Hello All:
Don't know where else to post this so I am hoping someone here might have
some info. Early this afternoon, we noticed a spike in our bandwidth. A
closer look showed one of our web servers in the DMZ as the culprit. Looking
at the connections to this server, I found hundreds of connections to a
process ...schost.exe on port 1429 connecting to distant machines all
running mysql.
This is obviously some sort of worm or DOS launched from or against my box
and I am just trying to find some information on it. The server is running
windows 2000, IIS5.0, PHP4.83 ...is up to date on all patches and running
NAV CORP edition with latest Defs.
I need to find out how this worm got dropped and a little more information
on it and am coming up blank so far. Any information would be appreciated.
Thanks
|||
Are you absolutely sure it is "schost.exe"? My guess is that it is
"svchost.exe", so if you searched for information about "schost.exe", but it
is "svchost.exe", then you would not find anything useful.
If it is "svchost.exe", then search the technet for "svchost" to get a
general understanding of what it is.
"JS" <no@.spam.com> wrote in message
news:uSeMDbuIGHA.3176@.TK2MSFTNGP12.phx.gbl...
> Hello All:
> Don't know where else to post this so I am hoping someone here might have
> some info. Early this afternoon, we noticed a spike in our bandwidth. A
> closer look showed one of our web servers in the DMZ as the culprit. Looking
> at the connections to this server, I found hundreds of connections to a
> process ...schost.exe on port 1429 connecting to distant machines all
> running mysql.
> This is obviously some sort of worm or DOS launched from or against my box
> and I am just trying to find some information on it. The server is running
> windows 2000, IIS5.0, PHP4.83 ...is up to date on all patches and running
> NAV CORP edition with latest Defs.
> I need to find out how this worm got dropped and a little more information
> on it and am coming up blank so far. Any information would be appreciated.
> Thanks
>
|||
On Thu, 26 Jan 2006 21:09:51 -0500, "JS" <no@.spam.com> wrote:
in <uSeMDbuIGHA.3176@.TK2MSFTNGP12.phx.gbl>
>This is obviously some sort of worm or DOS launched from or against my box
>and I am just trying to find some information on it. The server is running
>windows 2000, IIS5.0, PHP4.83 ...is up to date on all patches and running
>NAV CORP edition with latest Defs.
There's your problem right there - NAV CORP.
Stefan Berglund
|||
And your experience/issues with NAV in an enterprise environment that led
you to this statement? I'd be very interested in hearing what your
experiences/suggestions are, but to bash a product without explanation is
of little value in resolving the issues contained in my post.
Thanks
"Stefan Berglund" <keepit@.in.thegroups> wrote in message
news:50okt1hmv8pkiv08p55srg3ebbo006t7df@.4ax.com...
> On Thu, 26 Jan 2006 21:09:51 -0500, "JS" <no@.spam.com> wrote:
> in <uSeMDbuIGHA.3176@.TK2MSFTNGP12.phx.gbl>
>
> There's your problem right there - NAV CORP.
> --
> Stefan Berglund
|||
yes
"Sam Hobbs" <samuel@.social.rr.com_change_social_to_socal> wrote in message
news:ejMm9axIGHA.2668@.tk2msftngp13.phx.gbl...
> Are you absolutely sure it is "schost.exe"? My guess is that it is
> "svchost.exe", so if you searched for information about "schost.exe", but
> it is "svchost.exe", then you would not find anything useful.
> If it is "svchost.exe", then search the technet for "svchost" to get a
> general understanding of what it is.
>
> "JS" <no@.spam.com> wrote in message
> news:uSeMDbuIGHA.3176@.TK2MSFTNGP12.phx.gbl...
>
|||
On Sat, 28 Jan 2006 07:19:38 -0500, "JS" <no@.spam.com> wrote:
in <eK0qdUAJGHA.3696@.TK2MSFTNGP15.phx.gbl>
>And your experience/issues with NAV in an enterprise environment that led
>you to this statement? I'd be very interested in hearing what your
>experiences/suggestions are, but to bash a product without explanation is
>of little value in resolving the issues contained in my post.
I gave you the answer to your problem based on my own personal experiences. It's
overly bloated with a large footprint. I removed it from all systems under my
control over five years ago after I watched an insidious trojan (Dark Angel) on
a client's box repeatedly disable NAV upon reboot. Both NAV and ZoneAlarm
firewall are worthless in my opinion.
I switched to AVG which runs alongside IIS and SQL Server with absolutely no
problems - not to mention the fact that AVG actually does the job it's intended
to do.
Stefan Berglund
|||
Then you probably did not search the internet for "schost". I did and got
plenty of results. Except for the ones about Éric Schost, all results I see
say that it is a trojan/virus. If that is what is in your system, then by
searching the internet, you could have found the many descriptions of it
faster than posting in a newsgroup.
"JS" <no@.spam.com> wrote in message
news:OAH3wUAJGHA.2320@.TK2MSFTNGP11.phx.gbl...
> yes
> "Sam Hobbs" <samuel@.social.rr.com_change_social_to_socal> wrote in message
> news:ejMm9axIGHA.2668@.tk2msftngp13.phx.gbl...
|||
What is your ^&** problem. Do you cruise newsgroups all day to rag on people.
Get a %&*^( life already. You don't like my posts, then by all
means...don't respond to them.. !!!!!
"Sam Hobbs" <samuel@.social.rr.com_change_social_to_socal> wrote in message
news:eHFWkYQJGHA.208@.tk2msftngp13.phx.gbl...
> Then you probably did not search the internet for "schost". I did and got
> plenty of results. Except for the ones about Éric Schost, all results I see
> say that it is a trojan/virus. If that is what is in your system, then by
> searching the internet, you could have found the many descriptions of it
> faster than posting in a newsgroup.
>
> "JS" <no@.spam.com> wrote in message
> news:OAH3wUAJGHA.2320@.TK2MSFTNGP11.phx.gbl...
>
|||
Up to now, we've had really no problem with NAV but I guess there is always
a first. I inherited this product from a previous admin and up to now, had
really no reason to think about changing av vendors.
Thanks for the input.
"Stefan Berglund" <keepit@.in.thegroups> wrote in message
news:83jnt15q51rnhqoa9nch8b5cqsjer9qrht@.4ax.com...
> On Sat, 28 Jan 2006 07:19:38 -0500, "JS" <no@.spam.com> wrote:
> in <eK0qdUAJGHA.3696@.TK2MSFTNGP15.phx.gbl>
>
> I gave you the answer to your problem based on my own personal experiences. It's
> overly bloated with a large footprint. I removed it from all systems under my
> control over five years ago after I watched an insidious trojan (Dark Angel) on
> a client's box repeatedly disable NAV upon reboot. Both NAV and ZoneAlarm
> firewall are worthless in my opinion.
> I switched to AVG which runs alongside IIS and SQL Server with absolutely no
> problems - not to mention the fact that AVG actually does the job it's intended
> to do.
> --
> Stefan Berglund
|||
When I set these up, it's always in multiple layers. Scanners for the
network, scanners at the firewall, scanners on all machines. Where
possible, I also don't use the same vendor at each level. The reason for
this is very simple. Each vendor has varying response times to a new virus
outbreak. By using different vendors, I'm hedging my bets on catching
everything.
Mike
http://www.solidqualitylearning.com
Disclaimer: This communication is an original work and represents my sole
views on the subject. It does not represent the views of any other person
or entity either by inference or direct reference.
"JS" <no@.spam.com> wrote in message
news:ewBm9DaJGHA.2912@.tk2msftngp13.phx.gbl...
> Up to now, we've had really no problem with NAV but I guess there is always
> a first. I inherited this product from a previous admin and up to now, had
> really no reason to think about changing av vendors.
> Thanks for the input.
>
>
> "Stefan Berglund" <keepit@.in.thegroups> wrote in message
> news:83jnt15q51rnhqoa9nch8b5cqsjer9qrht@.4ax.com...
>
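Added example, not part of any post in this thread: a triage script for the two observations discussed above, one process holding connections to many remote MySQL hosts and an executable named one character off "svchost.exe". The row layout, the system-name list, the threshold and remote port 3306 (MySQL's default) are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
# Assumption: a short list of real Windows system process names to compare against.
SYSTEM_NAMES = ("csrss.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe")
MYSQL_PORT = "3306"  # MySQL's default port, assumed to be the remote port seen

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the system name that `name` is exactly one edit away from, else None."""
    return next((s for s in SYSTEM_NAMES if edit_distance(name.lower(), s) == 1), None)

def triage(listing, fanout_threshold=20):
    """Flag processes by outbound fan-out to the MySQL port and by look-alike name."""
    remote_hosts = defaultdict(set)
    for line in listing.splitlines():
        fields = line.split()
        # Hypothetical row layout: process pid proto local remote state
        if len(fields) != 6 or fields[5] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        proc, pid, _proto, _local, remote, _state = fields
        host, _, port = remote.rpartition(":")
        if port == MYSQL_PORT:
            remote_hosts[(proc.lower(), int(pid))].add(host)
    findings = []
    for (proc, pid), hosts in sorted(remote_hosts.items()):
        reasons = []
        if len(hosts) >= fanout_threshold:
            reasons.append(f"{len(hosts)} distinct hosts on port {MYSQL_PORT}")
        like = lookalike_of(proc)
        if like:
            reasons.append(f"name resembles {like}")
        if reasons:
            findings.append((proc, pid, reasons))
    return findings

# Constructed sample rows (documentation address ranges), not data from the thread.
SAMPLE = "\n".join(
    [f"schost.exe 1188 TCP 192.0.2.10:{1429 + i} 203.0.113.{i + 1}:3306 SYN_SENT" for i in range(25)]
    + ["svchost.exe 412 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING",
       "inetinfo.exe 900 TCP 192.0.2.10:80 198.51.100.7:51522 ESTABLISHED",
       "php.exe 1520 TCP 192.0.2.10:1101 192.0.2.20:3306 ESTABLISHED"])
print(triage(SAMPLE))
```

The single php.exe connection to one database host is not flagged; only the combination of high fan-out and a near-miss name is reported.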