Hello

This may well have been a bad idea .. but having received info re
worm_sasser.p I used remote desktop to connect to the SBS 2000 server
and from there used IE to connect to www.grc.com to test ports 5554
and 9995 which were mentioned in the sasser notice.

1. testing these specific ports I was told that they are stealth but
that ping was possible and that this is a risk.

2. I then went for the 1000 or so port test and all were stealth -
which seems to conflict with 1 above?

Is it that ISA having received a port scan from the grc IP then
blocked further scans?

Then! Loads of port scan email warnings and at the moment I cannot
connect to the server using remote desktop. Has my PC somehow been
blocked now from remote desktop connection?

Next step?

Appreciate any thoughts!

Cheers

Geoff

Re: Urgent !! ISA and grc problem? by Dave

Dave
Tue May 04 13:08:04 CDT 2004

Solved in another later thread - RTF

Re: Urgent !! ISA and grc problem? by Dave

Dave
Tue May 04 13:13:34 CDT 2004

I don't understand what you're saying in #2 - if a port was "stealth" when
tested individually, it would be "stealth" when tested as part of the group.
I would expect the results you are reporting.

It would seem that the port scan warnings are in response to the scan you
initiated at grc; if so you can ignore them.

Can you remote into the server now? If so, I'd guess that maybe the server
was too busy to respond. If not, what happens when you try? Any errors
logged?

I don't think any of this was a "bad idea," considering that you were doing
something to test your security. I like grc as a quick test of your
firewall, but you might want to shut down e-mail notification for a while
next time you do it. As for sasser, if you haven't already, you might want
to download the Microsoft Baseline Security Analyzer. Install it on your
workstation and run it against the server. Install any missing patches
immediately. This should be a part of your normal maintenance routine - if
you subscribe to the security notification service from MS, you can run it
after installing patches, to make sure you haven't missed any.


Re: Urgent !! ISA and grc problem? by Geoff

Geoff
Tue May 04 17:26:59 CDT 2004

On Tue, 4 May 2004 14:13:34 -0400, "Dave Nickason [SBS MVP]"
<gwdibble@NOSPAM.frontiernet.net> wrote:

>Can you remote into the server now? If so, I'd guess that maybe the server
>was too busy to respond. If not, what happens when you try? Any errors
>logged?

Dave,

When at the server today there were loads of error messages re the
block_attacker trying to write to an existing file (from memory) -
having cleared those and reset the RDP-Tcp(listener) in Terminal
Services Manager, I was able to Remote Desktop into the server again.

>I don't think any of this was a "bad idea," considering that you were doing
>something to test your security. I like grc as a quick test of your
>firewall, but you might want to shut down e-mail notification for a while

and shut down block_attacker by the look of it!

>next time you do it. As for sasser, if you haven't already, you might want
>to download the Microsoft Baseline Security Analyzer. Install it on your
>workstation and run it against the server. Install any missing patches

will do.

Thanks

Geoff