none
Lack of firewall (One NIC) and multiple connections on TCP port 6515 RRS feed

  • Question

  • Sorry but I am pulling my hair out with an inherited SBS 2003 server. It has McAfee installed which has not detected anything, and the users started reporting that email was getting bounced. I checked up and it seems the IP address has been blacklisted. I contacted our ISP/Support and they said there was no unusual activity bar 1000's of connections on port 6515 and suggested I configure the firewall to reject this...

    I tried to start up windows firewall and got the error "Windows firewall cannot run because another program or service is running
    that might use the network address translation component" (Ipnat.sys)", which seems to be because I only have one NIC, then I then went through the wizard and reconfigured the network to no avail...  Anyway, even if the firewall was on, it only rejects inbound connections right?

    So as a last ditch attempt I went into the NIC properties and enabled TCP filtering following this guide:

    http://www.bodhost.com/web-hosting/enable-tcpip-filtering-on-windows-2003-server/

    In addition I enabled 4125 for RWW and rebooted... but couldn't connect for some reason. Luckily I had TeamViewer on a client workstation and logged in via RDP.

    But what has me stumped is this traffic on port 6515? I assume there must be some virus or malware, but for the life of me I cannot find anything obvious searching online. I have asked the ISP/Support if they can enable a hardware firewall, and just open the normal ports, but as of yet they have not responded..

    Any help would be much appreciated.

    Thanks,

    Mark

     


    • Edited by marky9074 Wednesday, January 4, 2012 5:19 PM
    Wednesday, January 4, 2012 5:17 PM

Answers

  • Update from McAfee:

    McAfee has developed a patch that will instruct rumor to not respond to most incoming requests on port 6515. The patch will be posted through updates over a week time. The updated version will show 5.2.3 patch 4 Please do revert back for additional information.

     


    Tuesday, January 17, 2012 2:52 PM

All replies

  • Are you saying you have no business class firewall in front of the SBS that you can configure for egress filtering? Not sure what you mean about having your ISP enable a hardware firewall since that should be on your premises with you configuring it.

    Steve

    <marky9074> wrote in message news:e0694c2f-2de9-4eca-907f-3a5df3351f2f@communitybridge.codeplex.com...

    Sorry but I am pulling my hair out with an inherited SBS 2003 server. It has McAfee installed which has not detected anything, and the users started reporting that email was getting bounced. I checked up and it seems the IP address has been blacklisted. I contacted our ISP/Support and they said there was no unusual activity bar 1000's of connections on port 6515 and suggested I configure the firewall to reject this...

    I tried to start up windows firewall and got the error "Windows firewall cannot run because another program or service is running
    that might use the network address translation component" (Ipnat.sys)", which seems to be because I only have one NIC, then I then went through the wizard and reconfigured the network to bo avail... Anyway, even if the firewall was on, it only rejects inbound connections right?

    So as a last ditch attempt I went into the NIC properties and enabled TCP filtering following this guide:

    http://www.bodhost.com/web-hosting/enable-tcpip-filtering-on-windows-2003-server/

    In addition I enabled 4125 for RWW and rebooted... but couldnt connect for some reason. Luckily I had TeamViewer on a client workstation and logged in via RDP.

    But what has me stumped is this traffic on port 6515? I assume that there must be a virus or malware, but for the life of me I cannot find anything obvious only. I have asked the ISP/Support if they can enable a hardware firewall, and just open the normal ports, but as of yet they have not responded..

    Any help would be much appreciated.

    Thanks,

    Mark

    Wednesday, January 4, 2012 5:53 PM
  • Yes, that's more or less correct at the moment...  on our network we have no firewall. Previously we had our own modem/router with firewall at our old premises, then moved to a multi-unit premises and hooked into their IT infrastructure.. I have asked them today to block all ports bar the normal ones, but as of yet they have not implemented this (what I thought was a simple) request.. and I was looking at what I could do on the server instead...

    To be honest what concerns me the most at the moment, is what is causing this traffic on port 6515..

     

    Wednesday, January 4, 2012 6:04 PM
  • I think with only 1 NIC so you can't use even the basic SBS 2003 firewall and no other firewall of your own you are really skating on thin ice especially now that your IP has already been blacklisted. Good luck.

    Steve

    <marky9074> wrote in message news:3f0a5558-946f-415d-aa1e-fd0b100bda00@communitybridge.codeplex.com...

    Yes, that's more or less correct at the moment... on our network we have no firewall. Previously we had our own modem/router with firewall at our old premises, then moved to a multi-unit premises and hooked into their IT infrastructure.. I have asked them today to block all ports bar the normal ones, but as of yet they have not implemented this (what I thought was a simple) request.. and I was looking at what I could do on the server instead...

    To be honest what concerns me the most at the moment, is what is causing this traffic on port 6515..

    Wednesday, January 4, 2012 6:18 PM
  • Thanks. Naive I guess, but I thought we would have been behind a hardware firewall..

    I just found this regarding McAfee and port 6515 which may be related, though the article is very old...

    http://www.securitytracker.com/id/1001980

    Wednesday, January 4, 2012 6:36 PM
  • Hi Marky9074

    I had the exact same problem on SBS2008 and after exhausting checks with every antivirus out these (we have McAfee installed by default) didn't find anything, realised that the Spambot or Virus or whatever is using MyAgtSvc.exe, the McAfee update agent, to connect out/in - presumably it uses port 6515 to connect. Stop this process and the 1000's of connection sessions stop. Run a Mcafee update/reboot the server and they start again... My interim solution was to uninstall Mcafee and use a different AV, which has worked, but doesn't really prvoide a long term solution...

    Thursday, January 5, 2012 9:32 AM
  • Thanks for the reply, it's much appreciated.

    I just sent a support request to McAfee, but I'm right on the verge of pulling the trigger and installing Eset Smart Security instead....  :(

    Thursday, January 5, 2012 1:59 PM
  • I'm having exactly the same problem on our Windows 2008 server. I also found it because our IP had been blacklisted, also found massive incoming traffic on port 6515, but also found massive outgoing traffic through our router to numerous ip/ports, including to ports 25 (ie we were sending spam!).

    Wa have received a traffic data limit warning from our ISP (100GB in a few days!), who indicated that it started 31/12/11 and peaked over a couple of days, but is now going back to normal (due to my detective work so far).

    What I've learnt so far: the RumorServer service (Mcafee Peer Distribution Service) is at fault/infected (I haven't found any dodgy files or registry entries to date, mcafee doesn't find any, I have also run kaspersky TDSSKiller - no root kit). Disable the service and it all stops (It may however restart on automatic upgrade). Disabling the Windows Firewall incoming rules for Managed Services Agent, and adding incoming/outgoing rules to block program MyAgtSvc.exe on service RumorServer on all ports/protocols stopped the 6515 traffic getting in, which stopped the outgoing traffic (the outgoing rule did not work on it's own, the infection must have own tcp stack or something).

    The incoming 6515 calls must be generating the outgoing connections, as the incoming firewall rule seems to stop both types of activity.

    We are still getting many incoming 6515 connection requests but the number is dropping slowly. Outgoing spam/DOS etc connections have stopped.

    I have also filed a support request with mcafee. Their reply was to take server offline for hours to run a safe mode scan using beta dat, and to attach a tcpview file - I haven't yet done this as taking server offline causes problems, and I can't get into the service portal with the grant no I was given, BT calls to their 'Free' 00800 number will cost a bomb (BT couldn't even tell me how much!) and I can't email them cause they have blacklisted me!

    I also need a permanent solution!

    Friday, January 6, 2012 7:22 PM
  • McAfee support asked me to enable myAgtSvc.exe and run their 'Mer' utility, this spits out a tarball which gets uploaded to their web site after you enter your support request ID.

    After a couple of days (I thought this was pretty poor IMO), they instructed me how to uninstall and re-install using their utility on the support site (I had done this the night before, but by just uninstalling manually...), but as expected the clean re-installed endpoint SaaS still has hundreds of connections on port 6515 to external ports 80 & 25.

    So I have killed the two running instances of myAgtSrv.exe again, and am awaiting a responce from McAfee. If I don't get anywhere by Tuesday I'll be binning this for Eset. The funny thing is every AV I have run has not detected a single thing.... not even a cookie or anything. Even Spybot S&D come up with nothing...



    • Edited by marky9074 Sunday, January 8, 2012 9:04 AM
    Sunday, January 8, 2012 9:02 AM
  • My service request is 3-1902683381 if anybody else is contacting McAfee
    Sunday, January 8, 2012 9:06 AM
  • My service request is 3-1902259056 (no joy from McAfee yet).

    Just spotted http://mrhinkydink.blogspot.com/2012/01/mcafee-relay-server-523-port-6515.html where 1900+ McAfee open proxies have been found on ports 6515!!

    Following this, I searched for our IP online (in the search engine cached pages from a few days ago) and was horrified to find it listed on dozens of sites as an open proxy on McAfee's port 6515! No wonder all sorts of junk/spam was being passed through. This starts to look like a major disaster for McAfee, but what about us poor little guys?

    Monday, January 9, 2012 9:21 PM
  • Oops yeah should have posted this confirming activity:

    http://isc.sans.edu/port.html?port=6515

    Tuesday, January 10, 2012 9:58 AM
  • Update from McAfee:

    McAfee has developed a patch that will instruct rumor to not respond to most incoming requests on port 6515. The patch will be posted through updates over a week time. The updated version will show 5.2.3 patch 4 Please do revert back for additional information.

     


    Tuesday, January 17, 2012 2:52 PM
  • Great News! While we are waiting for a fix, we have posted instructions on the Kaamar Blog to help other McAfee users prevent damage to their systems and their online reputation. We would like affected users to contact us, so we may later lobby McAfee to help fix the damage this has caused.
    This story has also been the subject of an excellent article on CNET: McAfee software lets scammers hijack PCs to send spam
    Wednesday, January 18, 2012 3:59 PM
  • I was still seeing CLOSE_WAIT connections on 6515 after this patch update :/

    I've put the whole network behind a hardware firewall now, so am unlikely to see any more issues, but people should still be alert as I dont think this issue is 100% resolved...

    Wednesday, February 8, 2012 12:18 PM
  • I sent some captured data from wireshark to McAfee yesterday. I could see some nasty stuff still in some of the packets from 6515...

    Also, I have had some serious side effects since the patch update. My SBS server recently started shutting itself down every hour due to 'detecting multiple SBS servers on the domain' when I only have one SBS server. In addition my backups were failing due to

    The 'Active Directory' returned 'The remote system refused the network connection.
    ' from a call to 'BackupPrepare()' additional data '\\SBS-SERVER'

    So I have ended up disabling myAgtSvc.exe again....

    Friday, February 10, 2012 5:10 PM