I have SBS 2k setup with a 2-NIC setup (perm connection via a T1.) I am running Trend's OfficeScan.

Starting this Monday, with all clients powered off, everything is fine. With some XP clients started, the server is way bogged down: web surfing via the proxy is slow, connection to NT Shares slow, Outlook on clients slow, even circling the mouse on the actual server hangs up like it's at 100% utilization. I only have about 10 clients.

But, no resources are being constrained. Plenty of mem free, CPU% at about 10-20%. No disk queueing.

Only clue I have is that a couple of the XP clients (as seen with Netmon on the server) are doing continuous ICMPs to addresses in incrementing order (i.e. 207.100.25.101, 207.101.25.102, 207.100.245.103, etc.). Seems very strange. One PC will do this, even with all (apparent) apps off and mappings off.

NOTE: Addresses given in example are fake. The addresses the PCs are going after do not resolve with NSlookup.

Do I have a virus problem that OfficeScan is not picking up? Do I have a worm or SpyWare?

The network is basically useless when all the people are on. . . . . Help!
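The symptom reported in the post above (a client sending ICMP to addresses in incrementing order) can be checked for mechanically. The following is an added example, not part of the original thread: it assumes capture records exported as comma-separated time, source, destination, protocol lines (an assumed layout, not Netmon's own export format), uses constructed addresses, and treats a run of 5 consecutive destinations as suspicious (an assumed threshold).

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records (time, source, destination, protocol); not from the thread.
SAMPLE = """\
20:01:00.10,192.168.16.21,198.51.100.101,ICMP
20:01:00.12,192.168.16.21,198.51.100.102,ICMP
20:01:00.13,192.168.16.30,192.168.16.2,TCP
20:01:00.14,192.168.16.21,198.51.100.103,ICMP
20:01:00.16,192.168.16.21,198.51.100.104,ICMP
20:01:00.17,192.168.16.30,192.168.16.2,ICMP
20:01:00.18,192.168.16.21,198.51.100.105,ICMP
20:01:00.20,192.168.16.21,198.51.100.106,ICMP
20:01:01.00,192.168.16.30,192.168.16.2,ICMP
"""

def longest_incrementing_run(addresses):
    """Length of the longest streak where each address is the previous one + 1."""
    best = run = 0
    prev = None
    for addr in addresses:
        value = int(ipaddress.IPv4Address(addr))
        run = run + 1 if prev is not None and value == prev + 1 else 1
        best = max(best, run)
        prev = value
    return best

def find_icmp_sweepers(capture_text, min_run=5):
    """Return {source: longest run} for hosts pinging consecutive addresses."""
    by_source = defaultdict(list)
    for row in csv.reader(io.StringIO(capture_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _time, src, dst, proto = row
        if proto.strip().upper() == "ICMP":
            by_source[src].append(dst)
    runs = {src: longest_incrementing_run(dsts) for src, dsts in by_source.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for src, n in find_icmp_sweepers(SAMPLE).items():
        print(f"{src}: {n} consecutive ICMP destinations, check this client")
```

A client that only pings one fixed address, such as a gateway, never builds a run longer than 1 and is not flagged.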

Re: Bogged Down SBS2k Server, no Resources Constrained: Virus? by Merv

Merv
Wed Oct 22 20:51:59 CDT 2003

Almost sounds like a variant of Blaster Worm (Symantec: W32.Blaster.Worm).
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Are your SBS and all workstations up to date with latest security patches (especially 03-039)? Ports closed (use www.grc.com to check)?

--
Merv Porter [SBS MVP]
===================================
"BobPeck" <peckrs@en.com> wrote in message
news:FC4E9DAA-D3A6-486C-8080-8F8811290026@microsoft.com...
>
> I have SBS 2k setup with a 2-NIC setup (perm connection via a T1.) I am running Trend's OfficeScan.
>
> Starting this Monday, with all clients powered off, everything is fine. With some XP clients started, the server is way bogged down: web surfing via the proxy is slow, connection to NT Shares slow, Outlook on clients slow, even circling the mouse on the actual server hangs up like it's at 100% utilization. I only have about 10 clients.
>
> But, no resources are being constrained. Plenty of mem free, CPU% at about 10-20%. No disk queueing.
>
> Only clue I have is that a couple of the XP clients (as seen with Netmon on the server) are doing continuous ICMPs to addresses in incrementing order (i.e. 207.100.25.101, 207.101.25.102, 207.100.245.103, etc.). Seems very strange. One PC will do this, even with all (apparent) apps off and mappings off.
>
> NOTE: Addresses given in example are fake. The addresses the PCs are going after do not resolve with NSlookup.
>
> Do I have a virus problem that OfficeScan is not picking up? Do I have a worm or SpyWare?
>
> The network is basically useless when all the people are on. . . . . Help!
>



RE: Bogged Down SBS2k Server, no Resources Constrained: Virus? by anonymous

anonymous
Wed Oct 22 22:06:10 CDT 2003

Server is patched. Clients are not.

Wouldn't the AV (Trend) have protected us? Or No?

Checking the clients now . . .

Re: Bogged Down SBS2k Server, no Resources Constrained: Virus? by Merv

Merv
Wed Oct 22 22:48:55 CDT 2003

Not necessarily. There have been quite a few variants of this worm. The
patch is required on workstations and servers.

"BobPeck" <anonymous@discussions.microsoft.com> wrote in message
news:064186A2-01EB-4A4E-A5EC-0EF6A4FEE176@microsoft.com...
> Server is patched. Clients are not.
>
> Wouldn't the AV (Trend) have protected us? Or No?
>
> Checking the clients now . . .