My Server is Polling Every IP Address

 
 
A StanTech Associate
      10-09-2006, 05:45 PM
My SBS2003 server is polling every IP address and generating 100 to 200
network requests per second. This is bogging down everything. SNMP is not
installed and I cannot find the reason for the polling. I have stopped every
stoppable service and process without success. I have spent over 6 hours
searching for the cause of this constant poll.

Following is a dump of the Network Monitor for one line. I have noted the
MAC address of my server and the router with <<<<<--

19 0.080115 LOCAL 00045AEEB017 UDP Src Port: Unknown (35846); Dst Port:
Unknown (38293); Length = 24 (0x18) STAISBS1 192.171.39.47 IP
FRAME: Base frame properties
FRAME: Time of capture = 10/9/2006 1:55:10 PM
FRAME: Time delta from previous physical frame: 10014 microseconds
FRAME: Frame number: 19
FRAME: Total frame length: 58 bytes
FRAME: Capture frame length: 58 bytes
FRAME: Frame data: Number of data bytes remaining = 58 (0x003A)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 00045AEEB017 <<<<<--Gateway/Router
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 00A0C966E3ED <<<<<--SBS2003 Server
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 47096; Total IP Length = 44;
Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 44 (0x2C)
IP: Identification = 47096 (0xB7F8)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 32 (0x20)
IP: Protocol = UDP - User Datagram
IP: Checksum = 14440 (0x3868)
IP: Source Address = 192.168.1.222
IP: Destination Address = 192.171.39.47
UDP: Src Port: Unknown (35846); Dst Port: Unknown (38293); Length = 24 (0x18)
UDP: Source Port = 0x8C06
UDP: Destination Port = 0x9595
UDP: Total length = 24 (0x18)
UDP: UDP Checksum = 0x02AC
UDP: Data: Number of data bytes remaining = 16 (0x0010)
00000: 00 04 5A EE B0 17 00 A0 C9 66 E3 ED 08 00 45 00 ..Zî°.. Éfãí..E.
00010: 00 2C B7 F8 00 00 20 11 38 68 C0 A8 01 DE C0 AB .,·ø.. .8hÀ¨.ÞÀ«
00020: 27 2F 8C 06 95 95 00 18 02 AC 02 0A 00 C0 4C 44 '/Œ.••...¬...ÀLD
00030: 56 50 48 69 43 4D 00 00 00 00 VPHiCM....
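
Decoding the captured frame, as an added example that is not part of the original post: this Python script parses the 58 bytes of the hex dump above into Ethernet, IPv4 and UDP fields and verifies both checksums. The function and key names are illustrative; the only input is the dump itself.

```python
import ipaddress
import struct

# Frame 19, copied byte for byte from the hex dump in the post above.
FRAME_HEX = """
00 04 5A EE B0 17 00 A0 C9 66 E3 ED 08 00 45 00
00 2C B7 F8 00 00 20 11 38 68 C0 A8 01 DE C0 AB
27 2F 8C 06 95 95 00 18 02 AC 02 0A 00 C0 4C 44
56 50 48 69 43 4D 00 00 00 00
"""
FRAME = bytes.fromhex("".join(FRAME_HEX.split()))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / UDP frame and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4              # IP header length in bytes
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = frame[14 + ihl:14 + total_len]      # trims any Ethernet padding
    sport, dport, udp_len, udp_csum = struct.unpack("!4H", udp[:8])
    payload = udp[8:udp_len]
    # UDP checksum covers a pseudo-header: src IP, dst IP, zero, proto, length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, udp_len)
    dst_ip = ipaddress.IPv4Address(ip[16:20])
    return {
        "src_mac": src_mac.hex(), "dst_mac": dst_mac.hex(),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(dst_ip), "dst_is_private": dst_ip.is_private,
        "ttl": ttl, "src_port": sport, "dst_port": dport,
        # Data that includes its own checksum sums to 0xFFFF when intact.
        "ip_checksum_ok": ones_complement_sum(ip) == 0xFFFF,
        "udp_checksum_ok": udp_csum == 0
        or ones_complement_sum(pseudo + udp[:udp_len]) == 0xFFFF,
        "payload_text": "".join(chr(b) if 32 <= b < 127 else "." for b in payload),
    }


if __name__ == "__main__":
    for key, value in decode_frame(FRAME).items():
        print(f"{key:16} {value}")
```

Both checksums verify, so the frame is a well-formed datagram rather than corrupted data, and its destination lies outside private address space. The printable payload bytes (`LDVPHiCM`) and destination port 38293 are the values to match against installed software when tracing the sender.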




 
Phillip Windell
      10-09-2006, 10:11 PM
I'd bet you're infected with something.

Find a copy of TCPView (www.sysinternals.com ?). It will show you all the
executables that have initiated network connections. See if you can find
something that doesn't belong there. Of course a good anti-virus product
and anti-spyware product would be good to use as well.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 
A StanTech Associate
      10-10-2006, 01:32 AM
Thanks for your reply. I have Symantec Corporate v10.0 running on the server
as well as Spyware Doctor Enterprise. I have tried MS defender and other
stuff to try to detect a booger without success.

 
T. Uranjek
      10-10-2006, 08:29 AM
Did you check for rootkits? You can find RootkitRevealer on
www.sysinternals.com. If you can not find anything, are you sure it's not
hardware fault? Have you tried to change your network card?

Toni

 
A StanTech Associate
      10-10-2006, 01:51 PM
I am looking into this possibility...but this server is protected by NAV,
Spyware Doctor and others. It has never been unprotected since loaded 3
months ago. But...stuff happens. Thanks for the info on RootKitRevealer.