well.
Can anyone confirm whether or not this seems normal? The server is running
SP 4 and appears to be up to date with patches, but IIS apparently was never
locked down, i.e. no URLScan, no IIS Lockdown, and a default installation.
Thanks.
Re: Many Connections from each Web Client
on 09.05.2007 07:47:09 by David Wang
I am not aware of any IIS/Windows file called inetsrv.exe.
Closest name for IIS is inetinfo.exe - there should only be one
instance, and it should listen to as many ports as there are unique
ports in IP:Port bindings in IIS configuration.
I think this server has been hacked. W2KSP4 is still vulnerable to
several worms unless the server has all security patches.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Many Connections from each Web Client
on 09.05.2007 15:06:50 by tompepper
Google indicates the file is most likely a trojan.
Tom
Re: Many Connections from each Web Client
on 09.05.2007 17:54:00 by baboon
Sorry, my mistake, inetinfo.exe. Here is a sample of what I mean:
1412 inetinfo -> 1409 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1410 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1423 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1424 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1430 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1433 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
(There are many more than this.)
I ran MBSA on the server and the patches are up to date, I also found that
IIS Lockdown Tool had been run, after all (that doesn't necessarily mean it's
truly locked down).
Thanks for the reply.
Re: Many Connections from each Web Client
on 09.05.2007 17:56:02 by baboon
"Tom Willett" wrote:
> Google indicates the file is most likely a trojan.
If you mean "inetsrv.exe", that was my mistake. I should have said
"inetinfo.exe".
Thanks.
Re: Many Connections from each Web Client
on 14.05.2007 10:12:47 by wjzhang
Hi,
In case inetinfo.exe is listening on random ports, have you enabled FTP
usage on the server? If so, in passive mode FTP, inetinfo.exe will open and
listen on ephemeral ports, which is expected behavior.
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679
Furthermore you can use some UI tools to check the port listening in
detail. If FTP is not enabled, inetinfo.exe should only be listening on the
TCP ports used by all web sites on the server.
TCPView for Windows v2.4
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
Active Ports
http://www.protect-me.com/freeware.html
Thanks.
Sincerely,
WenJun Zhang
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
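The check described in this reply and the fport listing posted earlier in the thread, as an added example that is not part of the original thread: it parses fport-style lines, then sorts each port inetinfo.exe listens on into "expected" (a configured site binding, or port 21 when FTP is on), "passive-ftp" (an ephemeral data port, only acceptable when FTP is enabled) or "suspicious". The sample lines are constructed, the site-port set and FTP flag are assumed to come from the administrator, and the 1025-5000 ephemeral range is the Windows 2000 default.

```python
import re

# Constructed fport-style output in the column layout shown in the thread.
# Ports 80 and 21 are the IIS bindings; 1409-1423 look like passive FTP data
# ports; 6667 is deliberately outside any expected set.
FPORT_SAMPLE = r"""
1412 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 21 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1409 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1410 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 1423 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1412 inetinfo -> 6667 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
"""

# "<pid> <process> -> <port> <proto> <path>"
FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+)$")

# Windows 2000 default ephemeral range (assumption: MaxUserPort not changed).
EPHEMERAL = range(1025, 5001)


def parse_fport(text):
    """Return (pid, process, port, proto, path) tuples for every parsable line."""
    rows = []
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path))
    return rows


def classify_ports(rows, site_ports, ftp_enabled):
    """Map each inetinfo listening port to expected / passive-ftp / suspicious."""
    verdict = {}
    for _pid, proc, port, _proto, _path in rows:
        if proc.lower() != "inetinfo":
            continue  # only the IIS process is under review here
        if port in site_ports or (ftp_enabled and port == 21):
            verdict[port] = "expected"
        elif ftp_enabled and port in EPHEMERAL:
            verdict[port] = "passive-ftp"
        else:
            verdict[port] = "suspicious"
    return verdict


def suspicious_ports(rows, site_ports, ftp_enabled):
    """Sorted list of inetinfo ports that no configured binding explains."""
    v = classify_ports(rows, site_ports, ftp_enabled)
    return sorted(p for p, kind in v.items() if kind == "suspicious")
```

With FTP disabled, every ephemeral listener becomes suspicious, which is exactly the case the reply above says should not occur on a web-only server.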
Re: Many Connections from each Web Client
on 18.05.2007 03:03:00 by baboon
Thanks very much; that answers my question.
FTP is enabled to our LAN only so that the Web designers can upload content.
I did not even think to consider that. Yes, we are using passive FTP, and
now that you mention it, I am aware that passive FTP needs those ephemeral
ports by nature.
Also, thanks for the links to the network diag tools.
Re: Many Connections from each Web Client
on 18.05.2007 11:44:26 by wjzhang
You are welcome.
Sincerely,
WenJun Zhang
Microsoft Online Community Support