[THIN] Re: many instances of csrss.exe
- From: "Mack, Rick" <RMack@xxxxxxxxxxxxxx>
- To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
- Date: Fri, 21 Feb 2003 14:31:58 +1100
Hi People,
Got called in to have a look at this one, the wonders of remote access;-).
There really were hundreds of instances of csrss.exe, from 500-2400 and
growing on servers in the farm that were hosting the main published app, a
desktop session.
Most instances of csrss.exe had no accompanying instances of winlogon.exe
One of the servers has very high sessionid numbers (thousands) despite the
fact the server had been running for less than 11 hours and had 30-40 users,
in at best the second shift since server reboot. Session Ids should have
been no more than 200.
When logins were disabled, the number of instances of csrss.exe started
falling.
Basically it takes quite a while for csrss.exe to die after an aborted login
attempt. So if the aborted login attempts are frequent enough, there will be
a net increase in the number of instances of csrss.exe on a server.
Still have to track down the offending machine, but I guess this rates as an
ICA denial of service attack.
One to watch out for.
Regards,
Rick
Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Solutions
18 Heussler Terrace, Milton 4064
Queensland Australia.
tel +61 7 3246 7777
*********************************************************
This Week's Sponsor - Neoware
Now through March 31, 2003
Neoware is offering a Capio 500/Eon Proven 2100
for $299! Click the link below:
http://www.neoware.com/promocp4a/thinnetban.html
**********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
Other related posts:
- » [THIN] Re: many instances of csrss.exe
