[THIN] Re: Known ICA vulnerabilities?

  • From: "Matthew Shrewsbury" <MShrewsbury@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 23 Mar 2006 14:56:40 -0500

Hmmm this seems a little odd to me. Seems to be connecting to itself? Is this 
normal? I'm seeing this on both Citrix servers.

TCP    APP-02:1255            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1256            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1321            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1322            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1344            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1345            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1359            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1360            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1256  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1322  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1345  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1360  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1645  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1654  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1726  ESTABLISHED
TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1739  ESTABLISHED
TCP    APP-02:1643            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1644            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1645            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1653            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1654            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1725            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1726            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:1738            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
TCP    APP-02:1739            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1255  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1321  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1344  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1359  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1643  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1644  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1653  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1725  ESTABLISHED
TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1738  ESTABLISHED

Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
Network Manager
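The listing above shows the kind of output NETSTAT gives and Steve's note further down suggests reading it for servers talking to places they shouldn't. As an added example, not from the thread or from Citrix, the script below parses a NETSTAT dump, pairs each connection to the local host with its mirror entry (one local socket shows up twice, once per end), lists the peers holding sessions on a given port, and flags established TCP connections that touch neither a known service port nor a known peer. The sample lines are constructed in the format of the APP-02 output; WKS-17, 203.0.113.9 and port 5555 are placeholders, and the known-port and trusted-host sets are assumptions to be filled in per site.

```python
"""Triage a Windows NETSTAT dump: pair self-connections, flag odd peers.

Added example (not from the thread). The sample below is constructed in the
format of the APP-02 output; WKS-17, 203.0.113.9 and port 5555 are placeholders.
"""
import re

# Proto, local host:port, remote host:port, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

# Constructed sample in the format of the posted netstat output
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    APP-02:1255            APP-02.COSCANHOMES.COM:9742  ESTABLISHED
  TCP    APP-02:1256            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
  TCP    APP-02:1494            APP-02.COSCANHOMES.COM:1256  ESTABLISHED
  TCP    APP-02:9742            APP-02.COSCANHOMES.COM:1255  ESTABLISHED
  TCP    APP-02:1494            WKS-17.COSCANHOMES.COM:3210  ESTABLISHED
  TCP    APP-02:1400            203.0.113.9:5555       ESTABLISHED
  TCP    APP-02:1645            APP-02.COSCANHOMES.COM:1494  ESTABLISHED
  UDP    APP-02:1604            *:*
"""


def short_host(name):
    """Strip the DNS suffix so APP-02 and APP-02.COSCANHOMES.COM compare equal.
    IP addresses and '*' are returned unchanged."""
    if all(part.isdigit() for part in name.split(".")):
        return name
    return name.split(".")[0].upper()


def parse_netstat(text):
    """Parse netstat lines into dicts; header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        conns.append({
            "proto": proto,
            "lhost": short_host(lhost),
            "lport": int(lport) if lport.isdigit() else None,
            "rhost": short_host(rhost),
            "rport": int(rport) if rport.isdigit() else None,
            "state": state,
        })
    return conns


def pair_self_connections(conns):
    """Match each connection to the local host with its mirror entry.

    One local socket appears twice in netstat: as A:1256 -> A:1494 and again as
    A:1494 -> A:1256. Returns (paired, unpaired); a self-connection without its
    mirror has only one visible end, which is the one to look at more closely.
    """
    keyed = {(c["lport"], c["rport"]): c for c in conns
             if c["proto"] == "TCP" and c["lhost"] == c["rhost"]}
    paired, unpaired = [], []
    for (lp, rp), c in keyed.items():
        if (rp, lp) in keyed:
            if lp < rp:            # report each socket once
                paired.append((c, keyed[(rp, lp)]))
        else:
            unpaired.append(c)
    return paired, unpaired


def peers_on_port(conns, port):
    """Sorted remote hosts holding an established TCP connection to a local port."""
    return sorted({c["rhost"] for c in conns
                   if c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
                   and c["lport"] == port})


def flag_unexpected(conns, known_ports, trusted_hosts):
    """Established TCP connections touching neither a known port nor a trusted host.

    known_ports: ports this server is expected to serve or call (1494 for ICA).
    trusted_hosts: short, upper-cased names of peers you expect (assumed list).
    """
    return [c for c in conns
            if c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
            and c["rhost"] not in trusted_hosts
            and c["lport"] not in known_ports and c["rport"] not in known_ports]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    paired, unpaired = pair_self_connections(conns)
    print(f"{len(paired)} self-connections paired, {len(unpaired)} unpaired")
    for c in unpaired:
        print(f"  unpaired: {c['lhost']}:{c['lport']} -> {c['rhost']}:{c['rport']}")
    print("peers on 1494:", peers_on_port(conns, 1494))
    for c in flag_unexpected(conns, known_ports={1494}, trusted_hosts={"APP-02"}):
        print(f"  check: {c['lhost']}:{c['lport']} -> {c['rhost']}:{c['rport']}")
```

Replace SAMPLE with the text of a saved NETSTAT run to use it on real output. A self-connection that pairs up is simply both ends of one local socket, which is what you would expect when a process on the server has opened a session to its own listener; the entries worth chasing are the unpaired ones, a peer list on 1494 containing hosts you do not recognise, and anything flag_unexpected returns.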
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Steve Parr
Sent: Thursday, March 23, 2006 2:25 PM
To: Thinlist
Subject: [THIN] Re: Known ICA vulnerabilities?

Matthew meant to say run 'NETSTAT' from the command line.
   

-----Original Message-----
From: Steve Parr <sparr@xxxxxxxxxxxxx>
Date: Thu, 23 Mar 2006 14:41:00 
To:"'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
Subject: [THIN] Re: Known ICA vulnerabilities?

Run an online scan like Trend Micro - maybe your virus program is not working 
properly and you're infected.
 
Also do some spyware scans.
 
If you run NETSAT from the command line you can see if servers are trying to connect to 
somewhere they shouldn't be, or if something is coming inbound that should not 
be.
 
When your servers are running fine would be a good time to run the scans.
 
-----Original Message-----
 From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx] 
 Sent: Thursday, March 23, 2006 2:22 PM
 To: thin@xxxxxxxxxxxxx
 Subject: [THIN] Re: Known ICA vulnerabilities?
 
That's the problem, when the system starts going slow I can't see what 
processes are running. I managed to get Task Manager up one time but all I 
could see was the CPU and it pretty much froze when I tried to look at the 
tasks. 
 
Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
 
Network Manager
 
-----Original Message-----
 From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf 
Of Steve Parr
 Sent: Thursday, March 23, 2006 2:17 PM
 To: 'thin@xxxxxxxxxxxxx'
 Subject: [THIN] Re: Known ICA vulnerabilities?
 
Do a packet sniff on the LAN to see if anything is out of the ordinary.
 
What processes can you see running on the Citrix boxes when it slows down?
 
-----Original Message-----
 From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx] 
 Sent: Thursday, March 23, 2006 1:59 PM
 To: thin@xxxxxxxxxxxxx
 Subject: [THIN] Re: Known ICA vulnerabilities?
 
He worked mostly on PCs and LAN and had no access to routers. I found that when 
the problem occurs, unplugging the server from the network doesn't make any 
difference. It still grinds to a halt with no CPU or disk activity. 
 
Thanks for the info!
 
 
Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
 
Network Manager
 
-----Original Message-----
 From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf 
Of Steve Parr
 Sent: Thursday, March 23, 2006 1:59 PM
 To: 'thin@xxxxxxxxxxxxx'
 Subject: [THIN] Re: Known ICA vulnerabilities?
 
What did he work on?
 
Maybe switches\routing? Perhaps he has created problems by rearranging the 
uplinks or maybe a conflict with 10/100 vs Gb ports\switches\nics.
 
Maybe ACLs created on routers or some other fudging. Had that happen recently 
at a site where a jr. tech created a loop by an incorrectly placed uplink, and the same 
thing happened where the Citrix servers at that site were up and down till someone 
discovered the mistake.
 
-----Original Message-----
 From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx] 
 Sent: Thursday, March 23, 2006 1:36 PM
 To: thin@xxxxxxxxxxxxx
 Subject: [THIN] Known ICA vulnerabilities?
 
We had a Network Engineer leave (not on good terms) and since then I've been 
experiencing problems with our Citrix servers locking up. Maybe I'm just 
paranoid but the problem started happening right after he left and generally 
occurs between 10am and noon (never had problems before this). It doesn't 
happen every day but has occurred on both of our servers (win2K SP4/PS4). The 
server seems to just go slow with no disk or CPU utilization. 
 
Are there any known ICA vulnerabilities? Both of these servers have port 1494 
open facing the Internet. Any suggestions would be most helpful as I can't get 
on the server to diagnose when the problem occurs and all logs show things are 
normal.
 
Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
 
Network Manager
 