Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Suspicious outbound connections from Win2K server

Posted on 2003-11-17
Medium Priority
Last Modified: 2013-11-16
Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.

The IP's of these outgoing connections either appear to be belong to akamaitechnologies or some ISP.

It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.

I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.

I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:

22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https
500/tcp    open        isakmp

Connecting to port 80 doesn't lead to anything interesting such an index page that tells me what kind of things are on the machine.

What the heck is going on, and do I need to worry about this? Thanks.
Question by:banerjek
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 35

Expert Comment

ID: 9797597
Note that there may be some services on your machine on on client machines, which may force a connection to the destination you have described. These are i.e. the Windows Update Service as well as the Internet Explorer Update Service, which searches for newer versions on the MS servers. Also the settings of a proxy server may force a connection, esp. if a proxy cache tries to reqfresh its content. If you disable these services, you may see, that these connections may stop. The RST of these connections may be triggered by ZoneAlarm itself, if these traffic is not allowed.

Author Comment

ID: 9798299

A couple quick questions:

1) Just to doublecheck, if this an IE/Windows update matter, would I be able to recognize the IP's that the  connections are being made to? With the exception of the xxx.deploy.akamaitechnologies.com, the IP's seem all over the place. I forgot to mention that I'm not seeing anything in the event logs that looks unusual.

2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility. Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.

3) Am I correct in assuming the fact that the port scans always show exactly the same thing support one or both of your theories?

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

LVL 18

Expert Comment

ID: 9798408
Note that all of the services that Bembi mentioned run on http.......which is port 80 only.......non of them explain the traffic on your other ports.

Author Comment

ID: 9798621
Actually, the mysterious outbound traffic is always on port 443. I just thought it was interesting that all the outgoing connections that are being blocked happen to go to machines with the exact same ports opened and closed. Normally when we scan machines that are attacking us, we find that we're either completely locked out or that they're running all sorts of strange things.
LVL 35

Accepted Solution

Bembi earned 375 total points
ID: 9798923
1.) I'm not sure about ZoneAlarm, but have a look if you can activate additional logs. A usual firewall is able to log all traffic, which passes any NIC. So your target should be not the NT event log rather than the logfiles of ZoneAlarm, if available.

2.) Also a ZoenAlarm issue

3.) If you make a port scan agains any machine, you get back the listener ports of this machine (or router or firewall). That means only, that there may be services behind these ports.

What JConchie said is right for most of the cases. These services are usually using port 80. 443 is HTTPS, means there is usually a login before this. If the target server rejects the connection, it may be that this is a result of a failed logon. If one of you machines has Windows Messanger installed, this may be a resource for that as WM enforces a Passport logon. (Messanger service uses port 1863 if established, or Terminal Server 3389). Also InstallShield is a point of notice, as the newer IS has an auto update functionality, which definitely uses HTTPS.

Port 22 is SSH Remote Login Protocol, in combination with port 500 (L2PT) and 443, it points me to a logon request to another machine.
. This is unusual, as I use Terminal Server als well as Messanger as well as InstallShield of course, but I never could experience this combination, I would follow JConchies hints to check your system for either Spyware or for a trojan horses.

Author Comment

ID: 9799813
Scan for trojans and spyware came clean. This was not a surprise because this machine sits in a room where no one touches it (except through the network). Messenger and Terminal services are disabled, but your answer has been helpful for understanding this activity.

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question