Solved

Suspicious outbound connections from Win2K server

Posted on 2003-11-17
7
5,502 Views
Last Modified: 2013-11-16
Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.

The IP's of these outgoing connections either appear to be belong to akamaitechnologies or some ISP.

It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.

I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.

I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:

22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https
500/tcp    open        isakmp

Connecting to port 80 doesn't lead to anything interesting such an index page that tells me what kind of things are on the machine.

What the heck is going on, and do I need to worry about this? Thanks.
0
Comment
Question by:banerjek
  • 3
  • 2
  • 2
7 Comments
 
LVL 18

Expert Comment

by:JConchie
Comment Utility
0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Note that there may be some services on your machine on on client machines, which may force a connection to the destination you have described. These are i.e. the Windows Update Service as well as the Internet Explorer Update Service, which searches for newer versions on the MS servers. Also the settings of a proxy server may force a connection, esp. if a proxy cache tries to reqfresh its content. If you disable these services, you may see, that these connections may stop. The RST of these connections may be triggered by ZoneAlarm itself, if these traffic is not allowed.
0
 
LVL 1

Author Comment

by:banerjek
Comment Utility
Bembi,

A couple quick questions:

1) Just to doublecheck, if this an IE/Windows update matter, would I be able to recognize the IP's that the  connections are being made to? With the exception of the xxx.deploy.akamaitechnologies.com, the IP's seem all over the place. I forgot to mention that I'm not seeing anything in the event logs that looks unusual.

2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility. Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.

3) Am I correct in assuming the fact that the port scans always show exactly the same thing support one or both of your theories?

Thanks
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 18

Expert Comment

by:JConchie
Comment Utility
Note that all of the services that Bembi mentioned run on http.......which is port 80 only.......non of them explain the traffic on your other ports.
0
 
LVL 1

Author Comment

by:banerjek
Comment Utility
Actually, the mysterious outbound traffic is always on port 443. I just thought it was interesting that all the outgoing connections that are being blocked happen to go to machines with the exact same ports opened and closed. Normally when we scan machines that are attacking us, we find that we're either completely locked out or that they're running all sorts of strange things.
0
 
LVL 35

Accepted Solution

by:
Bembi earned 125 total points
Comment Utility
1.) I'm not sure about ZoneAlarm, but have a look if you can activate additional logs. A usual firewall is able to log all traffic, which passes any NIC. So your target should be not the NT event log rather than the logfiles of ZoneAlarm, if available.

2.) Also a ZoenAlarm issue

3.) If you make a port scan agains any machine, you get back the listener ports of this machine (or router or firewall). That means only, that there may be services behind these ports.

What JConchie said is right for most of the cases. These services are usually using port 80. 443 is HTTPS, means there is usually a login before this. If the target server rejects the connection, it may be that this is a result of a failed logon. If one of you machines has Windows Messanger installed, this may be a resource for that as WM enforces a Passport logon. (Messanger service uses port 1863 if established, or Terminal Server 3389). Also InstallShield is a point of notice, as the newer IS has an auto update functionality, which definitely uses HTTPS.

Port 22 is SSH Remote Login Protocol, in combination with port 500 (L2PT) and 443, it points me to a logon request to another machine.
. This is unusual, as I use Terminal Server als well as Messanger as well as InstallShield of course, but I never could experience this combination, I would follow JConchies hints to check your system for either Spyware or for a trojan horses.
0
 
LVL 1

Author Comment

by:banerjek
Comment Utility
Scan for trojans and spyware came clean. This was not a surprise because this machine sits in a room where no one touches it (except through the network). Messenger and Terminal services are disabled, but your answer has been helpful for understanding this activity.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now