Too many requests

14/01/2008 - 17:49 by Joshua
Hello everyone, let me share my concern.

A few days ago my internet service provider blocked my service, claiming that one of my machines had a virus, since apparently that server (Windows 2000 Server) is sending too many requests to the network. I monitored it with netstat -a at a 15-second interval and I notice that there are N ports my server is using, and I would like to think that several of them should not be active.

I would like to ask your opinion on this matter, and to that end I am sending you what that command produced once run.

Regards.


Conexiones activas

Proto Dirección local Dirección remota Estado
TCP MYSERVER:kerberos-sec MYSERVER:0 LISTENING
TCP MYSERVER:epmap MYSERVER:0 LISTENING
TCP MYSERVER:ldap MYSERVER:0 LISTENING
TCP MYSERVER:microsoft-ds MYSERVER:0 LISTENING
TCP MYSERVER:464 MYSERVER:0 LISTENING
TCP MYSERVER:593 MYSERVER:0 LISTENING
TCP MYSERVER:ldaps MYSERVER:0 LISTENING
TCP MYSERVER:1026 MYSERVER:0 LISTENING
TCP MYSERVER:1029 MYSERVER:0 LISTENING
TCP MYSERVER:1041 MYSERVER:0 LISTENING
TCP MYSERVER:1042 MYSERVER:0 LISTENING
TCP MYSERVER:1048 MYSERVER:0 LISTENING
TCP MYSERVER:1060 MYSERVER:0 LISTENING
TCP MYSERVER:3268 MYSERVER:0 LISTENING
TCP MYSERVER:3269 MYSERVER:0 LISTENING
TCP MYSERVER:ldap MYSERVER:1293 ESTABLISHED
TCP MYSERVER:microsoft-ds MYSERVER:1031 ESTABLISHED
TCP MYSERVER:1031 MYSERVER:microsoft-ds ESTABLISHED
TCP MYSERVER:1293 MYSERVER:ldap ESTABLISHED
TCP MYSERVER:netbios-ssn MYSERVER:0 LISTENING
TCP MYSERVER:netbios-ssn ALMACENPC:1044 ESTABLISHED
TCP MYSERVER:ldap MYSERVER:1044 ESTABLISHED
TCP MYSERVER:ldap MYSERVER:2574 TIME_WAIT
TCP MYSERVER:ldap MYSERVER:2600 ESTABLISHED
TCP MYSERVER:ldap MYSERVER:2654 TIME_WAIT
TCP MYSERVER:ldap MYSERVER:2655 TIME_WAIT
TCP MYSERVER:ldap MYSERVER:2848 TIME_WAIT
TCP MYSERVER:1044 MYSERVER:ldap ESTABLISHED
TCP MYSERVER:2600 MYSERVER:ldap ESTABLISHED
TCP MYSERVER:2683 MYSERVER:epmap TIME_WAIT
TCP MYSERVER:2684 MYSERVER:1026 TIME_WAIT
TCP MYSERVER:2685 MYSERVER:epmap TIME_WAIT
TCP MYSERVER:2686 MYSERVER:1026 TIME_WAIT
TCP MYSERVER:2842 MYSERVER:epmap TIME_WAIT
TCP MYSERVER:2844 MYSERVER:1026 TIME_WAIT
TCP MYSERVER:2964 MYSERVER:ldap CLOSE_WAIT
TCP MYSERVER:2968 MYSERVER:ldap CLOSE_WAIT
UDP MYSERVER:epmap *:*
UDP MYSERVER:microsoft-ds *:*
UDP MYSERVER:1028 *:*
UDP MYSERVER:1038 *:*
UDP MYSERVER:1043 *:*
UDP MYSERVER:1047 *:*
UDP MYSERVER:1062 *:*
UDP MYSERVER:2026 *:*
UDP MYSERVER:2847 *:*
UDP MYSERVER:2959 *:*
UDP MYSERVER:2963 *:*
UDP MYSERVER:11050 *:*
UDP MYSERVER:kerberos-sec *:*
UDP MYSERVER:ntp *:*
UDP MYSERVER:netbios-ns *:*
UDP MYSERVER:netbios-dgm *:*
UDP MYSERVER:389 *:*
UDP MYSERVER:464 *:*
UDP MYSERVER:isakmp *:*
UDP MYSERVER:4500 *:*



#1 Diego Uribe
14/01/2008 - 21:46
Nothing looks excessively strange.

Download a program called TCPVIEW and you can see the same information with the process name, in a graphical, sortable form that refreshes every few seconds.

As I say, nothing looks strange.

Do you have an active firewall?

There are two possibilities...

1. Your server has a zombie, worm, rabbit, bot, virus or similar software that is sending too many requests to one or many sites.

2. If you don't have a firewall, given that LDAP is open, it may be under attack.

The suggestions are:

1. Run programs such as antivirus and antispyware.
2. Install a firewall and allow only what needs to go out.
3. Ask the internet provider (ISP) whether they can send you a copy of the log they rely on to tell you this.
4. Check that you don't have P2P programs installed that go out over that connection.
5. On the card that has the internet connection, make sure you disable NetBIOS.

I await your reply to see what happened. Let's also hope that this brief security lesson helps.

Regards

Diego Uribe






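An added triage script (not from the thread or either poster) that parses `netstat -a` output in the layout Joshua posted and checks every bound socket against an assumed Windows 2000 domain-controller baseline, which is the check behind "nothing looks strange" and "LDAP is open". The baseline port sets and the 1024 to 5000 dynamic RPC range are my assumptions, and the sample listing is constructed, not the real one.

```python
"""Triage of Windows `netstat -a` output against a domain-controller baseline."""
import re
from collections import Counter

# Constructed sample in the layout of the thread's listing (not the real one).
# Windows prints service names from its services file; SERVICE_PORTS maps them back.
SAMPLE_NETSTAT = """\
Conexiones activas

Proto Dirección local Dirección remota Estado
TCP MYSERVER:kerberos-sec MYSERVER:0 LISTENING
TCP MYSERVER:epmap MYSERVER:0 LISTENING
TCP MYSERVER:ldap MYSERVER:0 LISTENING
TCP MYSERVER:microsoft-ds MYSERVER:0 LISTENING
TCP MYSERVER:1026 MYSERVER:0 LISTENING
TCP MYSERVER:3268 MYSERVER:0 LISTENING
TCP MYSERVER:8080 MYSERVER:0 LISTENING
TCP MYSERVER:ldap MYSERVER:1293 ESTABLISHED
TCP MYSERVER:1293 MYSERVER:ldap ESTABLISHED
TCP MYSERVER:netbios-ssn ALMACENPC:1044 ESTABLISHED
TCP MYSERVER:ldap MYSERVER:2574 TIME_WAIT
TCP MYSERVER:2964 MYSERVER:ldap CLOSE_WAIT
TCP MYSERVER:1305 EXTHOST:80 SYN_SENT
UDP MYSERVER:ntp *:*
UDP MYSERVER:netbios-ns *:*
"""

SERVICE_PORTS = {"http": 80, "kerberos-sec": 88, "ntp": 123, "epmap": 135,
                 "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
                 "ldap": 389, "microsoft-ds": 445, "isakmp": 500, "ldaps": 636}

# Assumed baseline: ports a Windows 2000 domain controller serves by design.
DC_BASELINE = {
    "tcp": {88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269},
    "udp": {88, 123, 135, 137, 138, 389, 445, 464, 500, 4500},
}
# Assumed default dynamic RPC range on Windows 2000 (endpoints handed out by epmap).
DYNAMIC_RPC = range(1024, 5001)

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?$")


def port_of(token):
    """'ldap' -> 389, '1293' -> 1293, '*' -> None (unknown names raise)."""
    if token == "*":
        return None
    if token.isdigit():
        return int(token)
    if token not in SERVICE_PORTS:
        raise ValueError(f"unknown service name: {token}")
    return SERVICE_PORTS[token]


def parse_netstat(text):
    """One dict per socket line; banner and column-title lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        conns.append({"proto": proto.lower(), "local_host": lhost,
                      "local_port": port_of(lport), "remote_host": rhost,
                      "remote_port": port_of(rport), "state": state})
    return conns


def classify_listeners(conns):
    """Label every bound socket as baseline, dynamic-rpc or UNEXPECTED."""
    labels = {}
    for c in conns:
        bound = c["proto"] == "udp" or c["state"] == "LISTENING"
        if not bound:
            continue
        port = c["local_port"]
        if port in DC_BASELINE[c["proto"]]:
            label = "baseline"
        elif port in DYNAMIC_RPC:
            label = "dynamic-rpc"
        else:
            label = "UNEXPECTED"
        labels[(c["proto"], port)] = label
    return labels


def unexpected_listeners(conns):
    return sorted(k for k, v in classify_listeners(conns).items() if v == "UNEXPECTED")


def outbound_peers(conns):
    """Connections the server itself opened to other hosts (ephemeral local port,
    service port remote, not loopback): the 'requests to the network' an ISP counts."""
    peers = Counter()
    for c in conns:
        if c["proto"] != "tcp" or c["state"] == "LISTENING":
            continue
        if c["remote_host"] == c["local_host"]:
            continue
        if c["local_port"] in DYNAMIC_RPC and c["remote_port"] not in DYNAMIC_RPC:
            peers[(c["remote_host"], c["remote_port"], c["state"])] += 1
    return peers


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for key, label in sorted(classify_listeners(conns).items()):
        print(f"{key[0]}/{key[1]:<5} {label}")
    print("outbound:", dict(outbound_peers(conns)))
```

Run against the real listing, every listener in the thread falls into baseline or dynamic-rpc and every non-listening socket is loopback or from ALMACENPC, which is the quantitative version of the reply above.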
#2 Joshua
17/01/2008 - 17:46
Thanks Diego for your comments. I can tell you that I do have an active firewall, which is the one on the 2wire DSL modem from Telmex Infinitum.

I scanned the server in case it was infected by some virus or any other unwanted software and it didn't find much (I use NOD32); I also ran a program to look for spyware (Lavasoft) and, apart from cookies, which it detects as spyware, there is nothing else.

And well, regarding the log my provider could send me, they told me I could see it directly on the modem, so here I put it in case it is of any use:



Regards and thanks again!





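An added example (not from the thread or either poster) that parses a session table in the 2wire modem's record format Joshua quoted and summarises it per LAN host: session count, packets, distinct peers, and hosts that fan out many parallel sessions to one service port, which is the quickest way to test the ISP's "too many requests" claim and see which machine behind the NAT is responsible. The sample records are constructed with private and documentation addresses, not the thread's real ones.

```python
"""Per-host summary of a 2wire-style NAT session table."""
import re
from collections import defaultdict

# Constructed sample in the record layout of the thread's modem dump; addresses
# are private/documentation ranges, not the ones from the thread.
SAMPLE_LOG = """\
sess[25462]: bkt 9, flags: 0x000001a1, proto: 6, cnt: 7
l: 192.168.1.11:1207, f: 198.51.100.10:80, n: 203.0.113.5:1207
lnd: (51,0), fnd: (44,0)
last used 136841, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 878658983, sent: 1, unack'd 1, mss 0, windows_scale 0
TCP OUT: is: 1261275760, sent: 1, unack'd 0, mss 0, windows_scale 0
sess[31491]: bkt 18, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.100:3175, f: 198.51.100.53:53, n: 203.0.113.5:3175
lnd: (51,0), fnd: (44,0)
last used 146420, max_idle: 600
sess[31487]: bkt 20, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.100:3169, f: 198.51.100.53:53, n: 203.0.113.5:3169
lnd: (51,0), fnd: (44,0)
last used 146345, max_idle: 600
sess[30803]: bkt 45, flags: 0x000001a1, proto: 17, cnt: 112
l: 192.168.1.14:1104, f: 198.51.100.53:53, n: 203.0.113.5:1104
lnd: (51,0), fnd: (44,0)
last used 146153, max_idle: 600
"""

HEADER_RE = re.compile(r"sess\[(\d+)\]: bkt \d+, flags: (0x[0-9a-fA-F]+), proto: (\d+), cnt: (\d+)")
ENDPOINT_RE = re.compile(r"l: ([\d.]+):(\d+), f: ([\d.]+):(\d+), n: ([\d.]+):(\d+)")
IDLE_RE = re.compile(r"last used (\d+), max_idle: (\d+)")
STATE_RE = re.compile(r"TCP state (\w+)")
OUT_RE = re.compile(r"TCP OUT: is: \d+, sent: (\d+)")
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_sessions(text):
    """One dict per sess[] record; the lines below each header are folded in."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "flags": int(m.group(2), 16),
                   "proto": PROTO_NAMES.get(int(m.group(3)), m.group(3)),
                   "packets": int(m.group(4)), "state": None, "out_sent": 0}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # text before the first record
        if m := ENDPOINT_RE.match(line):
            cur["lan_ip"], cur["lan_port"] = m.group(1), int(m.group(2))
            cur["far_ip"], cur["far_port"] = m.group(3), int(m.group(4))
            cur["nat_ip"], cur["nat_port"] = m.group(5), int(m.group(6))
        elif m := IDLE_RE.match(line):
            cur["last_used"], cur["max_idle"] = int(m.group(1)), int(m.group(2))
        elif m := STATE_RE.match(line):
            cur["state"] = m.group(1)
        elif m := OUT_RE.match(line):
            cur["out_sent"] = int(m.group(1))
    return sessions


def per_host_summary(sessions):
    """Sessions, packets and distinct peers / service ports per LAN host."""
    acc = defaultdict(lambda: {"sessions": 0, "packets": 0, "peers": set(), "ports": set()})
    for s in sessions:
        h = acc[s["lan_ip"]]
        h["sessions"] += 1
        h["packets"] += s["packets"]
        h["peers"].add(s["far_ip"])
        h["ports"].add((s["proto"], s["far_port"]))
    return {ip: {"sessions": h["sessions"], "packets": h["packets"],
                 "peers": len(h["peers"]), "ports": len(h["ports"])}
            for ip, h in acc.items()}


def top_talkers(sessions, n=3):
    """LAN hosts ordered by the packet count the modem attributed to them."""
    summary = per_host_summary(sessions)
    return sorted(summary.items(), key=lambda kv: kv[1]["packets"], reverse=True)[:n]


def fan_out(sessions, min_sessions=2):
    """(lan_ip, proto, far_port) with at least min_sessions parallel sessions:
    one host opening many sessions to one service is the 'too many requests'
    pattern an ISP would report."""
    counts = defaultdict(int)
    for s in sessions:
        counts[(s["lan_ip"], s["proto"], s["far_port"])] += 1
    return {k: v for k, v in counts.items() if v >= min_sessions}


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for ip, info in top_talkers(sess):
        print(ip, info)
    for (ip, proto, port), n in fan_out(sess).items():
        print(f"{ip}: {n} {proto} sessions to port {port}")
```

Note that the table only shows sessions the modem still holds, so a burst that already aged out of the NAT table (max_idle is 600 s for UDP here) will not appear; compare the per-host totals against the ISP's timestamps before concluding which machine was responsible.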
#3 Diego Uribe
25/01/2008 - 15:30
Change provider.

You don't have a virus or anything.
Unless the block has stopped the attack!


last used 146347, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 444056200, sent: 13, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 4044701604, sent: 8754, unack'd 0, mss 0, windows_scale 0
sess[31493]: bkt 53, flags: 0x00000190, proto: 17, cnt: 2
l: 189.145.71.70:50637, f: 200.33.146.161:53, n: 189.145.71.70:50637
lnd: (0,0), fnd: (44,0)
last used 146458, max_idle: 600
sess[31473]: bkt 58, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.100:3151, f: 200.33.146.193:53, n: 189.145.71.70:3151
lnd: (51,0), fnd: (44,0)
last used 146233, max_idle: 600
sess[31472]: bkt 59, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.100:3150, f: 200.33.146.193:53, n: 189.145.71.70:3150
lnd: (51,0), fnd: (44,0)
last used 146233, max_idle: 600
sess[31471]: bkt 60, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.100:3145, f: 200.33.146.193:53, n: 189.145.71.70:3145
lnd: (51,0), fnd: (44,0)
last used 146225, max_idle: 600
sess[28817]: bkt 61, flags: 0x000001a1, proto: 6, cnt: 33
l: 192.168.1.1:1126, f: 200.67.193.178:443, n: 189.145.71.70:1126
lnd: (51,0), fnd: (44,0)
last used 146324, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 1529363413, sent: 61, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 418762174, sent: 232, unack'd 0, mss 0, windows_scale 0
sess[31470]: bkt 61, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.100:3144, f: 200.33.146.193:53, n: 189.145.71.70:3144
lnd: (51,0), fnd: (44,0)
last used 146225, max_idle: 600
sess[13113]: bkt 66, flags: 0x000001a1, proto: 6, cnt: 15
l: 192.168.1.7:1554, f: 189.180.5.212:2360, n: 189.145.71.70:1554
lnd: (51,0), fnd: (44,0)
last used 80052, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 1927444110, sent: 61, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 1405850903, sent: 53, unack'd 0, mss 0, windows_scale 0
sess[24752]: bkt 68, flags: 0x000001a1, proto: 6, cnt: 2
l: 192.168.1.12:1049, f: 148.243.168.47:80, n: 189.145.71.70:1049
lnd: (51,0), fnd: (44,0)
last used 135826, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 2482657704, sent: 1, unack'd 1, mss 0, windows_scale 0
TCP OUT: is: 2190273841, sent: 1, unack'd 0, mss 0, windows_scale 0
sess[31460]: bkt 80, flags: 0x000001a1, proto: 17, cnt: 6
l: 192.168.1.6:1069, f: 200.33.146.201:53, n: 189.145.71.70:1069
lnd: (51,0), fnd: (44,0)
last used 146474, max_idle: 600
sess[27919]: bkt 86, flags: 0x000001a1, proto: 6, cnt: 50
l: 192.168.1.7:1037, f: 200.67.193.178:443, n: 189.145.71.70:1037
lnd: (51,0), fnd: (44,0)
last used 146324, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 4197381127, sent: 61, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 3524313264, sent: 9053, unack'd 0, mss 0, windows_scale 0
sess[31521]: bkt 104, flags: 0x000001a1, proto: 6, cnt: 10
l: 192.168.1.20:1330, f: 200.67.193.178:443, n: 189.145.71.70:1330
lnd: (51,0), fnd: (44,0)
last used 146537, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 510412075, sent: 13, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 155211006, sent: 3599, unack'd 0, mss 0, windows_scale 0
sess[31256]: bkt 112, flags: 0x000001a1, proto: 6, cnt: 17
l: 192.168.1.20:1322, f: 200.67.193.178:443, n: 189.145.71.70:1322
lnd: (51,0), fnd: (44,0)
last used 146537, max_idle: 15
TCP state CLOSED
TCP IN: is: 2180670025, sent: 19, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 3345836365, sent: 3600, unack'd 0, mss 0, windows_scale 0
sess[12347]: bkt 120, flags: 0x000001a1, proto: 6, cnt: 15
l: 192.168.1.20:1314, f: 200.67.193.178:443, n: 189.145.71.70:1314
lnd: (51,0), fnd: (44,0)
last used 72763, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 938085974, sent: 13, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 2747073795, sent: 3599, unack'd 0, mss 0, windows_scale 0
sess[31281]: bkt 120, flags: 0x000001a1, proto: 17, cnt: 4
l: 192.168.1.3:1029, f: 200.33.146.193:53, n: 189.145.71.70:49531
lnd: (51,0), fnd: (44,0)
last used 146134, max_idle: 600
sess[12062]: bkt 121, flags: 0x000001a1, proto: 6, cnt: 22
l: 192.168.1.100:3881, f: 200.67.193.178:443, n: 189.145.71.70:3881
lnd: (51,0), fnd: (44,0)
last used 72551, max_idle: 86400
TCP state ESTABLISHED
TCP IN: is: 88711989, sent: 13, unack'd 0, mss 0, windows_scale 0
TCP OUT: is: 1576143203, sent: 8750, unack'd 0, mss 0, windows_scale 0
sess[31489]: bkt 121, flags: 0x000001a1, proto: 17, cnt: 2
l: 192.168.1.45:1028, f: 200.33.146.201:53, n: 189.145.71.70:1028
lnd: (51,0), fnd: (44,0)
last used 146347, max_idle: 600


Regards and thanks again!




From: "Diego Uribe"
Newsgroups: microsoft.public.es.windows.server.redes
Sent: Monday, January 14, 2008 2:46 PM
Subject: Re: Too many requests


Nothing looks excessively strange.

Download a program called TCPVIEW; it shows the same information with the
process name, graphically and sortable, and it refreshes every few seconds.

As I say, nothing looks strange.

Do you have an active firewall?

You have two possibilities...

1. Your server has a zombie, worm, rabbit, robot, virus or similar software
that is sending too many requests to one or many sites.

2. If you have no firewall, and seeing that LDAP is open, it is being
attacked.

The suggestions are:

1. Run programs such as antivirus and antispyware.
2. Install a firewall and allow only what needs to go out.
3. Ask the Internet service provider (ISP) whether they will send you a copy
of the log they are relying on to tell you this.
4. Check that you do not have P2P programs installed that go out through
that connection.
5. On the card that has the Internet connection, make sure to disable
NetBIOS.

I await your reply to see what happened. Let's hope too that something can
be done with this brief security lesson.

Regards

Diego Uribe





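An added example, not code from the thread, that applies Diego's two checks to `netstat -a` output in the format Joshua posted: it lists the LAN-only domain-controller services that are listening (candidates to firewall, and NetBIOS to disable on the Internet-facing adapter) and counts TCP sessions per remote host to spot the "too many requests" the ISP complained about. The sample lines, the LAN-only service set and the threshold of five sessions per remote host are constructed assumptions.

```python
# Added example: summarise Windows `netstat -a` output (names as netstat
# prints them, e.g. "TCP MYSERVER:ldap MYSERVER:0 LISTENING").
import re
from collections import Counter

# Assumed set of services that belong on the LAN only (service names and the
# numeric ports netstat shows for some of them on a domain controller).
LAN_ONLY = {"ldap", "ldaps", "389", "636", "3268", "3269", "microsoft-ds",
            "445", "netbios-ssn", "netbios-ns", "netbios-dgm", "epmap",
            "kerberos-sec", "88"}

# proto, local host:port, remote host:port, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state).
    Header, title and blank lines do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, lh, lp, rh, rp, state = m.groups()
            yield proto, lh, lp, rh, rp, state or ""

def summarise(text, max_per_remote=5):
    """Return (sorted LAN-only listeners, {remote_host: n}) where n is the
    number of TCP sessions to that host when it exceeds max_per_remote
    (assumed threshold; tune it to the server's normal traffic)."""
    exposed, per_remote = set(), Counter()
    for proto, lh, lp, rh, rp, state in parse(text):
        listening = state == "LISTENING" or (proto == "UDP" and rh == "*")
        if listening:
            if lp in LAN_ONLY:
                exposed.add(f"{proto}/{lp}")
        elif proto == "TCP" and rh != lh:      # skip loopback sessions
            per_remote[rh] += 1
    noisy = {h: n for h, n in per_remote.items() if n > max_per_remote}
    return sorted(exposed), noisy

# Constructed sample in the posted format; 203.0.113.9 is a documentation address.
SAMPLE = "\n".join(
    ["Conexiones activas", "", "Proto Direccion local Direccion remota Estado",
     "TCP MYSERVER:ldap MYSERVER:0 LISTENING",
     "TCP MYSERVER:netbios-ssn MYSERVER:0 LISTENING",
     "TCP MYSERVER:http MYSERVER:0 LISTENING",
     "TCP MYSERVER:ldap MYSERVER:1293 ESTABLISHED",
     "TCP MYSERVER:netbios-ssn ALMACENPC:1044 ESTABLISHED"]
    + [f"TCP MYSERVER:{3170 + i} 203.0.113.9:80 SYN_SENT" for i in range(6)]
    + ["UDP MYSERVER:netbios-ns *:*", "UDP MYSERVER:ntp *:*"])

if __name__ == "__main__":
    exposed, noisy = summarise(SAMPLE)
    print("LAN-only services listening:", ", ".join(exposed))
    print("remote hosts with many TCP sessions:", noisy)
```

Feed it the saved output of `netstat -a` (or `netstat -an` for numeric ports) taken at the intervals the original post describes; a remote host that keeps appearing in the second result is the one to look up and block.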





