IIS Server Security - mstask.exe


Author mstask.exe
Brian

2004-06-29, 5:55 pm

We are running a w2k webserver, every time the server is rebooted mstask.exe
runs on port 80 which will not allow the website to restart. I have to use a
tcp viewer and end the process of mstask.exe. I can't see what is calling
mstask on start up to run on port 80. Any suggestions?


Ken Schaefer

2004-06-30, 3:37 am

Sounds like your machine has been compromised. Consider restoring from known
good backups.

Additionally:
a) run anti-virus software
b) run anti-spyware software (such as AdAware - www.lavasoftusa.com)
c) check server for unpatched vulnerabilities:
http://www.microsoft.com/technet/se...s/mbsahome.mspx

The process itself could be started from a number of locations (Start
Menu -> Startup group), registry (Run keys), and so forth. Another process
might restore it even if it's removed.

Personally I'd be quite worried about the situation...

Cheers
Ken


"Brian" <bwoodall@xpresssource.com> wrote in message
news:ecyRw3gXEHA.1128@TK2MSFTNGP10.phx.gbl...
: We are running a w2k webserver, every time the server is rebooted mstask.exe
: runs on port 80 which will not allow the website to restart. I have to use a
: tcp viewer and end the process of mstask.exe. I can't see what is calling
: mstask on start up to run on port 80. Any suggestions?


Paul Lynch

2004-06-30, 3:37 am

On Tue, 29 Jun 2004 14:19:00 -0500, "Brian"
<bwoodall@xpresssource.com> wrote:

>We are running a w2k webserver, every time the server is rebooted mstask.exe
>runs on port 80 which will not allow the website to restart. I have to use a
>tcp viewer and end the process of mstask.exe. I can't see what is calling
>mstask on start up to run on port 80. Any suggestions?
>


Brian,

The real mstask.exe is the Windows task scheduler process and would
not be listening on port 80. This process running on your machine
sounds very suspect. In addition to Ken's suggestions, try running
Sysinternals Autoruns to determine where this rogue process is being
called from at startup.

http://www.sysinternals.com/ntw2k/f.../autoruns.shtml


Regards,

Paul Lynch
MCSE
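
An added example, not part of the thread or any poster's code: one way to follow the advice above on a current Windows Server, where PowerShell is available (it is not on Windows 2000). It identifies the process bound to port 80, then lists the Run keys, Startup folders and, going slightly beyond the locations named in the thread, auto-start services that reference the same image name.

```powershell
# Added example. Assumes Windows Server 2012+ with PowerShell 5.1, run elevated.
$port = 80

# 1. Identify the process bound to the port. With IIS on http.sys the expected
#    owner is PID 4 (System), which has no image path.
$owners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty OwningProcess -Unique | ForEach-Object {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $_"
        [pscustomobject]@{
            Pid       = $_
            Name      = $p.Name
            Path      = $p.ExecutablePath
            Signature = if ($p.ExecutablePath) {
                (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
            } else { 'n/a' }
        }
    }

# 2. Collect autostart entries: Run/RunOnce keys, Startup folders, auto-start services.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$startupDirs = [Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

$entries = @(
    foreach ($key in $runKeys) {
        $k = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($k) { foreach ($n in $k.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $n; Command = [string]$k.GetValue($n) } } }
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $target }
        }
    }
    Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
)

# 3. Show the port owner, then every autostart entry that references its image name.
$owners | Format-List
$pattern = ($owners | Where-Object Path | ForEach-Object { [regex]::Escape((Split-Path $_.Path -Leaf)) }) -join '|'
if ($pattern) { $entries | Where-Object { $_.Command -match $pattern } | Format-Table -AutoSize -Wrap }
```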