Old 09-02-2003, 06:45 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2002
Location: Western MA, USA
Posts: 74
Quidam is on a distinguished road
Services.exe on NT Server

The SERVICES.EXE process on my NT4 Server (SP6) is consuming 20-40% of the CPU time. This problem started recently. The only notable issues with the server over the last several weeks have been a few unsuccessful attempts to update IE from 4.0 to 5.01. When 5.01 is installed, it will not execute. I uninstall and revert back to 4.0. This has happened twice.

Any thoughts or suggestions for investigation?

Thanks

Quidam is offline   Reply With Quote
Old 09-02-2003, 08:28 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2003
Location: Nowhere
Posts: 96
Eraserhead is on a distinguished road
Slowdowns on services.exe have been occasionally due to viruses / trojans - run your antivirus program to check.

It could also be due to a denial of service attack - check your inbound connections and see whether someone is attempting a DoS attack (such as the ping of death).

If your server checks out for unwanted intruders, try using the sc command line utility to query the services your server is running. Try stopping services one by one to see which one is using up your CPU time.
Eraserhead is offline   Reply With Quote
Old 09-02-2003, 08:36 AM   #3 (permalink)
Guest
Guest
 
Posts: n/a
Head on over here for a free online scan:

http://housecall.trendmicro.com/
  Reply With Quote
Old 09-02-2003, 08:52 AM   #4 (permalink)
Registered User
 
Join Date: Oct 2002
Location: Western MA, USA
Posts: 74
Quidam is on a distinguished road
Thanks for the tips.

We've been getting hit a lot with the Sobig.f virus as e-mail attachments. Our AV appears to be catching and deleting them, but the CPU may be working harder than normal. A full disk scan ran Sunday night and no infected files were found.

Eraserhead, can you describe how to check for a DoS attack? I will try eliminating services to isolate the problem.

Thanks
Quidam is offline   Reply With Quote
Old 09-02-2003, 08:53 AM   #5 (permalink)
Guest
Guest
 
Posts: n/a
Quidam, do you have any firewall protection running?
  Reply With Quote
Old 09-02-2003, 09:00 AM   #6 (permalink)
Registered User
 
Join Date: Oct 2002
Location: Western MA, USA
Posts: 74
Quidam is on a distinguished road
We have a CISCO 2602 router. It was set up by an outside consultant, so I can't tell you much about its configuration. I am fairly confident that it is secure.

We use Lotus Domino for e-mail and it is protected by McAfee Groupshield.
Quidam is offline   Reply With Quote
Old 09-02-2003, 09:20 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2003
Location: Nowhere
Posts: 96
Eraserhead is on a distinguished road
I'm not sure about network monitoring on NT Server. On Win2K Server there's an application in Administrative Tools called Network Monitor (I think :-)

If you can't find a network monitoring tool in NT Server, try using a third party monitoring tool. Microsoft recommends a few here:

http://www.microsoft.com/ntserver/pa...v/NUtility.asp

I also noticed at the bottom of that page is a Service Monitor tool, which might be handy for looking at what services you're running.

My main concern for you (and I suspect it's on GroundZero's mind) is that the recent hackers' toys such as the Blaster worm use DoS attacks on RPC (Remote Procedure Call) ports, which is a service that's usually running by default on NT, 2K and XP machines.
Make sure you go to Microsoft and download the latest security patches for RPC vulnerabilities - in fact, make sure you have all the latest security patches installed and the latest service pack updates (although you might want to test these out on a mirrored or redundant / dummy server if you have one before installing them on your main one in case there are any problems).
Eraserhead is offline   Reply With Quote
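
Added example, not part of the original posts: one way to act on the "check your inbound connections" advice is to save `netstat -an` output from the server and tally inbound TCP connections per remote host and state, looking for many half-open connections to one listening port such as RPC (135). The sample output, the addresses, the function names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:135         198.51.100.7:4021      SYN_RECEIVED
  TCP    192.0.2.10:135         198.51.100.7:4022      SYN_RECEIVED
  TCP    192.0.2.10:135         198.51.100.7:4023      SYN_RECEIVED
  TCP    192.0.2.10:135         198.51.100.7:4024      SYN_RECEIVED
  TCP    192.0.2.10:1352        192.0.2.55:1188        ESTABLISHED
  TCP    192.0.2.10:1045        203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Proto, local addr:port, foreign addr:port, state (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def summarize(netstat_text):
    """Count inbound TCP connections per (local port, remote host, state)."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    # A connection is treated as inbound when its local port has a listener.
    listen_ports = {lport for _, lport, _, _, st in rows if st == "LISTENING"}
    counts = Counter()
    for _, lport, raddr, _, state in rows:
        if state == "LISTENING" or lport not in listen_ports:
            continue  # skip the listeners themselves and outbound connections
        counts[(int(lport), raddr, state)] += 1
    return counts

def suspects(counts, threshold=3):
    """Hosts with >= threshold half-open connections to one port.

    The threshold is an assumed starting point; tune it to normal traffic.
    """
    return sorted((port, host, n) for (port, host, state), n in counts.items()
                  if state == "SYN_RECEIVED" and n >= threshold)

if __name__ == "__main__":
    for port, host, n in suspects(summarize(SAMPLE)):
        print(f"port {port}: {n} half-open connections from {host}")
```

Running the same tally on captures taken a few minutes apart shows whether the half-open count from a host is sustained or just a momentary burst.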
Old 09-03-2003, 08:03 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2002
Location: Western MA, USA
Posts: 74
Quidam is on a distinguished road
I agree on the security patches, but that's part of the problem. IE4.0 is no longer supported, so I can't download patches until I can get IE5.0 or higher working.

I shut down many services, but did not yet find the one that is running amok. I didn't try the RPC services yet.

I'll update if I have any meaningful info.
Quidam is offline   Reply With Quote