
netstat -a question


stan

Apr 9, 2004, 9:33:28 PM
Hello All:

Running netstat -a on a web server and seeing

microsoft-ds with an external IP here. Is this indicative of a hack?? Or
at least someone querying directory services. If so, what port can they
utilize, netbios??

Thanks


Steven L Umbach

Apr 10, 2004, 8:31:23 AM
That would be port 445 used for file and print sharing [netstat -an will
show port numbers]. That does not sound good. You can use Computer
Management/shared folders - sessions to try to see where that address is
connecting. It is not a good idea to have file and print sharing enabled on
a web server, particularly on the adapter exposed to the internet, so you
may want to check that it is disabled and check your firewall settings to
make sure you are not exposing unneeded ports to the internet ideally by
scanning your network from the outside with something like Superscan or if
you can not do that right away use one of the self scan sites such as
http://scan.sygatetech.com/. Also enable auditing of logon events on that
server being sure to increase the size of the security log from default and
be sure to run the IIS Lockdown tool, but only after having a full backup
including the System State and saving your IIS configuration via the IIS
Management Console. --- Steve

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
http://www.microsoft.com/technet/security/prodtech/iis/default.mspx --- TechNet IIS security page



Terry Liu [MSFT]

Apr 12, 2004, 12:53:20 AM
Hi,

It seems like the (Microsoft-DS) is communicating with an external port.
Regarding the issue, I suggest you refer to the steps below:

1. Use netstat -a -n to confirm the IP and its ports.
2. Determine what the external IP is and contact your ISP for more
information.
3. Check your firewall settings and apply the newest critical updates from
Windows Update sites.
4. Check the event log to get more information.

Please take a look at http://www.iana.org/assignments/port-numbers

microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS

So, port 445 is SMB over IP (Microsoft-DS) 445/tcp, 445/udp. It is used by
DFS, Active Directory.

The Distributed File System (DFS) service manages logical volumes that are
distributed across a local area network (LAN) or wide area network (WAN)
and is required for the Microsoft Active Directory directory service SYSVOL
share. DFS is a distributed service that integrates disparate file shares
into a single logical namespace.

System service name: "Dfs"

+===================================+==========+======================+
| Application protocol              | Protocol | Ports                |
+===================================+==========+======================+
| NetBIOS Datagram Service          | UDP      | 138                  |
+===================================+==========+======================+
| NetBIOS Session Service           | TCP      | 139                  |
+===================================+==========+======================+
| LDAP Server                       | TCP      | 389                  |
+===================================+==========+======================+
| LDAP Server                       | UDP      | 389                  |
+===================================+==========+======================+
| SMB                               | TCP      | 445                  |
+===================================+==========+======================+
| RPC                               | TCP      | 135                  |
+===================================+==========+======================+
| Randomly allocated high TCP ports | TCP      | <random port number> |
+===================================+==========+======================+

I would like to offer you these suggestions:

1. Check the source of the public IP. Sometimes this can occur if one of
his internal clients dials in to the Internet and accesses the IIS server.

The following site is a good tool to check the source IP:
http://www.dns-tools.com/

2. Enable Firewall on the IIS server. Block the DS service port:

832017 Port Requirements for the Microsoft Windows Server System --
http://support.microsoft.com/?id=832017

In addition, 'SMB direct hosting' on port 445 can be disabled using the
following Registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled=0

3. Close all TCP/IP ports that are not required by following the steps.

Hope this addresses your concern.

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
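A scripted form of the netstat -an triage that both Steve and Terry recommend, added here as an example and not part of the thread: it parses Windows netstat -an output and reports non-listening TCP sessions on the ports from Terry's table (445, 139, 135) whose peer is not a private, loopback or link-local address. The sample output is constructed (RFC 5737 documentation addresses stand in for public ones), and the watch list and the set of non-public ranges are my assumptions.

```python
import ipaddress
import re

# Watched local TCP ports from Terry's table: SMB 445, NetBIOS session 139, RPC 135.
# UDP 138 carries no session state, so it cannot be triaged this way.
WATCH_PORTS = {445, 139, 135}

# Assumption: a peer outside these ranges is treated as external.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed sample of Windows "netstat -an" output, not a real capture;
# documentation-range addresses (RFC 5737) stand in for public ones.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         198.51.100.23:3491     ESTABLISHED
  TCP    192.0.2.10:139         10.0.0.5:1043          ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.9:52111      TIME_WAIT
  UDP    0.0.0.0:138            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")


def is_external(addr):
    """False for '*', unresolvable text, or private/loopback/link-local addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NON_PUBLIC)


def suspicious_sessions(netstat_output):
    """Return non-listening TCP sessions on a watched port whose peer is external."""
    hits = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local_ip, lport, rip, rport, state = m.groups()
        if proto != "TCP" or int(lport) not in WATCH_PORTS or state == "LISTENING":
            continue
        if is_external(rip):  # the port 80 row is skipped: not in the watch list
            hits.append({"local_port": int(lport), "peer": rip,
                         "peer_port": int(rport), "state": state})
    return hits
```

Feeding it real output (for example `netstat -an` piped through the script) gives the list of sessions worth matching against the Computer Management sessions view and the security log, as the thread suggests.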
