
TCP Packet Flooding

Status
Not open for further replies.

Pronet

IS-IT--Management
Oct 7, 2002
19
US
On one of our Windows 2000 servers we are having a big problem with it sending out thousands of TCP packets every second and flooding the network.

This server has been running fine for about 18 months, then all of a sudden this started. Once we reboot it, it will run for anywhere between 45 minutes and 8 hours before it starts again.

I have run a virus scan and it did not detect a virus. I have used TCPView and have found that the process is starting for SYSTEM:8; when I try to query the process, TCPView responded "query not available".

All updates and service packs have been applied. I have checked for unusual services and checked the registry under "run" for anything that does not belong there. This flooding is shutting down our server and gateway router. The server is sending out the TCP packets to a wide range of public IP addresses. How do I stop the server from doing this if I do not know what worm or trojan horse is causing this? Please help!!
 
Hi!
I've had this before with a bad network card which was flooding the network with broadcasts.
Can you capture the packets which this server is sending and post a couple of them here? (Probably the easiest tool available is the Network Monitoring Tools which come with W2k, or you can have a look at Ethereal.)
If you have a spare network card you can try to disable or temporarily replace the one which is broadcasting.

NetoMeter



 
Our server is flooding our network by sending many TCP packets to public addresses. They are SYN_SENT packets that await an acknowledgment ("ack"). At times if you issue a netstat -an command you can see some of these IP addresses as being established to our server. The latest IP address that our server is communicating with is 66.66.66.66.
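As an added example (not code from this thread or from any of the posters), here is a small Python script that parses the kind of `netstat -an` output the poster refers to and summarises the half-open SYN_SENT connections to external addresses, the pattern described in the first two posts. The sample output, the 10.0.0.0/8 local addresses, the definition of "external" as anything outside RFC 1918, loopback and link-local space, and the threshold of five half-open external connections are all constructed assumptions for the example, not values from the thread.

```python
"""Parse Windows `netstat -an` text and flag an outbound SYN flood.

Added example; the sample below is constructed to resemble the symptom the
poster described (many SYN_SENT rows to a wide range of public addresses).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of `netstat -an` output on a Windows 2000 host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.10:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.10:1031         203.0.113.5:80         SYN_SENT
  TCP    10.0.0.10:1032         203.0.113.6:80         SYN_SENT
  TCP    10.0.0.10:1033         203.0.113.7:80         SYN_SENT
  TCP    10.0.0.10:1034         198.51.100.20:80       SYN_SENT
  TCP    10.0.0.10:1035         198.51.100.21:80       SYN_SENT
  TCP    10.0.0.10:1036         198.51.100.22:80       SYN_SENT
  TCP    10.0.0.10:1037         66.66.66.66:80         ESTABLISHED
  TCP    10.0.0.10:3389         10.0.0.44:1204         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

# Assumed definition of "internal": RFC 1918, loopback, link-local, unspecified.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        # Split on the last colon so the port is separated from the host part.
        row["remote_host"], _, row["remote_port"] = row["remote"].rpartition(":")
        rows.append(row)
    return rows


def is_external(host):
    """True for a routable address outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' placeholders or unresolved names
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(rows, syn_threshold=5):
    """Summarise half-open outbound connections and decide if a flood is likely."""
    syn_sent = [r for r in rows if r["proto"] == "TCP" and r["state"] == "SYN_SENT"]
    external = [r for r in syn_sent if is_external(r["remote_host"])]
    hosts = Counter(r["remote_host"] for r in external)
    ports = Counter(r["remote_port"] for r in external)
    established = sorted({
        r["remote_host"] for r in rows
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
        and is_external(r["remote_host"])
    })
    return {
        "syn_sent_total": len(syn_sent),
        "external_syn_sent": len(external),
        "distinct_external_hosts": len(hosts),
        # A single destination port across many hosts suggests scanning/worm traffic.
        "top_remote_port": ports.most_common(1)[0][0] if ports else None,
        "established_external": established,
        "flood_suspected": len(external) >= syn_threshold,
    }


if __name__ == "__main__":
    summary = analyze(parse_netstat(SAMPLE_NETSTAT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real snapshot by piping `netstat -an` into a file and reading that file instead of `SAMPLE_NETSTAT`. The script shows how many half-open connections exist and where they go, but it cannot name the owning process: `netstat` on Windows 2000 has no process-ID option, which is why the poster turned to TCPView for that part.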
 
I had this issue before with Veritas BE ver 9 and a Cisco 1702 router; that's why I'm still on 8.6 :(
 
The address in question is from Road Runner in Virginia, which has caused me much grief in the past from hijacking. It sounds like the system is a robot and is being used. I would strongly suggest you take it offline and use a different antivirus program to scan the system. While the net card may still be a problem, the fact that it uses a specific address smells of a trojan infection or a spyware infection.

I would install and run CWShredder.exe, then SpyBot Search and Destroy, then AdAware software, in that order, to scan your systems to see what spyware garbage is on the system. You can find all these free programs by using Google to find the CWShredder and SpyBot S&D web sites. AdAware is available free from (note: it is .de, NOT .com). Make sure you get the latest version of all three tools. SpyBot S&D, with the latest update, finds over 15,000 items to check.

Let us know what you find.

HTH

David
 
Found wintask.exe in the registry with Trojan Remover. Hope this is the problem. Will know by tomorrow. Thanks for all the help.
 