From: VanMeter, John (John.VanMeterOST.DOT.GOV)
Date: Wed Apr 04 2001 - 06:04:08 CDT

    On item 4, those _vti directories I believe were created when the FrontPage
    server extensions are installed. Since you're running Exchange on the same
    system, are you running the Outlook Web Access? If you are then the odds are
    that you have IIS installed and someone installed the server extension on it
    too.

    v/r
    John van Meter

    -----Original Message-----
    From: Kyle Buehler [mailto:kyleGRNDZERO.ORG]
    Sent: Monday, April 02, 2001 2:09 PM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Windows 2000 Server Questions

     So here's the situation. I'm the "New IT Guys". There have been 3 before
    me, and I'm working on a Windows 2000 Server that has been set up via a
    tag team of consultants. I'm not a Microsoftie by nature, but I deal with it
    here and there and in Advanced Windows 2000 at school. *joke* Nonetheless,
    I'm getting into it. Anyway, here are some problems that are confusing me at
    the current moment ...

     1. I did a security audit against the server using Nessus and it came back
    with ports 34555/udp, 27444/udp, 18753/udp, and 10498/tcp possibly running
    Trin00, Trin00, Shaft, and mstream respectively. I ran a few nmap scans
    against it and did not find the port open. netstat -an didn't yield any info
    either. I thought at first it was just catching normal traffic, but
    multiple scans have come out the same. Any idea what this could be? McAfee
    is up to date and running full scans once a night, and research shows that
    it should catch all the possible trojans.

     2. Ports 6666 and 6667 are open also, but yield no warnings from Nessus. I
    know we are not running an IRC server, so is there any 2k service that claims
    those ports? Again, netstat didn't show anything useful.

      In my scan I found that only SP1 had been applied and the server was in
    desperate need of netbios-ssn hotfixes since I'm not quite sure whether I
    have a cracker on my tail or not. I downloaded the required patches and
    applied them individually.

     3. Is there a way to apply the patches without having to reboot every time?
    This is a server that takes 5-10 minutes for a full cycle. Once I applied
    the patches I ran my scans again and the "problem" hadn't been fixed. Am I
    doing something wrong just running them?

     4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up on this, except
    I can't find it in the directory shown, and that file doesn't come up by
    name in a find. Does it have another alias or counterpart?

     5. The server is running Exchange, and it allows open relaying, which I am
    kind of concerned about. Currently the consultant is the one working the
    Exchange Setup (I plan to remedy that eventually), but where can I get some
    info on configuring something like that? Just looking at the Server Manager
    really looks like he got it working, and didn't go any farther than that.

     Any help would be appreciated.
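
The cross-check described in items 1 and 2 of the quoted message (scanner-reported ports compared against `netstat -an` on the server itself), as an added example that is not part of the original thread. The netstat sample is constructed, and TCP is assumed for ports 6666 and 6667, which the post does not state.

```python
import re

# Ports named in the post (items 1 and 2) with the label Nessus gave each.
# Assumption: 6666 and 6667 are TCP; the post does not say.
REPORTED = [
    ("udp", 34555, "Trin00"),
    ("udp", 27444, "Trin00"),
    ("udp", 18753, "Shaft"),
    ("tcp", 10498, "mstream"),
    ("tcp", 6666, "unidentified"),
    ("tcp", 6667, "unidentified"),
]

# Constructed sample of `netstat -an` output; not taken from the poster's server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.20:6666      ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Proto, local address:port, foreign address, optional state (UDP rows have none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def local_listeners(netstat_text):
    """Return {(proto, port)} for bound local endpoints: TCP in LISTENING, any UDP."""
    bound = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, _addr, port, _foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            bound.add((proto.lower(), int(port)))
    return bound

def cross_check(reported, netstat_text):
    """Label each scanner-reported port by whether the host itself shows a listener."""
    bound = local_listeners(netstat_text)
    return {(proto, port): ("listener on host" if (proto, port) in bound
                            else "no listener on host")
            for proto, port, _label in reported}

if __name__ == "__main__":
    for (proto, port), verdict in cross_check(REPORTED, SAMPLE_NETSTAT).items():
        print(f"{port}/{proto}: {verdict}")
```

Only the local address column is matched, so a port number that appears solely as the remote end of an outbound connection (6666 in the sample) is not counted as a listener.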