
Resolved I'm Being Eaten ALIVE

Discussion in 'Networking (Hardware & Software)' started by Steve R Jones, 2009/09/17.

  1. 2009/09/17
    Steve R Jones SuperGeek Staff Thread Starter

    I'm getting unauthorised established connections to port 445 on one of my servers which is in a Data Center.

    The techs at the DC have been helping but I think they're getting as frustrated as I am. They set up an IPsec rule and Windows Firewall and in theory, this machine should be locked down pretty darn tight.

    We do have a small number of ports open to access the two different types of databases on the machine... (all the machine does is host databases)

    Before the IPsec rule - there would be as many as 50 established connections to port 445... I could sit there and kill the connections one at a time... and slowly but surely they come back.

    File and print sharing has been disabled.

    If I do telnet xx.xx.xxx.xx 445 -> It won't connect.

    There were a couple of trojans on the machine a couple of months ago. We had FSecure installed for a few months but have since switched to Norton 2009 and its scans are clean.

    Any thoughts?
     
  2. 2009/09/17
    TonyT SuperGeek Staff

    Disable file & print sharing on the server; 445 is used for SMB over TCP. Or unbind file & print sharing from TCP and use a different protocol for it.

    DHCP also uses 445.

    Those 70.x.x.x ips are SHAW ips.
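
Added example, not part of the original thread or of any poster's reply: a Python script that parses `netstat -ano` output and groups established TCP connections involving port 445 by direction (inbound to the server's own port 445, or outbound to a remote port 445), remote address and owning PID. The sample output, its addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:445         203.0.113.7:51234      ESTABLISHED     4
  TCP    192.0.2.10:445         203.0.113.7:51240      ESTABLISHED     4
  TCP    192.0.2.10:445         198.51.100.23:40112    ESTABLISHED     4
  TCP    192.0.2.10:49811       198.51.100.99:445      ESTABLISHED     2308
  TCP    192.0.2.10:1433        203.0.113.50:60001     ESTABLISHED     1560
  TCP    192.0.2.10:445         203.0.113.80:50000     TIME_WAIT       0
"""

# Proto, local ip:port, foreign ip:port, state, PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smb_connections(netstat_text, port=445):
    """Return ESTABLISHED TCP rows touching `port`, tagged by direction."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP or malformed line
        l_ip, l_port, r_ip, r_port, state, pid = m.groups()
        if state != "ESTABLISHED":
            continue
        if int(l_port) == port:
            direction = "inbound"    # remote host connected to our port 445
        elif int(r_port) == port:
            direction = "outbound"   # a local process connected to a remote 445
        else:
            continue
        rows.append({"direction": direction, "remote": r_ip, "pid": int(pid)})
    return rows

def summarize(rows):
    """Count connections per (direction, remote address, owning PID)."""
    return Counter((r["direction"], r["remote"], r["pid"]) for r in rows)

if __name__ == "__main__":
    for (direction, remote, pid), n in summarize(smb_connections(SAMPLE)).most_common():
        print(f"{direction:8} {remote:15} pid={pid:<6} connections={n}")
```

Outbound rows are worth separating because the owning PID identifies the local process that opened them, which inbound rows alone cannot show.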
     


  4. 2009/09/17
    Steve R Jones SuperGeek Staff Thread Starter

    Thanks Tony - it's almost funny that my machine's IP also starts with 70 but isn't in Canada...

    Anyway, the DC techs wrote back just now:

    Will monitor and see what happens.
     
