
I have a Windows 2000 server that is being decommissioned, and someone is sure that it's running as a reverse proxy in a DMZ, redirecting internet traffic back into the corporate network.

Problem is that I cannot see anything running on this server that might indicate such a role. Is it possible to forward traffic on a particular port to another server via the network card? Where would you start looking?

gimpy

4 Answers


While not the same as a web server, reverse-proxies are related, and web server apps often have that capability.

If none of these are running, it's reasonably safe to assume that it's not a reverse proxy: IIS, Apache, NGINX, Lighttpd, Cherokee, Varnish, HAProxy. (This isn't an exhaustive list; just the most common ones.)

You should run an extensive nmap scan against it and check its netstat.

When all else fails, turn it off and see what breaks.

gWaldo
  • I've checked for all the usual suspects with no success. The server was turned off and another app broke, that's why we think there is something going on on this box. I have only remote desktop and I cannot get any software onto the server to check network traffic because it's in a remote datacentre which I have no access to. – gimpy Jul 22 '12 at 09:25
  • Check the config and/or error logs of the app that broke for references to your enigma-machine; that should pretty well nail down what it's doing. – gWaldo Jul 23 '12 at 01:25
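As an added example (not code from any answer in this thread), here is the netstat check above turned into something repeatable. On Windows 2000, `netstat -an` has no `-o`/`-b` switches, so it cannot name the owning process; what it can show is the *shape* a reverse proxy leaves behind: a listener on the DMZ-facing address, ESTABLISHED connections from outside to that listener, and, at the same time, ESTABLISHED connections from this host into private (RFC 1918) address space. The script parses a `netstat -an` dump and reports that pattern. The netstat text, the DMZ address 203.0.113.10, the external peers and the internal host 10.20.30.40 are all constructed for the illustration; "corporate network" is assumed to mean RFC 1918 space.

```python
"""Flag reverse-proxy-shaped traffic in a Windows `netstat -an` dump.

Added example, not from the original thread. The sample below is a
constructed Windows 2000 style listing (no PID column). Addresses are
documentation-range / private values chosen for the illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: what `netstat -an` prints on a Win2k host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:8080      0.0.0.0:0              LISTENING
  TCP    203.0.113.10:8080      198.51.100.77:51022    ESTABLISHED
  TCP    203.0.113.10:8080      198.51.100.78:40111    ESTABLISHED
  TCP    203.0.113.10:3389      198.51.100.5:49311     ESTABLISHED
  TCP    203.0.113.10:1544      10.20.30.40:80         ESTABLISHED
  TCP    203.0.113.10:1545      10.20.30.40:80         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Proto, local addr:port, foreign addr:port, optional state (IPv4 only,
# which is all Windows 2000 netstat prints).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

# Assumption: "the corporate network" means RFC 1918 space. Python's own
# ip.is_private is deliberately not used because it also treats the
# documentation ranges used in the sample (198.51.100.0/24 etc.) as private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "*" or a hostname
        return False
    return any(ip in net for net in RFC1918)


def parse_netstat(text: str) -> list:
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def find_proxy_candidates(netstat_text: str) -> dict:
    """Split ESTABLISHED TCP sockets into 'accepted from outside' and
    'opened by us into RFC 1918 space'; both at once is proxy-like."""
    rows = parse_netstat(netstat_text)
    listeners = {(r["laddr"], r["lport"]) for r in rows
                 if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    external_inbound = defaultdict(list)   # listener port -> external peers
    internal_outbound = []                 # (our ephemeral port, target)
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        # A local port that is also LISTENING (on that address or on the
        # 0.0.0.0 wildcard) means the peer connected to us, not vice versa.
        accepted_here = ((r["laddr"], r["lport"]) in listeners
                         or ("0.0.0.0", r["lport"]) in listeners)
        peer = f'{r["faddr"]}:{r["fport"]}'
        if accepted_here:
            if not is_rfc1918(r["faddr"]):
                external_inbound[r["lport"]].append(peer)
        elif is_rfc1918(r["faddr"]):
            internal_outbound.append((r["lport"], peer))
    external_inbound = {p: sorted(v) for p, v in external_inbound.items()}
    internal_outbound.sort()
    return {
        "listening": sorted({port for _, port in listeners}),
        "external_inbound": external_inbound,
        "internal_outbound": internal_outbound,
        "proxy_like": bool(external_inbound) and bool(internal_outbound),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: on the server run `netstat -an > netstat.txt`, bring the file
    # across (RDP clipboard is enough), then `python netstat_proxy.py < netstat.txt`.
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(find_proxy_candidates(text), indent=2))
```

On the sample this reports port 8080 accepting from two external peers while the host holds two connections into 10.20.30.40:80, so `proxy_like` is true; RDP on 3389 is listed under inbound but is not by itself evidence of anything. Because netstat is a snapshot, take several dumps a few minutes apart, and remember it cannot tie the inbound and outbound sockets to one process; for that you still need TCPView or a capture, as the other answers say.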

I'd start with Wireshark and [briefly] analyze the traffic received at the server. (You'll need an old version; 1.2.7 should work on Win 2k.) Based on the traffic it's actually receiving, you can surmise whether it's actually being used as a reverse-proxy, whether or not someone configured it as one ten years ago.

And similar to what gWaldo suggested, if all else fails, unplug the network cable and see what breaks. Better than a reboot, and I don't think I'd want to reboot a Win2k server any more than I'd want to reboot a mainframe. Maybe less. At least with the mainframe, I could be fairly confident it would come back up... not so much with a decade+ old Windows 2k box.

HopelessN00b
  • The comments about rebooting a 2K Server are absurd. There is no reason whatsoever to expect it won't reboot properly. In fact if it has been kept patched it will have gone through a great many reboots already. – John Gardeniers Jul 20 '12 at 13:44
  • 2
    @John Gardeniers So, you'd really suggest rebooting a decade-old box running an unsupported OS (for which updates are no longer offered) to "see what breaks," rather than disconnecting the network cable? ***That's*** absurd. Especially given Windows 2000's well deserved reputation for being less than rock-solid. – HopelessN00b Jul 20 '12 at 13:51
  • I didn't suggest a reboot was necessary. I merely pointed out that your comments about such a reboot were absurd, whether or not a reboot is required or desirable is quite irrelevant. OTOH, if a reboot was required I'd do so without hesitation. I think your moniker says it all. – John Gardeniers Jul 20 '12 at 15:53
  • @John Gardeniers That's nice and all, but as we're supposed to rely on specific facts and references around these parts, maybe you could use specific facts and references to explain to us all what's absurd (and downvote-worthy) about my Win2k remarks. Or is it your custom to assume that servers running a 12 year old Windows-OS are well maintained and on hardware in good condition, maybe? My comment had as much to do with the condition of machines that *still* run Windows 2000 as it does about the OS itself and the decade+ worth of Windows-rot and/or neglect it's likely suffering. – HopelessN00b Jul 20 '12 at 16:15
  • 1
    There are a lot of assumptions going on here, but honestly, I've never rebooted a Win2k server and feared for it not coming back to life. I have never known it to be "less than rock-solid"; I'm more annoyed when I find that it's missing parts of the scripting interfaces that I'd come to enjoy on Win2k3. – gWaldo Jul 20 '12 at 16:32
  • Servers running ancient operating systems are more likely to be ancient themselves and on the brink of failure, and I'm sure we've all had systems fail to come back up after a reboot, regardless of what operating system they're running. @John, it hasn't been getting patched and rebooted from the patching if it's running win2k, since there hasn't been a single patch released for that OS in over 2 years. Unplugging the network cable instead of rebooting seems like a perfectly reasonable recommendation to me. – Shane Madden Jul 21 '12 at 22:26
  • It looks like it's been patched regularly and it was turned off recently. I can happily report that it came back to life without any fuss. – gimpy Jul 22 '12 at 09:24
  • I have no way (currently) of loading other software onto the server so checking the network traffic is not possible. – gimpy Jul 22 '12 at 09:35
  • I'd be wary of _shutting it down_, i.e. having the disks spin right down for any length of time, but a reboot should be fine. – gravyface Jul 22 '12 at 11:37
  • @Shane, I never suggested, or even hinted, that unplugging the network cable wasn't a better option. – John Gardeniers Jul 22 '12 at 13:20
  • @JohnGardeniers Fair enough! – Shane Madden Jul 22 '12 at 17:24

If you don't trust the host, you could always put a hub (if you have one lying around) between the server's NIC and the server's network port, then plug in a laptop with Wireshark and sniff traffic. Alternatively, if the server's plugged into a managed switch (anything but the lowest-end models), you should be able to turn on port mirroring and sniff traffic that way.

But it's probably easier to leave the NIC on the server unplugged for a period of time that you feel would be long enough to tell whether or not it's being used at all.

This sounds like a really non-standard (and potentially insecure) way of permitting (I'm assuming) external users to tunnel into your LAN. Given the age of the server, and seeing as there are much better methods to achieve the same thing, I would think this is probably something long retired.

Again, lots of assumptions, but without having proper documentation or an accurate picture of the server's role, there's not much else you can do.

gravyface
  • Indeed, it is an old solution that is in the process of being replaced. We wanted to know a bit more about how it's working because the server is moving to a new data centre and we want to make sure it goes smoothly. But anyway, seems I need to physically get to the server. – gimpy Jul 23 '12 at 05:07
  • You can also run TCPView from Sysinternals: it will show you process ID/executable name and all network endpoints; no install necessary. The downside is that it's real-time, no logging, so you'd have to know/expect a connection should be there. Another lightweight option is tcpdump for Windows. No PCap (reboot) required, no install. – gravyface Jul 23 '12 at 12:14

Sorry, it seems that the server was doing nothing, and it's been doing it for 8 years.

To its credit, it has only been restarted a handful of times and looked in good health!

Using netstat and also looking for the exes running showed all that was needed to determine whether a reverse proxy was there.

gimpy