> I am still having strange trouble with the server now and again, and I have the Alerter service off. I did a virus scan, and there are no viruses.
>
> My server had CF 5 running on IIS, but also CFMX running on its built-in web server. I use that only for displaying graphs right now; it is not getting more than 100 page views per day on CFMX. It has been there for over a month. Once in a while it would stop serving up pages for no apparent reason (there is an ODBC error in the logs) and I would have to restart the 3 CFMX services, but the CF5 on IIS was never affected.
>
> After my last reboot, I noticed those graphs weren't being served up. I went to the Services applet and saw that the CFMX Application Server didn't start with the reboot. When I went to start the CFMX Application Server manually, the computer locked up. Also, the event log had hundreds of these messages, all from the same IP address, which I had never seen before:
>
> FTP Server could not create a client worker thread for user at host 210.222.219.126. The connection to this user is terminated. The data is the error. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
>
> Maybe it is a denial of service attack? That IP address is not mine. I do not have public FTP on my server, just a private FTP site.
OK. I don't think this problem has anything to do with the fact that you were getting Windows Messenger spam, specifically. However, the fact that you could receive this spam indicates that you have NetBIOS/TCP/IP or DirectHost open to the public internet, which is generally a very bad thing. So, it's not inconceivable that your machine has been compromised through some Windows Networking vulnerability. The fact that the FTP server is attempting to handle requests from the host address you mentioned indicates that maybe it's not as private as you think!

In general, without a further examination, here's what I'd recommend.

1. Copy your important files from the server (.cfm files, I suppose), and make sure they've not been tampered with.

2. Remove the server from the network.

3. Reformat the disks, reinstall the operating system, and apply whatever patches you want to apply (note that you'll have to have these patches on removable media, since you're not on the network).

4. Before returning the server to the network, either set up a firewall, or apply port filtering restrictions to your gateway router, or install a host-based firewall on your server, or use Windows' TCP/IP filtering and security functionality to limit ingress (and egress on Win2K) to specific, desirable ports. You can, of course, do more than one of these things, but do at least one of them. I've listed them in the order of desirability.

5. Return the server to the network.

I realize that's a lot of work, but if the server has been compromised, there's no other way to guarantee its security. Before doing this, you may want to examine the server to see if anything has been compromised, if you can.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
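Step 1 of the reply above ("make sure they've not been tampered with") is only practical if you have something to compare against: a manifest of hashes taken from a known-good copy of the site (a backup, a deployment package, or the files in source control), not from the possibly compromised server itself. The following is an added example, not code from the original post or from either poster. It builds a SHA-256 manifest of every .cfm file under a web root, stores it as JSON (the copy you would keep off the box, e.g. on the removable media mentioned in step 3), and later compares the live tree against it, reporting modified, added and removed files. The directory names, file names and contents in the demo are constructed for the illustration.

```python
"""Baseline-and-compare integrity check for a web root.

Added example (not from the original thread). Build a manifest of SHA-256
hashes from a known-good copy, then compare a suspect tree against it.
All paths and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, extensions=(".cfm",)):
    """Map each matching file (path relative to root, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(tuple(extensions)):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Report files whose hash changed, files not in the baseline, and files missing."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a small site, tamper with it, compare."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        os.makedirs(os.path.join(root, "graphs"))
        with open(os.path.join(root, "index.cfm"), "w") as f:
            f.write("<cfoutput>Hello</cfoutput>\n")
        with open(os.path.join(root, "graphs", "chart.cfm"), "w") as f:
            f.write("<cfchart></cfchart>\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("not a .cfm file, ignored by the manifest\n")

        # The baseline is what you would keep off the server.
        manifest_path = os.path.join(root, "baseline.json")
        save_manifest(build_manifest(root), manifest_path)

        # Simulated tampering: one file edited, one added, one removed.
        with open(os.path.join(root, "index.cfm"), "a") as f:
            f.write("<!--- appended content --->\n")
        with open(os.path.join(root, "unknown.cfm"), "w") as f:
            f.write("<cfoutput>unexpected</cfoutput>\n")
        os.remove(os.path.join(root, "graphs", "chart.cfm"))

        return compare(load_manifest(manifest_path), build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step against the trusted copy, not against the suspect server, and keep the JSON somewhere the server cannot write to. A clean comparison only tells you the application files match; it says nothing about the operating system, so it does not replace steps 2 and 3 of the reply.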
