TCP Connection reset too fast


Sloup Michal

Hello,

Since yesterday (4.5.2004) we have been applying security patch
KB835732 (W32.Sasser.Worm hole) on all our client PCs
(Windows 2000 Professional SP2) and server (Windows 2000
Server SP2). This is the latest change in our environment.

Today some client-server applications (Oracle-based, SAP,
etc...) are disconnected from the server very often. We
captured network communication between client and server
and found out that the client requests connection, sends
it 3 times very quickly (50ms one after another) and then
resets the connection.

We checked TCP/IP parameters in Windows registry and all
is set to default values.

Can anyone advise where to look or what to trace,
etc...??!!

Any help is really appreciated.

Michal
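
The capture pattern described in the post above (repeated connection requests about 50 ms apart, then a reset) can be searched for across a whole trace. This is an added example, not part of the original thread; the packet tuples, addresses, ports and thresholds are constructed assumptions, and a real trace would first be exported from the capture tool into this form.

```python
from collections import defaultdict

# Constructed sample (not the poster's trace): (time_ms, src, sport, dst, dport, flags)
C1, C2, C3, SRV = "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.1"
SAMPLE = [
    # Pattern from the post: three SYNs 50 ms apart, then a client RST.
    (0, C1, 1045, SRV, 1521, {"SYN"}),
    (50, C1, 1045, SRV, 1521, {"SYN"}),
    (100, C1, 1045, SRV, 1521, {"SYN"}),
    (150, C1, 1045, SRV, 1521, {"RST"}),
    # Normal three-way handshake.
    (1000, C2, 1050, SRV, 1521, {"SYN"}),
    (1001, SRV, 1521, C2, 1050, {"SYN", "ACK"}),
    (1002, C2, 1050, SRV, 1521, {"ACK"}),
    # SYN retransmissions with multi-second backoff, then RST.
    (2000, C3, 1060, SRV, 3200, {"SYN"}),
    (5000, C3, 1060, SRV, 3200, {"SYN"}),
    (11000, C3, 1060, SRV, 3200, {"SYN"}),
    (23000, C3, 1060, SRV, 3200, {"RST"}),
]

def find_fast_syn_resets(packets, min_syns=3, max_gap_ms=100):
    """Flows where the client sent >= min_syns bare SYNs, each at most
    max_gap_ms after the previous one, and then reset the attempt.
    Both thresholds are assumptions to tune per environment."""
    flows = defaultdict(lambda: {"syns": [], "synack": False, "rst": None})
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == {"SYN"}:
            flows[fwd]["syns"].append(ts)
        elif flags == {"SYN", "ACK"} and rev in flows:
            flows[rev]["synack"] = True  # server reply, stored under the client's flow key
        elif "RST" in flags and fwd in flows and flows[fwd]["rst"] is None:
            flows[fwd]["rst"] = ts
    hits = []
    for key, f in flows.items():
        if f["rst"] is None:
            continue
        syns = [t for t in f["syns"] if t < f["rst"]]
        gaps = [b - a for a, b in zip(syns, syns[1:])]
        if len(syns) >= min_syns and max(gaps, default=0) <= max_gap_ms:
            hits.append({"flow": key, "syn_count": len(syns),
                         "max_gap_ms": max(gaps, default=0),
                         "server_answered": f["synack"]})
    return hits

if __name__ == "__main__":
    for hit in find_fast_syn_resets(SAMPLE):
        print(hit)
```

The `server_answered` field separates a client that gives up on a silent server from one that resets even though a SYN-ACK came back, which points the follow-up trace at different hosts.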
 
Hi Sloup,

Thanks for posting!

My name is Jeff and I understand your issue to be:
After applying MS04-011, some of your client systems get disconnected
from server in some third party applications like Oracle and SAP.

Based on your description, I believe a deeper netmon trace/live debug is
needed to analyze this issue. To get this issue addressed in a most
efficient way, please contact our Microsoft PSS team together with the
support team of these third party applications like Oracle to further debug
it.

As a temporary workaround, you may close these ports that the Sasser
virus may attack from the gateway of your system to the Internet and
uninstall this update on these client/server machines that had this issue.

To uninstall that update, please follow the steps below:
- Boot to the Recovery Console
- Go to %windir%\$NtUninstallKB835732$\spuninst
- Find spuninst.txt, then rename it to spuninst.bat or spuninst.cmd, and
run "Batch spuninst.bat > 835732.log".

Note: Or directly run "Batch spuninst.txt uninst835732.log" where
'uninst835732.log' is just for logging a file to check if the uninstall
process goes successfully.

For more information regarding that virus, please check it here:
http://www.microsoft.com/security/incident/sasser.asp

Please feel free to let me know if you have any further concerns or
questions regarding the issue.

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2000, MCDBA, MCSA
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
 
Hi Sloup,

Thank you for your update.

These two links refer to a TCP vulnerability that affects implementations of the
Transmission Control Protocol (TCP) that comply with the Internet
Engineering Task Force's (IETF's) Requests For Comments (RFCs) for TCP,
including RFC 793, the original specification, and RFC 1323, TCP Extensions
for High Performance.

Currently, I am not sure if this issue is related to your disconnection
under Windows implementations. Most systems affected seem to be from hardware
manufacturers that create routers. Microsoft has no information
regarding this TCP vulnerability now.

I will give you an update once I get any further information.

For now, I suggest you submit an online case to debug the original
issue.

Have a nice day!

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2000, MCDBA, MCSA
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
 