Running a business as a reseller web host, you'll often receive an email from your upstream provider reporting security violations. If you do not correct the problem in a timely manner, your upstream provider may block inbound and outbound traffic to and from the affected server.
Today, we received a security report from Savvis indicating that one of our Windows 2003 servers is sweeping TCP port 445. This obviously violates their "Acceptable Use Policy". Here is a snippet of their log entry.
22:11:55 [IP ADDRESS HIDDEN] 0.0.0.0 [TCP-SWEEP]
A TCP sweep is a scan of a single TCP port across many hosts, in this case port 445 (SMB). Since our client has no idea what a TCP sweep is, chances are the server is running malicious code. The machine is either compromised, or someone unknowingly installed malicious 3rd-party software. Regardless, the server is running unwanted software that attacks other servers.
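To show what a provider's (or your own) log monitoring is looking for, here is an added detection example that is not Savvis's code or log format: it reads constructed connection-log lines and flags any source that contacts many distinct hosts on port 445 within a short window. The line layout, the sample addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "HH:MM:SS src dst:port" layout
# (not the Savvis format quoted above). 10.0.0.7 fans out to six hosts on 445,
# the classic sweep pattern; 10.0.0.9 only talks to one host on 445.
SAMPLE_LOG = """\
22:11:50 10.0.0.7 192.0.2.1:445
22:11:50 10.0.0.7 192.0.2.2:445
22:11:51 10.0.0.7 192.0.2.3:445
22:11:51 10.0.0.7 192.0.2.4:445
22:11:52 10.0.0.7 192.0.2.5:445
22:11:52 10.0.0.7 192.0.2.6:445
22:11:53 10.0.0.9 192.0.2.1:445
22:11:53 10.0.0.9 192.0.2.1:445
22:11:54 10.0.0.9 198.51.100.8:80
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+):(\d+)$")


def parse_log(text):
    """Yield (seconds_since_midnight, src, dst, port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        h, mi, s = (int(x) for x in m.group(1).split(":"))
        yield h * 3600 + mi * 60 + s, m.group(2), m.group(3), int(m.group(4))


def find_sweeps(text, port=445, window=60, threshold=5):
    """Return {src: max_distinct_dst} for every source that reached at least
    `threshold` distinct destinations on `port` inside any `window`-second span.
    Distinct destinations (not connection count) is what separates a sweep
    from a busy but legitimate client talking to one file server."""
    events = sorted(e for e in parse_log(text) if e[3] == port)
    per_src = defaultdict(list)  # src -> [(ts, dst), ...] in time order
    for ts, src, dst, _ in events:
        per_src[src].append((ts, dst))
    sweepers = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            distinct = {d for _, d in hits[start:end + 1]}
            if len(distinct) >= threshold:
                sweepers[src] = max(sweepers.get(src, 0), len(distinct))
    return sweepers
```

Running `find_sweeps(SAMPLE_LOG)` flags only 10.0.0.7; raising the threshold or shrinking the window tunes how aggressive the alert is.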
The best way to resolve this issue is to rebuild the OS and restore the system to a healthy state. It is also a good idea to review the software that is installed on the system, determine the root cause of the compromise, and prevent it from happening again.