Guest bestbapu
Posted January 23, 2009

I have a web server behind a firewall (port 80 is mapped in my router from public IP to private IP). The network status icon is solid blue.

After 4 hours of being online the computer reports 128,786,731 bytes received. That seems excessive.

How I discovered this is that web sites on that server are "timing out" when being accessed. IOW, they do not display. I can ping the website names.

The websites all run under Apache. No IIS on this server. The server is W2K server with all updates being current. No active directory.

I've run Malwarebytes Anti-Malware and it reports no problems.

What might the problem be?

Guest David H. Lipman
Posted January 23, 2009

From: "bestbapu" <bestbapu@hotmail.com>

| I have a web server behind a firewall (port 80 is mapped in my router from
| public IP to private IP). The network status icon is solid blue.

| After 4 hours of being online the computer reports 128,786,731 bytes
| received. That seems excessive.

| How I discovered this is that web sites on that server are "timing out" when
| being accessed. IOW, they do not display. I can ping the website names.

| The websites all run under Apache. No IIS on this server. The server is W2K
| server with all updates being current. No active directory.

| I've run Malwarebytes Anti-Malware and it reports no problems.

| What might the problem be?

I suggest using WireShark and doing a protocol decode to see the traffic.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest bestbapu
Posted January 23, 2009

David,

I downloaded WireShark and ran it for about 2 minutes and it generated a huge listing.

Not being entirely sure how to interpret it, I used Analyze->Follow TCP Stream on a highlighted TCP entry.

It provided me with a clue that hints that my server is acting as a proxy server for some "sex" websites, in that the embedded URLs (usually ending in .ru) included various domain or subdomain names with the word "sex" in them.

So, supposing my server is being used to proxy other websites, how do I stop this from happening?

Thanks,
Ed.

"David H. Lipman" wrote:

> From: "bestbapu" <bestbapu@hotmail.com>
>
> | I have a web server behind a firewall (port 80 is mapped in my router from
> | public IP to private IP). The network status icon is solid blue.
>
> | After 4 hours of being online the computer reports 128,786,731 bytes
> | received. That seems excessive.
>
> | How I discovered this is that web sites on that server are "timing out" when
> | being accessed. IOW, they do not display. I can ping the website names.
>
> | The websites all run under Apache. No IIS on this server. The server is W2K
> | server with all updates being current. No active directory.
>
> | I've run Malwarebytes Anti-Malware and it reports no problems.
>
> | What might the problem be?
>
> I suggest using WireShark and doing a protocol decode to see the traffic.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
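
An added example, not part of the original thread: one way to check the Apache access log for the proxy-style requests described in the post above. It assumes the common/combined log format; `LOCAL_HOSTS` and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical names of the sites this server really hosts (assumption).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Apache common/combined format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def proxy_target(method, target):
    """Return the foreign host a request asks this server to relay to, else None."""
    if method == "CONNECT":                      # CONNECT host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                          # absolute-form: GET http://host/path
        host = (urlsplit(target).hostname or "").lower()
        return host if host and host not in LOCAL_HOSTS else None
    return None                                  # origin-form: GET /path (normal)

def summarize(lines):
    """Count proxy-style requests and bytes sent, per foreign host."""
    hits, sent = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = proxy_target(m["method"], m["target"])
        if host:
            hits[host] += 1
            sent[host] += 0 if m["size"] == "-" else int(m["size"])
    return hits, sent

# Constructed sample lines (documentation addresses, placeholder hosts).
SAMPLE = [
    '198.51.100.7 - - [23/Jan/2009:01:02:03 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Jan/2009:01:02:04 -0500] "GET http://foreign-site.example/a.jpg HTTP/1.0" 200 48213',
    '203.0.113.9 - - [23/Jan/2009:01:02:05 -0500] "GET http://foreign-site.example/b.jpg HTTP/1.0" 200 51877',
    '203.0.113.9 - - [23/Jan/2009:01:02:06 -0500] "CONNECT other-site.example:443 HTTP/1.0" 405 -',
    '198.51.100.7 - - [23/Jan/2009:01:02:07 -0500] "GET http://www.example.org/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    hits, sent = summarize(SAMPLE)
    for host, n in hits.most_common():
        print(f"{host}: {n} requests, {sent[host]} bytes sent")
```

A 200 status on a flagged line does not by itself prove the request was relayed, since Apache may answer with its own default page; compare the byte counts against the size of local pages.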

Guest David H. Lipman
Posted January 23, 2009

From: "bestbapu" <bestbapu@hotmail.com>

| David,

| I downloaded WireShark and ran it for about 2 minutes and it generated a
| huge listing.

| Not being entirely sure how to interpret it, I used Analyze->Follow TCP
| Stream on a highlighted TCP entry.

| It provided me with a clue that hints that my server is acting as a proxy
| server for some "sex" websites, in that the embedded URLs (usually ending in
| .ru) included various domain or subdomain names with the word "sex" in them.

| So, supposing my server is being used to proxy other websites, how do I stop
| this from happening?

| Thanks,
| Ed.

You may have something MBAM doesn't/won't detect.

Start with the McAfee and Sophos modules of the below Multi AV Scanning Tool.

Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/0...virus-for-free/

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}

This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.

The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode.

Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

Please report back your results

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Kayman
Posted January 23, 2009

On Thu, 22 Jan 2009 22:30:13 -0500, David H. Lipman wrote:

<snip>

> Additional Instructions:
> http://pcdid.com/Multi_AV.htm

Is this the correct link? Couldn't find any relevance pertinent to your Multi-AV tool.

Guest David H. Lipman
Posted January 23, 2009

From: "Kayman" <kayhkay-nospam-@operamail.com>

| On Thu, 22 Jan 2009 22:30:13 -0500, David H. Lipman wrote:

| <snip>

>> Additional Instructions:
>> http://pcdid.com/Multi_AV.htm

| Is this the correct link? Couldn't find any relevance pertinent to your
| Multi-AV tool.

Thanks!

It looks like BigBruva's site is no longer.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted January 23, 2009

I've asked before - WHY do you not have your own web site to carry your multi-Av programme, David?

You've said you are still working (for .... someone!) - surely you can afford it!

--
BD

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23$YBvpUfJHA.4932@TK2MSFTNGP02.phx.gbl...

> From: "Kayman" <kayhkay-nospam-@operamail.com>
>
> | On Thu, 22 Jan 2009 22:30:13 -0500, David H. Lipman wrote:
>
> | <snip>
>
>>> Additional Instructions:
>>> http://pcdid.com/Multi_AV.htm
>
> | Is this the correct link? Couldn't find any relevance pertinent to
> your
> | Multi-AV tool.
>
> Thanks!
>
> It looks like BigBruva's site is no longer.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Tom [Pepper] Willett
Posted January 23, 2009

What business is it of yours, hoople head?

"~BD~" <BoaterDave@hotmail.co.uk> wrote in message news:%23h%23PMWWfJHA.1172@TK2MSFTNGP04.phx.gbl...

: I've asked before - WHY do you not have your own web site to carry
: your multi-Av programme, David?
:
: You've said you are still working (for .... someone!) - surely you can
: afford it!
:
: --
: BD
:
: "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
: news:%23$YBvpUfJHA.4932@TK2MSFTNGP02.phx.gbl...
: > From: "Kayman" <kayhkay-nospam-@operamail.com>
: >
: > | On Thu, 22 Jan 2009 22:30:13 -0500, David H. Lipman wrote:
: >
: > | <snip>
: >
: >>> Additional Instructions:
: >>> http://pcdid.com/Multi_AV.htm
: >
: > | Is this the correct link? Couldn't find any relevance pertinent to
: > your
: > | Multi-AV tool.
: >
: > Thanks!
: >
: > It looks like BigBruva's site is no longer.
: >
: > --
: > Dave
: > http://www.claymania.com/removal-trojan-adware.html
: > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted January 23, 2009

From: "Tom [Pepper] Willett" <tom@youreadaisyifyoudo.com>

| What business is it of yours, hoople head?

Danke !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted January 25, 2009

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23npETMafJHA.5496@TK2MSFTNGP02.phx.gbl...

> From: "Tom [Pepper] Willett" <tom@youreadaisyifyoudo.com>
>
> | What business is it of yours, hoople head?
>
> Danke !
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

This page clearly indicates that the Multi-AV is your tool

http://www.pctipp.ch/downloads/sicherheit/...nning_tool.html

Indeed, it mentions your name ......... (see )

"Not least, the various virus scanners must not get in each other's way, which is why, for cleaning, it is best to reach for the slim command-line versions of various antivirus solutions, e.g. from Sophos, Trend Micro, Kaspersky and McAfee. Dealing with programs that run only in a DOS-like window is not everyone's cup of tea. And this is exactly where the «Multi-AV Scanning Tool» by the American David Lipman comes in. It serves as a front end for accessing the command-line virus scanners of the four vendors mentioned. And here is how it works:"

Maybe you are German by birth,
Maybe your wife is German.
Maybe you have lived/studied in Germany.
Maybe you have good friends in Germany.

None of that matters (not even the fact that you responded to 'Pepper' in German)

I'm sure there must be others who read these threads who must wonder WHY you choose to hide the tool which you profess to have made in an obscure German web site - when you must recognise that most folk reading here will have at least some knowledge of English.

It simply makes no sense to me.

BD