Verisign SSL Cert Stopped working after windows Updates
| Paul -- Whitmont 2004-12-10, 5:54 pm |
| Hi all,
I have found lots of discussion groups about this, but no real answer that
relates to my problem... I'll try to be as descriptive as I can.
Here is the scenario.. 2 months ago, I bought an SSL certificate from
Verisign.. Installed, set up and working without problem on a Windows 2000
Server SP4 Stand Alone (but in a domain).
Yesterday, I ran Windows Updates since it's been a while and installed
roughly 31 Windows updates including the latest version of .net
After that, I rebooted server and logged in normally.. However, my users
reported they could no longer access the website we had on there..
Now, some details about the website.. It's a single IIS server with only one
site (excluding the administration site etc.) And again, it worked fine
before the windows updates.
I tested the page and I would get "Cannot find server or DNS Error".
If I removed the SSL requirement, the page would load fine.. Now I tried
removing and re-adding the certificate. Changing the SSL IP setup to
everything I could think of, and restarting IIS on top of that as described
in the various technet articles.
Here is what I get from SSLDiag
#WARNING:Handshake: 0x80090308 (-2146893048) error
So that tells me that the certificate can't create a handshake between the
client (in this case, the same server as the IIS box) and the Server.
Can anyone shed some light on this?
I've tried technet articles:
290051
260096
265847
324839
I also called Verisign and had them double-check to make sure the certificate
was valid.. They saw nothing wrong with it.
Can anyone shed some light as to what might have happened by just running
windows updates?
| |
| Miha Pihler 2004-12-10, 8:47 pm |
| Hi Paul,
I could be way off, but can you check that this is not a problem:
Expiration of VeriSign Global Server ID Intermediate Root CA on 1/7/2004
http://www.verisign.com/support/ven...p-gsid-ssl.html
Intermediate CA Replacement Instructions
https://www.verisign.com/support/si...ement.html#iis5
Was one of the patches that you installed MS04-011?
I hope this helps :-)
Mike
"Paul -- Whitmont" <Paul -- Whitmont@discussions.microsoft.com> wrote in
message news:CC336D39-BE73-4B89-BAA1-6C63E77072D1@microsoft.com...
> Hi all,
>
> I have found lots of discussion groups about this, but no real answer that
> relates to my problem... I'll try to be as descriptive as I can.
>
> Here is the scenario.. 2 months ago, I bought an SSL certificate from
> Verisign.. Installed, set up and working without problem on a Windows 2000
> Server SP4 Stand Alone (but in a domain).
>
> Yesterday, I ran Windows Updates since it's been a while and installed
> roughly 31 Windows updates including the latest version of .net
>
> After that, I rebooted server and logged in normally.. However, my users
> reported they could no longer access the website we had on there..
>
> Now, some details about the website.. It's a single IIS server with only
> one site (excluding the administration site etc.) And again, it worked fine
> before the windows updates.
>
> I tested the page and I would get "Cannot find server or DNS Error".
>
> If I removed the SSL requirement, the page would load fine.. Now I
> tried removing and re-adding the certificate. Changing the SSL IP setup to
> everything I could think of, and restarting IIS on top of that as
> described in the various technet articles.
>
> Here is what I get from SSLDiag
>
> #WARNING:Handshake: 0x80090308 (-2146893048) error
>
> So that tells me that the certificate can't create a handshake between the
> client (in this case, the same server as the IIS box) and the Server.
>
> Can anyone shed some light on this?
>
> I've tried technet articles:
> 290051
> 260096
> 265847
> 324839
>
> I also called Verisign and had them double-check to make sure the
> certificate was valid.. They saw nothing wrong with it.
>
> Can anyone shed some light as to what might have happened by just running
> windows updates?
| |
| Paul -- Whitmont 2004-12-10, 8:47 pm |
| Hey there..
I wish it were that easy.. I verified the CA from Verisign is the latest and
not outdated..
In regards to your update.. I have applied all updates off Windows update
only.. It shows 0 critical updates need to be installed..
"Miha Pihler" wrote:
> Hi Paul,
>
> I could be way off, but can you check that this is not a problem:
>
> Expiration of VeriSign Global Server ID Intermediate Root CA on 1/7/2004
> http://www.verisign.com/support/ven...p-gsid-ssl.html
>
> Intermediate CA Replacement Instructions
> https://www.verisign.com/support/si...ement.html#iis5
>
> Was one of the patches that you installed MS04-011?
>
> I hope this helps :-)
>
> Mike
>
> "Paul -- Whitmont" <Paul -- Whitmont@discussions.microsoft.com> wrote in
> message news:CC336D39-BE73-4B89-BAA1-6C63E77072D1@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-12-10, 8:47 pm |
| Paul,
Can you check and make sure that there is no other application that would
want to listen on TCP port 443 (your SSL port).
If you need to, you can use the TCP View tool from www.sysinternals.com to see
which services are running on which TCP port.
Mike
"Paul -- Whitmont" <PaulWhitmont@discussions.microsoft.com> wrote in message
news:E5659170-9A9A-4BDD-B631-2EF8FA02CB28@microsoft.com...
> Hey there..
>
> I wish it were that easy.. I verified the CA from Verisign is the latest
> and not outdated..
>
> In regards to your update.. I have applied all updates off Windows update
> only.. It shows 0 critical updates need to be installed..
> "Miha Pihler" wrote:
>
| |
| Paul -- Whitmont 2004-12-11, 3:36 am |
| I did a netstat -n -a and got this line
TCP 0.0.0.0:443 0.0.0.0 LISTENING
I didn't see this in the viewer you suggested.
I do not have the SSL cert on any website, but it is loaded..
Would that suggest anything to you?
Thanks so much!
"Miha Pihler" wrote:
> Paul,
>
> Can you check and make sure that there is no other application that would
> want to listen on TCP port 443 (your SSL port).
>
> If you need you can use tools TCP View from www.sysinternals.com to see
> which services are running on which TCP port.
>
> Mike
>
> "Paul -- Whitmont" <PaulWhitmont@discussions.microsoft.com> wrote in message
> news:E5659170-9A9A-4BDD-B631-2EF8FA02CB28@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-12-11, 8:36 am |
| Paul,
With netstat you only see that there is _something_ listening on 443 port.
What we need to figure out is what. Is it IIS or something else...
Can you run this
tcpvcon.exe -a
from command line on your server. Tcpvcon is another tool in TCP View
package from Sysinternals.
Mike
"Paul -- Whitmont" <PaulWhitmont@discussions.microsoft.com> wrote in message
news:1F46015E-6250-4EA8-BC27-B6575F03CB34@microsoft.com...
> I did a netstat -n -a and got this line
>
> TCP 0.0.0.0:443 0.0.0.0 LISTENING
>
> I didn't see this in the viewer you suggested.
> I do not have the SSL cert on any website, but it is loaded..
>
> Would that suggest anything to you?
>
> Thanks so much!
>
> "Miha Pihler" wrote:
>
| |
| Leon Mayne [MVP] 2004-12-13, 8:38 am |
| Paul -- Whitmont wrote:
> #WARNING:Handshake: 0x80090308 (-2146893048) error
>
> So that tells me that the certificate can't create a handshake
> between the client (in this case, the same server as the IIS box) and
> the Server.
Is it possible your private key became corrupted? Do you have a backup of
the entire cert (including private key) you could restore from?
| |
| Paul -- Whitmont 2004-12-13, 6:38 pm |
| Ran the command. We're on the right track.. I found a copy of iftpd running
on the system which was on the https service.. Killed that but still no go..
Here is the text file.. Hopefully you notice something I don't.
"Miha Pihler" wrote:
> Paul,
>
> With netstat you only see that there is _something_ listening on 443 port.
> What we need to figure out is what. Is it IIS or something else...
>
> Can you run this
>
> tcpvcon.exe -a
>
> from command line on your server. Tcpvcon is another tool in TCP View
> package from Sysinternals.
>
> Mike
>
> "Paul -- Whitmont" <PaulWhitmont@discussions.microsoft.com> wrote in message
> news:1F46015E-6250-4EA8-BC27-B6575F03CB34@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-12-13, 6:38 pm |
| Paul,
I hope that "iftpd" was there for a good reason and not because your server
was hacked...
In your log that you posted I can't find anything listening on 443. Can you
configure now your IIS with SSL and make sure that SSL port has 443 entered.
If necessary, restart IIS services and try to connect to your site on https
address.
If it doesn't work run
tcpvcon.exe -a
again.
Mike
"Paul -- Whitmont" <PaulWhitmont@discussions.microsoft.com> wrote in message
news:54378CF8-233D-4AB6-A832-E28A8D7F307A@microsoft.com...
> Ran the command. We're on the right track.. I found a copy of iftpd
> running on the system which was on the https service.. Killed that but
> still no go..
> Here is the text file.. Hopefully you notice something I don't.
<snip>
| |
| Paul -- Whitmont 2004-12-14, 6:41 pm |
| That IFTP was NOT there for a good reason.. soon as I saw it, I removed it,
rebooted and problem was resolved!!
That tool did the trick.. thank you so much for your help!
"Miha Pihler" wrote:
> Paul,
>
> I hope that "iftpd" was there for a good reason and not because your server
> was hacked...
>
> In your log that you posted I can't find anything listening on 443. Can you
> configure now your IIS with SSL and make sure that SSL port has 443 entered.
> If necessary, restart IIS services and try to connect to your site on https
> address.
>
> If it doesn't work run
>
> tcpvcon.exe -a
>
> again.
>
> Mike
>
> "Paul -- Whitmont" <PaulWhitmont@discussions.microsoft.com> wrote in message
> news:54378CF8-233D-4AB6-A832-E28A8D7F307A@microsoft.com...
>
> <snip>
>
>
>
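The check this thread converged on, written out as an added example (not code from the thread or from Sysinternals): parse `tcpvcon.exe -a` output in the `[TCP] path / PID / State / Local / Remote` layout and report any process other than IIS (`inetinfo.exe`) that holds the listener on the https port. The sample records are constructed; the iftpd path, its PID and the `example.com` hostnames are assumptions.

```python
import re

# Constructed sample in the layout tcpvcon printed in this thread. The iftpd
# path, its PID and the example.com names are made up. One image path is
# wrapped across two lines, as happened to long paths in the posted log.
SAMPLE = r"""
[TCP] C:\WINNT\System32\inetsrv\inetinfo.exe
PID: 4112
State: LISTENING
Local: support:http
Remote: support:0
[TCP] C:\example\iftpd
.exe
PID: 3120
State: LISTENING
Local: support:https
Remote: support:0
[TCP] System
PID: 8
State: TIME_WAIT
Local: support.example.com:4022
Remote: support.example.com:ms-sql-s
[UDP] C:\WINNT\system32\lsass.exe
PID: 252
Local: support.example.com:isakmp
Remote: *:*
"""

RECORD_START = re.compile(r"^\[(TCP|UDP)\]\s*(.*)$")
FIELD = re.compile(r"^(PID|State|Local|Remote):\s*(.*)$")
# The output shows well-known ports as service names, so map the ones needed.
PORT_NAMES = {"https": 443, "http": 80, "smtp": 25}


def parse_tcpvcon(text):
    """Return one dict per endpoint: proto, path, pid, state, local, remote."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = RECORD_START.match(line)
        if start:
            current = {"proto": start.group(1), "path": start.group(2), "state": None}
            records.append(current)
            continue
        if current is None:
            continue
        field = FIELD.match(line)
        if field:
            key, value = field.group(1).lower(), field.group(2)
            current[key] = int(value) if key == "pid" else value
        elif "pid" not in current:
            # A non-field line before "PID:" is the tail of a wrapped path.
            current["path"] += line
    return records


def local_port(endpoint):
    """Port from 'host:port' or 'host:service'; None for an unmapped name."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else PORT_NAMES.get(port.lower())


def listeners_on(records, port):
    """TCP endpoints in LISTENING state bound to the given local port."""
    return [r for r in records
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and local_port(r.get("local", "")) == port]


def unexpected_listeners(records, port=443, expected="inetinfo.exe"):
    """Listeners on `port` whose image name is not the expected server."""
    return [r for r in listeners_on(records, port)
            if r["path"].rsplit("\\", 1)[-1].lower() != expected.lower()]


if __name__ == "__main__":
    for r in unexpected_listeners(parse_tcpvcon(SAMPLE)):
        print(f"port 443 is held by PID {r['pid']}: {r['path']}")
```

An empty result from `listeners_on(records, 443)` matches the second state seen in the thread, where nothing was bound to 443 until IIS was reconfigured and restarted.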