Ah, try tcpview from Sysinternals

On 3/24/06, Matthew Shrewsbury <MShrewsbury@xxxxxxxxxxxxxxx> wrote:
>
> Good idea but only works on W2K3 or XP.
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of thinlist@xxxxxxxxx
> Sent: Friday, March 24, 2006 5:56 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> use the -b flag of netstat to tell you the process associated with those
> connections.
>
> On 3/23/06, Matthew Shrewsbury <MShrewsbury@xxxxxxxxxxxxxxx> wrote:
>
> Hmmm this seems a little odd to me. Seems to be connecting to itself? Is
> this normal? I'm seeing this on both Citrix servers.
>
> TCP APP-02:1255 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1256 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1321 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1322 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1344 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1345 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1359 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1360 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1256 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1322 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1345 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1360 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1645 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1654 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1726 ESTABLISHED
> TCP APP-02:1494 APP-02.COSCANHOMES.COM:1739 ESTABLISHED
> TCP APP-02:1643 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1644 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1645 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1653 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1654 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1725 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1726 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:1738 APP-02.COSCANHOMES.COM:9742 ESTABLISHED
> TCP APP-02:1739 APP-02.COSCANHOMES.COM:1494 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1255 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1321 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1344 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1359 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1643 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1644 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1653 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1725 ESTABLISHED
> TCP APP-02:9742 APP-02.COSCANHOMES.COM:1738 ESTABLISHED
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Parr
> Sent: Thursday, March 23, 2006 2:25 PM
> To: Thinlist
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> Matthew meant to say run 'NETSTAT' from the command line.
>
> -----Original Message-----
> From: Steve Parr <sparr@xxxxxxxxxxxxx>
> Date: Thu, 23 Mar 2006 14:41:00
> To: "'thin@xxxxxxxxxxxxx '" <thin@xxxxxxxxxxxxx>
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> Run an online scan like Trend Micro - maybe your Virus program is not
> working properly and you're infected.
>
> Also do some spyware scans.
>
> If you run NETSTAT from the command line you can see if servers are trying to
> connect to somewhere they shouldn't be or if something is coming inbound
> that should not be.
>
> When your servers are running fine would be a good time to run the scans.
>
> -----Original Message-----
> From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx]
> Sent: Thursday, March 23, 2006 2:22 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> That's the problem, when the system starts going slow I can't see what
> processes are running. I managed to get Task Manager up one time but all I
> could see was the CPU and it pretty much froze when I tried to look at the
> tasks.
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Parr
> Sent: Thursday, March 23, 2006 2:17 PM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> Do a packet sniff on the LAN to see if anything is out of the ordinary.
>
> What processes can you see running on the Citrix boxes when it slows down?
>
> -----Original Message-----
> From: Matthew Shrewsbury [mailto: MShrewsbury@xxxxxxxxxxxxxxx]
> Sent: Thursday, March 23, 2006 1:59 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> He worked mostly on PCs and LAN and had no access to routers. I found that
> when the problem occurs that unplugging the server from the network doesn't
> make any difference. It still grinds to a halt with no CPU or disk
> activity.
>
> Thanks for the info!
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Parr
> Sent: Thursday, March 23, 2006 1:59 PM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> What did he work on?
>
> Maybe switches\routing? Perhaps he has created problems by rearranging the
> uplinks or maybe a conflict with 10/100 vs Gb ports\switches\nics.
>
> Maybe ACLs created on routers or some other fudging. Had that happen
> recently at a site where a jr. tech created a loop by an incorrectly placed uplink
> and same thing where the Citrix servers at that site were up and down till
> someone discovered the mistake.
>
> -----Original Message-----
> From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx]
> Sent: Thursday, March 23, 2006 1:36 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Known ICA vulnerabilities?
>
> We had a Network Engineer leave (not on good terms) and since then I've
> been experiencing problems with our Citrix servers locking up. Maybe I'm
> just paranoid but the problem started happening right after he left and
> generally occurs between 10am and noon (never had problems before this).
> It doesn't happen every day but has occurred on both of our servers (win2K
> SP4/PS4). The server seems to just go slow with no disk or CPU utilization.
>
> Are there any known ICA vulnerabilities? Both of these servers have port
> 1494 open facing the Internet. Any suggestions would be most helpful as I
> can't get on the server to diagnose when the problem occurs and all logs
> show things are normal.
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
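
Added example, not part of the thread: for a netstat listing like the one quoted above, where the same host appears on both sides of every row, this Python sketch pairs the two rows that each same-host connection produces and groups them by the shared port, keeping rows with an external peer separate. The sample rows are constructed from the listing's host name and ports; `client.example.net` and the "port used by the most connections is the listener" heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample shaped like the listing in the thread: host name and
# ports are taken from it, the last row is a made-up external peer.
SAMPLE = """\
  TCP    APP-02:1255    APP-02.COSCANHOMES.COM:9742    ESTABLISHED
  TCP    APP-02:1256    APP-02.COSCANHOMES.COM:1494    ESTABLISHED
  TCP    APP-02:1321    APP-02.COSCANHOMES.COM:9742    ESTABLISHED
  TCP    APP-02:1322    APP-02.COSCANHOMES.COM:1494    ESTABLISHED
  TCP    APP-02:1494    APP-02.COSCANHOMES.COM:1256    ESTABLISHED
  TCP    APP-02:1494    APP-02.COSCANHOMES.COM:1322    ESTABLISHED
  TCP    APP-02:9742    APP-02.COSCANHOMES.COM:1255    ESTABLISHED
  TCP    APP-02:9742    APP-02.COSCANHOMES.COM:1321    ESTABLISHED
  TCP    APP-02:1494    client.example.net:3021        ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def short(host):
    """First DNS label, lower-cased, so APP-02 equals APP-02.COSCANHOMES.COM.
    Numeric addresses (netstat -n) are compared whole."""
    if host.replace(".", "").isdigit():
        return host
    return host.split(".")[0].lower()

def parse(text):
    """Return (local_host, local_port, peer_host, peer_port) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lh, lp, rh, rp, _state = m.groups()
            rows.append((short(lh), int(lp), short(rh), int(rp)))
    return rows

def classify(text):
    rows = parse(text)
    same = {(lp, rp) for lh, lp, rh, rp in rows if lh == rh}
    external = [(lp, rh, rp) for lh, lp, rh, rp in rows if lh != rh]
    # A connection between two sockets on one machine is listed twice,
    # once from each endpoint, so every (a, b) should have a (b, a).
    unpaired = sorted(p for p in same if (p[1], p[0]) not in same)
    # Heuristic (assumption): the port shared by the most connections is
    # the listening side; on a tie the lower port number is chosen.
    uses = Counter(lp for lp, _ in same)
    services = defaultdict(list)
    for a, b in sorted(same):
        if (b, a) in same and (uses[a], -a) > (uses[b], -b):
            services[a].append(b)
    return dict(services), external, unpaired
```

Rows left in `unpaired` or `external` are the ones to map to a process next, with `netstat -b` or TCPView as suggested in the thread.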