Alaska Software Inc. - WAA1SRV.EXE 100% CPU Usage - How to Block IP?
Paulo Pinheiro
WAA1SRV.EXE 100% CPU Usage - How to Block IP?
on Fri, 23 Apr 2010 13:01:04 +0100
Hello All

Sometimes I found my Web Server with 100% CPU Usage.
The problem is a connection established to WAA1SRV.EXE:1024 with CLOSE_WAIT 
status.
The origin of this connection is many times "9.162.158.61.ha.cnc".

I have already blocked this IP in the IIS, but it keeps coming...

Is there a way to block the IP from accessing WAA1SRV in the configuration 
of the WAA?

TIA,
Paulo Pinheiro
Bruce Anderson
Re: WAA1SRV.EXE 100% CPU Usage - How to Block IP?
on Fri, 23 Apr 2010 08:07:30 -0500
CNC Group CHINA169 Henan Province Network

      Address (click for more detail):  61.158.162.9 
      Hostname:  9.162.158.61.ha.cnc 
      Country:  CN  
      AS:  4837  
      AS Name:  CHINA169-BACKBONE CNCGROUP China169 Backbone 
      Network:  61.158.128.0/17  
      Reports:  1436837 
      Targets:  1778 
      First Reported:  2009-09-10 
      Most Recent Report:  2010-04-23
Thomas Braun
Re: WAA1SRV.EXE 100% CPU Usage - How to Block IP?
on Fri, 23 Apr 2010 15:37:47 +0200
Paulo Pinheiro wrote:

> The origin of this connection is many times "9.162.158.61.ha.cnc".
> 
> I have already blocked this IP in the IIS, but it keeps coming...

Which IP did you block exactly, "9.162.158.61" ?

If yes, then you are wrong 

The notation above is reversed, so the actual IP to be blocked is
61.158.162.9

You can also confirm this by doing a reverse DNS lookup at 
http://remote.12dt.com/lookup.php with both IPs.

regards
Thomas
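
The reversed-octet point above, as an added example that is not part of the original thread: it tallies CLOSE_WAIT connections to local port 1024 from netstat-style output and derives the address to block from hostnames such as "9.162.158.61.ha.cnc". The function names, the netstat column layout and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the style of `netstat -a` output (names resolved).
SAMPLE_NETSTAT = """\
  TCP    webserver:1024    9.162.158.61.ha.cnc:4312     CLOSE_WAIT
  TCP    webserver:1024    9.162.158.61.ha.cnc:4377     CLOSE_WAIT
  TCP    webserver:80      192.0.2.10:51515             ESTABLISHED
  TCP    webserver:1024    host.example.net:2201        CLOSE_WAIT
  TCP    webserver:1024    198.51.100.7:3310            CLOSE_WAIT
"""

def candidate_ip(host):
    """Return the IPv4 address a foreign-host string most likely refers to, or None."""
    labels = host.split(".")
    if len(labels) < 4 or not all(label.isdigit() for label in labels[:4]):
        return None
    octets = labels[:4]
    # Assumption: a bare dotted quad is already an address, while four numeric
    # labels followed by a domain suffix carry the octets in reverse order.
    if len(labels) > 4:
        octets = octets[::-1]
    try:
        return str(ipaddress.IPv4Address(".".join(octets)))
    except ipaddress.AddressValueError:
        return None  # e.g. a label above 255

def close_wait_sources(netstat_text, local_port=1024):
    """Count CLOSE_WAIT connections to local_port per derived source address."""
    counts, unresolved = Counter(), []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "CLOSE_WAIT":
            continue
        if fields[1].rsplit(":", 1)[-1] != str(local_port):
            continue
        host = fields[2].rsplit(":", 1)[0]
        ip = candidate_ip(host)
        if ip:
            counts[ip] += 1
        else:
            unresolved.append(host)  # needs a DNS lookup before blocking
    return counts, unresolved

if __name__ == "__main__":
    print(close_wait_sources(SAMPLE_NETSTAT))
```

A derived address is only a candidate until a reverse DNS lookup confirms it, as suggested above; running `netstat -n` prints numeric addresses directly and avoids the ambiguity.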
Paulo Pinheiro
Re: WAA1SRV.EXE 100% CPU Usage - How to Block IP?
on Mon, 26 Apr 2010 11:36:17 +0100
> Which IP did you block exactly, "9.162.158.61" ?
>
> If yes, then you are wrong 

Yep, I was wrong :$

Thank you.



"Thomas Braun" <spam@software-braun.de> wrote in message 
news:aqzx7syokr4t$.ioaaus4qjjz1$.dlg@40tude.net...
> Paulo Pinheiro wrote:
>
>> The origin of this connection is many times "9.162.158.61.ha.cnc".
>>
>> I have already blocked this IP in the IIS, but it keeps coming...
>
> Which IP did you block exactly, "9.162.158.61" ?
>
> If yes, then you are wrong 
>
> The notation above is reversed, so the actual IP to be blocked is
> 61.158.162.9
>
> You can also confirm this by doing a reverse DNS lookup at
> http://remote.12dt.com/lookup.php with both IPs.
>
> regards
> Thomas
Thomas Braun
Re: WAA1SRV.EXE 100% CPU Usage - How to Block IP?
on Mon, 26 Apr 2010 17:25:44 +0200
Paulo Pinheiro wrote:

>> Which IP did you block exactly, "9.162.158.61" ?
>>
>> If yes, then you are wrong 
> 
> Yep, I was wrong :$

g

> Thank you.

You are welcome 

Thomas