W2K netstat detects port 1433 is listenning but fport does NOT..., can't start mission critical sql server !!!

W2K netstat detects port 1433 is listenning but fport does NOT..., can't start mission critical sql server !!!
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Antivirus Discussions    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
W2K netstat detects port 1433 is listenning but fport does NOT..., can't start mission critical sql server !!! SammyBar 10-14-2005
Posted by SammyBar on October 14, 2005, 2:20 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi all,

I have a problem with my Sql Server 2000 server. A malware captured the 1433
port when we restarted the SQL Server service. Now we have some users (that
uses TCP/IP to connect to the server instead named pipes) that can not
access to the server. The server is mission critical, can not be reset until
midnight to eliminate the virus. We want to kill the malware process but we
can not get the process id of the malware. We tryed with fport last version
downloaded from Foundstone but it does't lists the 1433 port as being in
use. But netstat -an clearly shows the 1433 port is listening. The Sql
Server Log says it could not be binded to 1433. So is it possible fport
fails to detect a process? Which other way can I use to detect the process
id of the malware apart of fport?

Thanks in advance
Sammy



Posted by David H. Lipman on October 14, 2005, 5:18 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

| Hi all,
|
| I have a problem with my Sql Server 2000 server. A malware captured the 1433
| port when we restarted the SQL Server service. Now we have some users (that
| uses TCP/IP to connect to the server instead named pipes) that can not
| access to the server. The server is mission critical, can not be reset until
| midnight to eliminate the virus. We want to kill the malware process but we
| can not get the process id of the malware. We tryed with fport last version
| downloaded from Foundstone but it does't lists the 1433 port as being in
| use. But netstat -an clearly shows the 1433 port is listening. The Sql
| Server Log says it could not be binded to 1433. So is it possible fport
| fails to detect a process? Which other way can I use to detect the process
| id of the malware apart of fport?
|
| Thanks in advance
| Sammy
|

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one
Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE.
It will
simplify the process of using; Sophos, Trend, Kasperski and McAfee Anti Virus
Command Line
Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode. This
way all the components can be downloaded from each AV vendor’s web site. The
choices are;
Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Steven L Umbach on October 14, 2005, 6:59 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Try Process Explorer from SysInternals. In the properties of each process is
a page for tcp/ip info that will show if any port is used. TCPView may also
be helpful but Process Explorer is the king of process identification. You
also have the option to kill the process or process tree though that does
not work all the time. Also check your services as sometimes malware will
install as a service that you could try to stop/disable. --- Steve

http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.sysinternals.com/Utilities/TcpView.html

> Hi all,
>
> I have a problem with my Sql Server 2000 server. A malware captured the
> 1433 port when we restarted the SQL Server service. Now we have some users
> (that uses TCP/IP to connect to the server instead named pipes) that can
> not access to the server. The server is mission critical, can not be reset
> until midnight to eliminate the virus. We want to kill the malware process
> but we can not get the process id of the malware. We tryed with fport last
> version downloaded from Foundstone but it does't lists the 1433 port as
> being in use. But netstat -an clearly shows the 1433 port is listening.
> The Sql Server Log says it could not be binded to 1433. So is it possible
> fport fails to detect a process? Which other way can I use to detect the
> process id of the malware apart of fport?
>
> Thanks in advance
> Sammy
>



Posted by SammyBar on October 14, 2005, 8:15 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I was able to find the process that is listening on 1433 port: It is the
System process! I can not shutdown it.
Anyway thanks for the help

Sammy



Posted by Peter Foldes on October 15, 2005, 12:29 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Did you install the MS05-051 Security Update over your network. There is =
many more issues cropping up aside from what is listed.

http://support.microsoft.com/?kbid=3D909444

--=20
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

>I was able to find the process that is listening on 1433 port: It is =
the=20
> System process! I can not shutdown it.
> Anyway thanks for the help
>=20
> Sammy=20
>=20
>

Similar ThreadsPosted
Re: Please help me interpret a suspicious netstat SYN_SENT TCP port 1058 ? February 25, 2006, 1:04 am
Avast AV critical vulnerability (FrSIRT) July 21, 2005, 2:26 pm
Adaware critical object found May 17, 2006, 8:07 am
RE: Adaware critical object found May 17, 2006, 11:19 pm
Please Help! Problem with Start Up!! August 27, 2005, 11:35 am
Fails to start August 2, 2006, 2:18 pm
start Page virus December 30, 2005, 9:11 pm
rundll error message at start up September 5, 2008, 9:11 am
Where does Trojan-downloader.win32.Agent.bkd start up? June 17, 2007, 9:33 pm
Blue screens XP2 MS at start-up unknown after shutdown (flashes) October 13, 2006, 2:43 pm

The site map in XML format XML site map

Contact Us | Privacy Policy