I have a server with Windows 2003, which is used as firewall and proxy server (it runs ISA 2000).
Now, everything used to work fine until yesterday, when in order to accomodate some IP phones and some other devices, I was forced to modify the IP mask (enlarge).
I don't know if it has any kind of connection with this, but yesterday the server started to serve pages very slow. It seems than now only data that goes explicitly thru the proxy is fast, the rest (like email, Remote Desktop Connection) are very slow.
The problem seem to the the wspsrv.exe. How do I found out? netstat shows tons and tons of "SYN_SENT" messages from the PID of wspsrv.exe and tons of ports listening (starting from 3728 all the way to 3839, and also lots and lots of connections in "SYN_SENT" status sent to 192.168.random.random on ports 135 and 445.
This looks just like a mass spreading worm. Anyone has any ideas?
Now, everything used to work fine until yesterday, when in order to accomodate some IP phones and some other devices, I was forced to modify the IP mask (enlarge).
I don't know if it has any kind of connection with this, but yesterday the server started to serve pages very slow. It seems than now only data that goes explicitly thru the proxy is fast, the rest (like email, Remote Desktop Connection) are very slow.
The problem seem to the the wspsrv.exe. How do I found out? netstat shows tons and tons of "SYN_SENT" messages from the PID of wspsrv.exe and tons of ports listening (starting from 3728 all the way to 3839, and also lots and lots of connections in "SYN_SENT" status sent to 192.168.random.random on ports 135 and 445.
This looks just like a mass spreading worm. Anyone has any ideas?
Facebook
Twitter