
Is my server or network compromised?



Guest bestbapu
Posted

Some background on the Windows 2000 server in question:

I have a DNS server behind a firewall. Ports access thru the firewall are 80, 53 & 21.

On this DNS server I am running MySQL 5.x, Apache 2.x and PHP 5.0.x.

I have 6 virtual web servers set up in Apache, all on port 80.

The problem with the server is that the network icon in the systray is almost constantly on (both in and out). And if I try and access any of the 6 websites on this system, most of them time out.

This problem is only just now occurring (well, in the last month or so) even though the server has been up and running for well over three years without a problem.

Event viewer has some occasional entries that are concerning.

NtFrs Event ID: 13562 (errors polling the Domain Controller). These happen about every 6-8 hours.

DNS Event ID: 5504 (invalid domain name in packet from 198.41.0.4. NOTE: this is not the IP addressing scheme for my LAN). From 10:05 to 2:45 PM today 46 such entries happened.

Userenv Event ID: 1000 (Windows cannot determine the user or computer name. Return value 1722). From 9:35 AM to 2:42 PM today 4 entries occurred (approx 1.5 to 2 hours apart).

I do not see any suspicious services, nor does the Task Manager have any oddities (cpu = ~4%), no excessive CPU time on processes.

Also, the server is viewed as part of the domain from other computers in the domain and it can get out to the internet (albeit slowly).

I can ping the websites and they do respond. But when trying to access them from a browser, they time out with a "Service not available".

Apache is up and running.

Every so often, maybe 1 out of 25 tries, I can get to the main page of any one of these websites, but if I navigate to another page, the site times out. Once I hit one website, I'll try another and that next website almost always times out (99.999% of the time).

I am not a "super or power" administrator. I run a simple network (DC, DC/Exchange, DNS/webserver and about 6 workstations). Any help you can provide is truly appreciated.


Guest David H. Lipman
Posted

From: "bestbapu" <bestbapu@hotmail.com>

 

| Some background on the Windows 2000 server in question:

| I have a DNS server behind a firewall. Ports access thru the firewall are 80, 53 & 21.

| On this DNS server I am running MySQL 5.x, Apache 2.x and PHP 5.0.x.

| I have 6 virtual web servers set up in Apache, all on port 80.

| The problem with the server is that the network icon in the systray is almost constantly on (both in and out). And if I try and access any of the 6 websites on this system, most of them time out.

| This problem is only just now occurring (well, in the last month or so) even though the server has been up and running for well over three years without a problem.

| Event viewer has some occasional entries that are concerning.

| NtFrs Event ID: 13562 (errors polling the Domain Controller). These happen about every 6-8 hours.

| DNS Event ID: 5504 (invalid domain name in packet from 198.41.0.4. NOTE: this is not the IP addressing scheme for my LAN). From 10:05 to 2:45 PM today 46 such entries happened.

| Userenv Event ID: 1000 (Windows cannot determine the user or computer name. Return value 1722). From 9:35 AM to 2:42 PM today 4 entries occurred (approx 1.5 to 2 hours apart).

| I do not see any suspicious services, nor does the Task Manager have any oddities (cpu = ~4%), no excessive CPU time on processes.

| Also, the server is viewed as part of the domain from other computers in the domain and it can get out to the internet (albeit slowly).

| I can ping the websites and they do respond. But when trying to access them from a browser, they time out with a "Service not available".

| Apache is up and running.

| Every so often, maybe 1 out of 25 tries, I can get to the main page of any one of these websites, but if I navigate to another page, the site times out. Once I hit one website, I'll try another and that next website almost always times out (99.999% of the time).

| I am not a "super or power" administrator. I run a simple network (DC, DC/Exchange, DNS/webserver and about 6 workstations). Any help you can provide is truly appreciated.


I don't know what's going on but the IP address for DNS belongs to Verisign.

OrgName: VeriSign Infrastructure & Operations
OrgID: VIO-2
Address: 21345 Ridgetop Circle
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 198.41.0.0 - 198.41.3.255
CIDR: 198.41.0.0/22
NetName: INTERNIC1
NetHandle: NET-198-41-0-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.CRSNIC.NET
NameServer: NS2.NSIREGISTRY.NET
NameServer: NS3.VERISIGN-GRS.NET
NameServer: NS4.VERISIGN-GRS.NET

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
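
A triage sketch for the DNS 5504 entries discussed in this thread, added here as an example and not part of either post: it counts the source address of each entry and labels it against the whois range quoted in the reply. The tab-separated export layout, the RFC 1918 LAN ranges and the sample lines are assumptions; the thread does not state them.

```python
import ipaddress
import re
from collections import Counter

# Range copied from the whois output quoted in the reply.
KNOWN_RANGES = {"VeriSign 198.41.0.0/22": ipaddress.ip_network("198.41.0.0/22")}

# Assumption: the LAN uses RFC 1918 space; the post does not give its addressing.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pulls the dotted quad that follows "packet from" in the event text.
SOURCE_RE = re.compile(r"packet from (\d{1,3}(?:\.\d{1,3}){3})")


def classify(ip_text):
    """Label one source address: known range, LAN, or unattributed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    for label, net in KNOWN_RANGES.items():
        if ip in net:
            return label
    if any(ip in net for net in LAN_RANGES):
        return "LAN"
    return "unattributed external"


def triage(lines, event_id="5504"):
    """Count (source, label) pairs for one event ID in exported log lines.

    Assumed layout per line: time <TAB> source <TAB> event id <TAB> message.
    """
    counts = Counter()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4 or fields[2] != event_id:
            continue
        match = SOURCE_RE.search(fields[3])
        if match:
            counts[(match.group(1), classify(match.group(1)))] += 1
    return counts.most_common()


# Constructed sample lines, not taken from the poster's server.
SAMPLE = [
    "10:05\tDNS\t5504\tinvalid domain name in a packet from 198.41.0.4.",
    "10:11\tDNS\t5504\tinvalid domain name in a packet from 198.41.0.4.",
    "10:40\tUserenv\t1000\tWindows cannot determine the user or computer name.",
    "11:02\tDNS\t5504\tinvalid domain name in a packet from 203.0.113.7.",
    "11:30\tDNS\t5504\tinvalid domain name in a packet from 192.168.1.20.",
    "12:15\tDNS\t5504\tinvalid domain name in a packet from 198.41.0.4.",
    "13:00\tNtFrs\t13562\terrors polling the Domain Controller",
]
```

Sources that come back as "unattributed external" are the ones worth a whois lookup of their own before drawing conclusions about the server.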
