iis security: We are running a w2k webserver, everytime the server is rebooted mstask.exe
runs on port 80 which will not allow the website to restart. I have to us a
tcp viewer and end the process of mstask.exe. I can't see what is calling
mstask on start up to run on port 80. Any suggestions?

On Tue, 29 Jun 2004 14:19:00 -0500, "Brian"
[quoted text, click to view]

Brian,

The real mstask.exe is the Windows task scheduler process and would
not be listening on port 80. This process running on your machine
sounds very suspect. In addition to ken's suggestions try running
Sysinternals Autoruns to determine where this rogue process is being
called from at startup.

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml


Regards,

Paul Lynch

Sounds like your machine has been compromised. Consider restoring from known
good backups.

Additionally:
a) run anti-virus software
b) run anti-spyware software (such as AdAware - www.lavasoftusa.com)
c) check server for unpatched vulnerbailities:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

THe process itself could be started from a number of locations (Start
Menu -> Startup group), registry (Run keys), and so forth. Another process
might restore it even if it's removed.

Personally I'd be quiet worried about the situation...

Cheers
Ken


[quoted text, click to view]
: We are running a w2k webserver, everytime the server is rebooted
mstask.exe
: runs on port 80 which will not allow the website to restart. I have to us
a
: tcp viewer and end the process of mstask.exe. I can't see what is calling
: mstask on start up to run on port 80. Any suggestions?
:
: