[THIN] Re: Known ICA vulnerabilities?

  • From: thinlist@xxxxxxxxx
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 27 Mar 2006 18:37:01 +0100

Ah, Try tcpview from sysinternals

On 3/24/06, Matthew Shrewsbury <MShrewsbury@xxxxxxxxxxxxxxx> wrote:
>
>  Good idea but only works on W2K3 or XP.
>
>
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
>
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of thinlist@xxxxxxxxx
> Sent: Friday, March 24, 2006 5:56 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
>
>
> Use the -b flag of netstat to tell you the process associated with those
> connections.
>
> On 3/23/06, Matthew Shrewsbury <MShrewsbury@xxxxxxxxxxxxxxx> wrote:
>
> Hmmm this seems a little odd to me. Seems to be connecting to itself? Is
> this normal? I'm seeing this on both Citrix servers.
>
> TCP    APP-02:1255            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1256            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1321            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1322            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1344            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1345            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1359            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1360            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1256   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1322   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1345   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1360   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1645   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1654   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1726   ESTABLISHED
> TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1739   ESTABLISHED
> TCP    APP-02:1643            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1644            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1645            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1653            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1654            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1725            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1726            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:1738            APP-02.COSCANHOMES.COM:9742   ESTABLISHED
> TCP    APP-02:1739            APP-02.COSCANHOMES.COM:1494   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1255   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1321   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1344   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1359   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1643   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1644   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1653   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1725   ESTABLISHED
> TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1738   ESTABLISHED
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Steve Parr
> Sent: Thursday, March 23, 2006 2:25 PM
> To: Thinlist
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> Matthew meant to say run 'NETSTAT' from the command line.
>
>
> -----Original Message-----
> From: Steve Parr <sparr@xxxxxxxxxxxxx>
> Date: Thu, 23 Mar 2006 14:41:00
> To:"'thin@xxxxxxxxxxxxx '" <thin@xxxxxxxxxxxxx>
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
> Run an online scan like Trend Micro - maybe your virus program is not
> working properly and you're infected.
>
> Also do some spyware scans.
>
> If you run NETSTAT from the command line you can see if servers are trying to
> connect to somewhere they shouldn't be or if something is coming inbound
> that should not be.
>
> When your servers are running fine would be a good time to run the scans.
>
>
>
> -----Original Message-----
> From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx]
> Sent: Thursday, March 23, 2006 2:22 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
>
>
> That's the problem, when the system starts going slow I can't see what
> processes are running. I managed to get Task Manager up one time but all I
> could see was the CPU and it pretty much froze when I tried to look at the
> tasks.
>
>
>
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
>
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Steve Parr
> Sent: Thursday, March 23, 2006 2:17 PM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
>
>
> Do a packet sniff on the LAN to see if anything is out of the ordinary.
>
> What processes can you see running on the Citrix boxes when it slows down?
>
>
>
> -----Original Message-----
> From: Matthew Shrewsbury [mailto: MShrewsbury@xxxxxxxxxxxxxxx]
> Sent: Thursday, March 23, 2006 1:59 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
>
>
> He worked mostly on PCs and LAN and had no access to routers. I found that
> when the problem occurs that unplugging the server from the network doesn't
> make any difference. It still grinds to a halt with no CPU or disk
> activity.
>
>
>
> Thanks for the info!
>
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
>
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Steve Parr
> Sent: Thursday, March 23, 2006 1:59 PM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Known ICA vulnerabilities?
>
>
>
> What did he work on?
>
> Maybe switches\routing? Perhaps he has created problems by rearranging the
> uplinks or maybe a conflict with 10/100 vs Gb ports\switches\nics.
>
> Maybe ACLs created on routers or some other fudging. Had that happen
> recently at a site where a jr. tech created a loop with an incorrectly placed
> uplink, and same thing where the Citrix servers at that site were up and down
> till someone discovered the mistake.
>
>
>
> -----Original Message-----
> From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx]
> Sent: Thursday, March 23, 2006 1:36 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Known ICA vulnerabilities?
>
>
>
> We had a Network Engineer leave (not on good terms) and since then I've
> been experiencing problems with our Citrix servers locking up. Maybe I'm
> just paranoid but the problem started happening right after he left and
> generally occurs between 10am and noon (never had problems before this). It
> doesn't happen every day but has occurred on both of our servers (win2K
> SP4/PS4). The server seems to just go slow with no disk or CPU utilization.
>
>
>
> Are there any known ICA vulnerabilities? Both of these servers have port
> 1494 open facing the Internet. Any suggestions would be most helpful as I
> can't get on the server to diagnose when the problem occurs and all logs
> show things are normal.
>
>
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
>
> Network Manager
>
>
>
>
>
>

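The thread's advice is to read NETSTAT output (with -b to attach a process name) and decide whether the server is talking to itself or to something it should not be. The script below is an added example, not code from anyone in the thread: it parses netstat rows in the name-resolved layout Matthew pasted, pairs up the sockets whose both ends sit on the same host (netstat lists each such socket twice, once from each end), separates them from genuinely remote clients, and guesses the listening ports from how many connections each accepts. The sample input is constructed from the thread's APP-02 lines plus one made-up WORKSTATION-17 client line; matching hosts by their first DNS label, and treating a port with more than one connection as a listener, are assumptions of this example. The -b process name is the authoritative answer and this parser cannot supply it.

```python
import re
from collections import Counter

# Constructed sample in the layout Windows netstat prints when it resolves
# names (no -n). The APP-02 lines mirror the thread's output; the
# WORKSTATION-17 line is made up to show a genuinely remote client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address                 State
  TCP    APP-02:1255            APP-02.COSCANHOMES.COM:9742     ESTABLISHED
  TCP    APP-02:1256            APP-02.COSCANHOMES.COM:1494     ESTABLISHED
  TCP    APP-02:1321            APP-02.COSCANHOMES.COM:9742     ESTABLISHED
  TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1256     ESTABLISHED
  TCP    APP-02:1494            WORKSTATION-17.COSCANHOMES.COM:3421  ESTABLISHED
  TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1255     ESTABLISHED
  TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1321     ESTABLISHED
"""

# One netstat row: protocol, local host:port, foreign host:port, state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Turn netstat text into a list of connection dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        conns.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                      "rhost": rhost, "rport": int(rport), "state": state})
    return conns


def short_name(host):
    """netstat shows the local end as a short name and the foreign end as an
    FQDN; comparing the first label is an assumption that fits this output."""
    return host.split(".")[0].lower()


def service_ports(conns):
    """Ports seen as the local port of more than one connection are taken to be
    accepting listeners (assumption); ephemeral client ports are used once."""
    counts = Counter(c["lport"] for c in conns)
    return {port for port, n in counts.items() if n > 1}


def self_connections(conns):
    """Map each service port to the local client ports connected to it from the
    same host. netstat lists every intra-host socket twice (once per end);
    keeping only the listener's view counts each socket once."""
    services = service_ports(conns)
    result = {}
    for c in conns:
        if short_name(c["lhost"]) != short_name(c["rhost"]):
            continue
        if c["lport"] in services and c["rport"] not in services:
            result.setdefault(c["lport"], []).append(c["rport"])
    return {port: sorted(clients) for port, clients in result.items()}


def remote_connections(conns):
    """Connections to a service port whose other end is a different host;
    for a listener exposed to the Internet these are the lines to review."""
    services = service_ports(conns)
    return sorted((c["rhost"], c["rport"], c["lport"]) for c in conns
                  if c["lport"] in services
                  and short_name(c["lhost"]) != short_name(c["rhost"]))


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listeners:", sorted(service_ports(conns)))
    for port, clients in sorted(self_connections(conns).items()):
        print(f"port {port}: {len(clients)} connection(s) from this host, client ports {clients}")
    for rhost, rport, lport in remote_connections(conns):
        print(f"port {lport}: remote client {rhost}:{rport}")
```

On the sample it reports 1494 and 9742 as listeners, one local client socket on 1494 and two on 9742, and a single remote client on 1494. Run against a live `netstat -b` capture, the self-connection list is the part to reconcile with the process names netstat prints, and the remote list is what to compare against the hosts expected to reach the Internet-facing 1494 listener.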