From: Loschiavo, Dave (DLoschiavo FRCC.CC.CA.US)
Date: Tue Apr 03 2001 - 20:18:43 CDT
1. Not sure, but run a copy of a good AV scanner on the box and it should
point out any zombie files. Go to www.antivirus.com and use their on-line
scanner for a quick answer and then install a longer term solution.
2. Are you running APC UPS software? I think it uses these ports.
3. Many of the patches will install without rebooting if you use -z.
4. Sorry, no input on this one.
5. A quick search at TechNet should turn up what you're looking for.
http://search.support.microsoft.com/kb/c.asp
-----Original Message-----
From: Kyle Buehler
To: FOCUS-MS SECURITYFOCUS.COM
Sent: 4/2/01 11:09 AM
Subject: Windows 2000 Server Questions
So here's the situation. I'm the "New IT Guys". There have been 3
before me, and I'm working on a Windows 2000 Server that has been set up
via a tag team of consultants. I'm not a Microsoftie by nature, but I
deal with it here and there and in Advanced Windows 2000 at school.
*joke* Nonetheless, I'm getting into it. Anyway, here are some problems
that are confusing me at the current moment ...
1. I did a security audit against the server using Nessus and it came
back with ports 34555/udp, 27444/udp, 18753/udp, and 10498/tcp possibly
running Trin00, Trin00, Shaft, and mstream respectively. I ran a few
nmap scans against it and did not find the port open. netstat -an didn't
yield any info either. I thought at first it was just catching normal
traffic, but multiple scans have come out the same. Any idea what this
could be? McAfee is up to date and running full scans once a night, and
research shows that it should catch all the possible trojans.
2. Ports 6666 and 6667 are open also, but yield no warnings from
Nessus. I know we are not running an irc server, so is there any 2k
service that claims those ports? Again, netstat didn't show anything
useful.
In my scan I found that only SP1 had been applied and the server was
in desperate need of netbios-ssn hotfixes since I'm not quite sure
whether I have a cracker on my tail or not. I downloaded the required
patches and applied them individually.
3. Is there a way to apply the patches without having to reboot
every time? This is a server that takes 5-10 minutes for a full cycle.
Once I applied the patches I ran my scans again and the "problem" hadn't
been fixed. Am I doing something wrong just running them?
4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up on this,
except I can't find it in the directory shown, and that file doesn't
come up by name in a find. Does it have another alias or counterpart?
5. The server is running Exchange, and it allows open relaying which I
am kind of concerned about. Currently the consultant is the one working
the Exchange Setup ( I plan to remedy that eventually), but where can I
get some info on configuring something like that. Just looking at the
Server Manager really looks like he got it working, and didn't go any
farther than that.
Any help would be appreciated.
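
Added example, not part of either message: one way to cross-check the ports the scanner flagged in questions 1 and 2 against the server's own `netstat -an` output, so a remote finding can be compared with what the host reports as bound. The port list comes from the post; the netstat sample and the function names are constructed for illustration.

```python
import re

# (protocol, port) pairs named in the post, with the label the scanner gave.
FLAGGED = {
    ("udp", 34555): "Trin00",
    ("udp", 27444): "Trin00",
    ("udp", 18753): "Shaft",
    ("tcp", 10498): "mstream",
    ("tcp", 6666): "unexplained open port",
    ("tcp", 6667): "unexplained open port",
}

# One row of Windows `netstat -an`: proto, local addr:port, foreign, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

# Constructed sample output, not taken from the server in the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:6666      ESTABLISHED
  UDP    0.0.0.0:27444          *:*
"""

def bound_sockets(netstat_text):
    """Return {(proto, port)} for sockets the host itself reports as bound."""
    bound = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, _addr, port, _foreign, state = m.groups()
        proto = proto.lower()
        # UDP rows carry no state; for TCP only LISTENING means a local service.
        if proto == "udp" or (state or "").upper() == "LISTENING":
            bound.add((proto, int(port)))
    return bound

def cross_check(netstat_text):
    """Map each flagged (proto, port) to (label, bound_on_host)."""
    bound = bound_sockets(netstat_text)
    return {key: (label, key in bound) for key, label in FLAGGED.items()}

if __name__ == "__main__":
    for (proto, port), (label, seen) in sorted(cross_check(SAMPLE).items()):
        print(f"{port}/{proto:<3} {label:<22} bound on host: {seen}")
```

A flagged port that the host does not report as bound is not proof of a clean system, since `netstat` on a compromised machine can be made to hide sockets; it only tells you the two views disagree.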