  1. #1

    microsoft-ds: mystery user with screen grab!

    I use TaskInfo on my Win2003 Server to monitor resource usage. There is an IP that has shown up with a connection a few times...when there shouldn't have been any real traffic on the server.

    Take a look at the screen grab and let me know what you think. I've googled microsoft-ds and can't come up with anything definitive yet.

    Can anyone tell me what microsoft-ds is and what this person would be doing accessing the service/port. Traffic seems normal while the person is accessing...no bandwidth spikes.

    Help me figure this out.
    Attached thumbnail: mysteryuser.gif

  2. #2
    It's Windows stuff between TCP 139-145, which is normal in Windows networks. However, if this is a web server that's worrying; you'll probably want to firewall this completely, as it's the only way to completely eliminate that kind of traffic.

    It's important to know that this doesn't mean your machine is being directly targeted. There are a lot of viruses out there that port scan machines and try to find boxes they can compromise; this is probably just an average port scan from one of them.

    You may remember the blaster virus, this is exactly how it spread ...

  3. #3
    Dan:

    Thanks for the response. It is a Win2003 Web Server that is running all web related services (DNS/Mail/FTP/Web). My data center had a major traffic flow on several of the machines about 2 weeks ago. They are still doing research as to exactly what happened. There was a concern that my machine or others on the subnet were infected. But right now they are leaning towards a NetBios subnet scan or DDOS.

    The IP disappeared for about 10 minutes and then reappeared. I ran netstat and here is what I found:
    C:\Documents and Settings\Administrator>netstat

    Active Connections

    Proto Local Address Foreign Address State
    TCP <computer_name>:3921 <my_ip>:1201 ESTABLISHED

    TCP <computer_name>:microsoft-ds user-<their_ip_at_mindspring_cable>:2722 ESTABLISHED

    What is ms-ds???
    ====================
    Update: googlism.com said this:
    microsoft-ds is microsofts active directory services
    microsoft-ds is a port used ever since windows 2000 was introduced
    microsoft-ds is open port
    microsoft-ds is a file sharing application that allows users to share files through port 445
    microsoft-ds is a tcp/udp service on port 445
    microsoft-ds is the name of this destination
    ====================
    Could this port/service be turned off?
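    The netstat listing above is the key evidence in this thread: a session on the local microsoft-ds port (TCP 445) from an address outside the data center. As an added example (not code from the thread or any of its posters), the script below parses netstat output in that layout and flags established SMB/NetBIOS sessions whose peer is not in an internal range. The sample output, host names and addresses are constructed placeholders, and the internal ranges are an assumption (RFC 1918 plus loopback) to be adjusted to the real subnet.

```python
import ipaddress

# Constructed sample output in the layout of Windows "netstat" (names and
# addresses are placeholders modelled on the thread, not real hosts).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address               Foreign Address                  State
  TCP    webserver:3921              198.51.100.7:1201                ESTABLISHED
  TCP    webserver:microsoft-ds      user-abc123.cable.example:2722   ESTABLISHED
  TCP    webserver:microsoft-ds      203.0.113.45:3307                ESTABLISHED
  TCP    webserver:netbios-ssn       192.168.1.20:1455                ESTABLISHED
  TCP    webserver:http              198.51.100.9:40211               TIME_WAIT
"""

# Service names netstat prints in place of the SMB/NetBIOS session ports.
SMB_SERVICE_PORTS = {"microsoft-ds": 445, "netbios-ssn": 139}

# Address ranges treated as "inside" (assumption: an RFC 1918 LAN plus
# loopback); adjust to the subnet the data center actually uses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port), mapping known service names to numbers."""
    host, _, port = endpoint.rpartition(":")
    if port in SMB_SERVICE_PORTS:
        return host, SMB_SERVICE_PORTS[port]
    try:
        return host, int(port)
    except ValueError:
        return host, port  # some other named service such as "http"


def is_external(host):
    """True unless the host is a literal IP inside INTERNAL_NETS.

    A resolved hostname (like the cable-modem entry in the thread) cannot be
    checked against the ranges, so it is conservatively treated as external.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Return one dict per TCP connection line of netstat output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # header, blank line, or a UDP socket with no state column
        proto, local, foreign, state = parts
        _, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        rows.append({"proto": proto, "local_port": local_port,
                     "foreign_host": foreign_host, "foreign_port": foreign_port,
                     "state": state})
    return rows


def flag_smb_sessions(text):
    """Established SMB/NetBIOS sessions whose peer is outside INTERNAL_NETS."""
    return [row for row in parse_netstat(text)
            if row["state"] == "ESTABLISHED"
            and row["local_port"] in SMB_SERVICE_PORTS.values()
            and is_external(row["foreign_host"])]


if __name__ == "__main__":
    for hit in flag_smb_sessions(SAMPLE_NETSTAT):
        print(f"SMB session on local port {hit['local_port']} from "
              f"{hit['foreign_host']}:{hit['foreign_port']}")
```

    Running netstat with -n gives numeric addresses instead of resolved names, which lets the range check work on every line rather than falling back to the conservative "external" verdict for hostnames. Any hit here is exactly the condition the later replies describe as unacceptable: file and printer sharing reachable from the internet.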

  4. #4
    Install a firewall to block ports you don't want to be used. Not the standard Windows firewall, but another software firewall which is intended for server use (i.e. not one of the "personal" firewalls).
    Chris at TDMWeb.com
    Windows & Linux hosting and fully managed dedicated servers with great customer service!
    UK-based but serving the world...

  5. #5

  6. #6
    Dan:

    Yes. It needs to be enabled for Helm Control Panel. Any particular reason?

    Chris:

    Yes, I've been looking at software firewalls. It was a clean install with all of the patches applied before going live (including the latest SP). Plus, I had some security things tweaked with a security audit from the installers. Plus, a pretty proactive data center, although no dedicated hardware firewall is directly in front of the box.

    I've been reading as much as possible about software firewalls. I realize they are not the ideal solution, as they don't address DDOS issues, but it sounds like they can prevent brute force hacking and a few other nasties.

    I've seen some say "as long as you have all the patches applied" you're good. I've seen some say "a software firewall is good". I've seen others say "it ain't nothing unless it's a dedicated hardware firewall".

    I'm colocated, so a software firewall seems the best solution. I've read things from "Zone Alarm is good" to "you need Kerio". I've even seen some say that the new built-in Windows Firewall is the way to go.

    It is a bit OT, but any thoughts on a Windows Firewall?

  7. #7

  8. #8
    Dan:

    It is required for helm...although I will post a thread on the helm board about the FPS issue. Thanks for the responses!

  9. #9
    If file sharing is enabled then it's possible that's one of many potential things, not all of which are problems. I'm surprised to hear something like Helm needs file/printer sharing enabled to work. Can you restrict it (Helm) to specific hosts? The built-in 2003 firewall actually isn't terrible if used correctly, and you definitely don't want file and printer sharing open over the internet.
