Unknown Security Support Provider

  • Thread starter Thread starter Jeff Lyons
  • Start date Start date
J

Jeff Lyons

W2K server.
We have an ADSL link to the server which is used for
internet purposes. Recently we have not been able to
access web pages, although the link is clearly up. The
modem's LAN light goes out. Status of the line showed lots
of traffic going out and not much coming in. I managed to
use Network monitor to capture the traffic. We're spewing
out SSP traffic (2000+ frames in 2 seconds). SSP
= "Unknown Security Support Provider". This computer has
2 NICs and uses Internet Connection Sharing. These SSP
packets go out to both the local LAN and to the ADSL.
They continue to go out even if I unplug the network
cable. I have run spyware checkers and virus scans which
come out clean. I reboot the computer and it works for a
while, then starts sending these SSP packes and no longer
connect to the internet. Rebooting fixes the problem, but
only for a while. This happens several times a day. Any
idea what is wrong and how to fix it? I have seen this
problem posted by others, but I have never seen anybody
post a solution. I know I am not the only one with this
problem, but is there anybody who knows how to fix it?
 
In support we have seen many cases were Slammer was the root problem, in the
traces we would see the Unknown Security Support Provider in the trace and
the frames would show a specific pattern.

If you are running Veritas backup software, some versions shipped with the
MSDE SQL type database which slammer would effect. Just an idea, but I would
look into this direction (especially if you are running Veritas). If you
aren't then post a trace frame so we can look at it. :)

Here are some articles.
813440 Virus Alert About the W32.Slammer Worm
--

Brian Oakes

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.
 
This may indeed have been W32.Slammer. I was running SQL 2000 on my
Windows 2000 server. I had all the latest service packs for Win2k and
had run a virus checker and a spyware checker. Nonthing was reported.
Even though I had the latest Win2k sp's, I didn't have sp's for SQL.
I downloaded and installed SQL 2000 service pack 3 and the problem
went away. My only guess is that the virus scanner didn't detect the
Sql 2000 worm.

I had another machine that was running Windows 2000 but Sql 7. It did
the same thing, and I thought that the W32.Slammer only hit SQL2k.
The other machine was taken off line, so I haven't had a chance to see
if a Sql 7 service pack or upgrading to SQL 2k with the service pack
will fix it.

I searched Microsoft's web site for "Unknown Security Support
Provider" and found nothing. Just a suggestion to anybody out there
working for MS or Symantic, it would be great if an article were on
your web site with those key words if that is indeed a symptom of the
worm. Then again, perhaps it is there and I just missed it somehow.

windowsupdate.microsoft.com seems to keep Windows current, any chance
it could be changed to tell you about SQL service packs as well?

Thanks,
Jeff
 
I know what you mean Jeff, but rest assured we are working on stuff to
greatly improve this process. :) Make sure you subscribe to all the security
bulletin via email. :)

--

Brian Oakes

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.
 
Back
Top