Question : Came in on Monday Morning to find 3 Domain Controllers malfunctioning.
Good day all you experts, I hope your Monday has been better than mine.
This morning when sitting down for my morning coffee and reading my email I noticed that our firewall was reporting an awful lot of errors. When inspecting the logs, I saw that there were 3 of our servers trying to start communications on various different ports to the outside world. Our firewall (Netscreen 25) currently screens multiple source-based sessions and blocks them if they exceed 128 sessions on the same port from the same location. This is a good thing because there is no need for that type of communications.
So, I rolled up my sleeves and said to myself, this is a good opportunity to install Microsoft Anti-spyware on these machines to see if I may have picked up something. I did this and no threats were found.
Meanwhile branch offices are starting to call now because the servers that are affected will not print or perform some other functions properly.
I then rebooted two servers that I could and thought that may help. (I couldn't reboot the third because users were working on it, although not all of them printing.) The reboot did not help at all. I ran HijackThis and it is terminating itself after about a minute. Tried to run Norton Antivirus Corp. and it terminates before starting up.
I also found that our SQL server service stopped itself. When I checked the security event log I found half a dozen audit failures where one of our users appeared to try to change security permissions. I know this user would not even be aware of what the SQL server was, let alone planning to crack permissions on it.
What is going on!
Here is a sample of the logfile from the firewall.
[00001] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.81:3704 to 24.209.147.179:139, proto TCP (zone Trust, int ethernet1). Occurred 96 times.
[00002] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:1259 to 192.42.93.30:53, proto UDP (zone Trust, int ethernet1). Occurred 3 times.
[00003] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:2580 to 65.31.26.125:139, proto TCP (zone Trust, int ethernet1). Occurred 56 times.
[00004] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.85:2198 to 192.168.77.252:445, proto TCP (zone Trust, int ethernet1). Occurred 67 times.
[00005] 2005-02-14 12:01:14 [Root]system-critical-00033: Src IP session limit! From 192.168.197.85:3396 to 202.98.4.98:445, proto TCP (zone Trust, int ethernet1). Occurred 5 times.
[00006] 2005-02-14 12:01:14 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:2987 to 192.235.87.203:139, proto TCP (zone Trust, int ethernet1). Occurred 54 times.
[00007] 2005-02-14 12:01:14 [Root]system-critical-00033: Src IP session limit! From 192.168.197.81:3344 to 66.209.206.137:445, proto TCP (zone Trust, int ethernet1). Occurred 6 times.
[00008] 2005-02-14 12:01:13 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:53 to 192.168.11.113:1988, proto UDP (zone Trust, int ethernet1). Occurred 5 times.
[00009] 2005-02-14 12:01:13 [Root]system-critical-00033: Src IP session limit! From 192.168.197.85:2396 to 68.147.43.135:445, proto TCP (zone Trust, int ethernet1). Occurred 30 times.
[00010] 2005-02-14 12:01:13 [Root]system-critical-00033: Src IP session limit! From 192.168.197.81:2204 to 24.196.81.32:139, proto TCP (zone Trust, int ethernet1). Occurred 67 times.
[00011] 2005-02-14 12:01:13 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:1867 to 65.14.170.159:139, proto TCP (zone Trust, int ethernet1). Occurred 172 times.
[00012] 2005-02-14 12:01:12 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:1259 to 64.113.32.60:53, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
[00013] 2005-02-14 12:01:12 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:4990 to 66.144.53.4:445, proto TCP (zone Trust, int ethernet1). Occurred 205 times.
[00014] 2005-02-14 12:01:12 [Root]system-critical-00033: Src IP session limit! From 192.168.197.81:4308 to 61.130.226.16:445, proto TCP (zone Trust, int ethernet1). Occurred 87 times.
[00015] 2005-02-14 12:01:11 [Root]system-critical-00033: Src IP session limit!
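As an added triage example (not part of the original post), the following script parses Netscreen "Src IP session limit" entries of the format shown in the log above, totals blocked sessions per internal source host, and flags hosts whose outbound sessions are overwhelmingly to TCP 139/445 (the NetBIOS/SMB ports), which is the propagation pattern a network worm leaves in a firewall log. The sample input is a constructed string containing six entries copied from the post; the threshold value is an assumption.

```python
import re
from collections import defaultdict

# One Netscreen "Src IP session limit" entry, matching the format in the post's log.
ENTRY_RE = re.compile(
    r"\[(?P<id>\d+)\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[Root\]system-critical-00033: Src IP session limit! "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>\w+), int (?P<intf>\w+)\)\. "
    r"Occurred (?P<count>\d+) times\."
)

# Constructed sample: six entries from the post, run together on one line as the
# extraction left them; finditer() copes with that as well as with one per line.
SAMPLE = (
    "[00001] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.81:3704 to 24.209.147.179:139, proto TCP (zone Trust, int ethernet1). Occurred 96 times. "
    "[00002] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:1259 to 192.42.93.30:53, proto UDP (zone Trust, int ethernet1). Occurred 3 times. "
    "[00003] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:2580 to 65.31.26.125:139, proto TCP (zone Trust, int ethernet1). Occurred 56 times. "
    "[00004] 2005-02-14 12:01:15 [Root]system-critical-00033: Src IP session limit! From 192.168.197.85:2198 to 192.168.77.252:445, proto TCP (zone Trust, int ethernet1). Occurred 67 times. "
    "[00008] 2005-02-14 12:01:13 [Root]system-critical-00033: Src IP session limit! From 192.168.197.75:53 to 192.168.11.113:1988, proto UDP (zone Trust, int ethernet1). Occurred 5 times. "
    "[00007] 2005-02-14 12:01:14 [Root]system-critical-00033: Src IP session limit! From 192.168.197.81:3344 to 66.209.206.137:445, proto TCP (zone Trust, int ethernet1). Occurred 6 times."
)

SMB_PORTS = {"139", "445"}


def parse_entries(text):
    """Return one dict per parsed entry; truncated or foreign lines are skipped."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def summarize(entries):
    """Per source IP: total blocked sessions, how many went to 139/445, and the ports seen."""
    summary = defaultdict(lambda: {"total": 0, "smb": 0, "dports": set()})
    for e in entries:
        n = int(e["count"])
        s = summary[e["src"]]
        s["total"] += n
        s["dports"].add(int(e["dport"]))
        if e["dport"] in SMB_PORTS:
            s["smb"] += n
    return summary


def suspected_hosts(summary, threshold=0.8):
    """Hosts whose blocked outbound sessions are mostly SMB/NetBIOS (threshold is an assumed cut-off)."""
    return sorted(ip for ip, s in summary.items()
                  if s["total"] and s["smb"] / s["total"] >= threshold)


if __name__ == "__main__":
    for ip in suspected_hosts(summarize(parse_entries(SAMPLE))):
        print("likely infected:", ip)
```

Run it over the full firewall log instead of SAMPLE to get the list of hosts to isolate first; the DNS (port 53) traffic from the .75 host shows why a share of non-SMB sessions is tolerated rather than requiring 100%.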
Answer : Came in on Monday Morning to find 3 Domain Controllers malfunctioning.
This really sounds like a virus to me. I recommend you download up-to-the-second antivirus definitions from a secure and guaranteed clean workstation and place them on removable media. Then reboot one of the affected DCs and bring it up in safe mode w/o networking. Reinstall Norton on the DC and update the virus defs from the removable media and do as thorough a scan as possible. If this doesn't fix anything, start comparing the services running on affected DCs with the services on DCs that are running fine. Also try capturing some network traffic to get a better idea of what all this network activity is. Keep me posted.