Suspicious outbound connections from Win2K server

Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.

The IPs of these outgoing connections either appear to belong to akamaitechnologies or to some ISP.

It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.

I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.

I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:

22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https
500/tcp    open        isakmp

Connecting to port 80 doesn't lead to anything interesting, such as an index page that tells me what kind of things are on the machine.

What the heck is going on, and do I need to worry about this? Thanks.

Note that there may be some services on your machine or on client machines which may force a connection to the destination you have described. These are e.g. the Windows Update Service as well as the Internet Explorer Update Service, which searches for newer versions on the MS servers. Also the settings of a proxy server may force a connection, esp. if a proxy cache tries to refresh its content. If you disable these services, you may see that these connections stop. The RST of these connections may be triggered by ZoneAlarm itself, if this traffic is not allowed.
banerjek (Author) commented:

A couple quick questions:

1) Just to double-check, if this is an IE/Windows update matter, would I be able to recognize the IPs that the connections are being made to? With the exception of the, the IPs seem all over the place. I forgot to mention that I'm not seeing anything in the event logs that looks unusual.

2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility? Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.

3) Am I correct in assuming that the fact that the port scans always show exactly the same thing supports one or both of your theories?


Note that all of the services that Bembi mentioned run on http, which is port 80 only. None of them explain the traffic on your other ports.
banerjek (Author) commented:
Actually, the mysterious outbound traffic is always on port 443. I just thought it was interesting that all the outgoing connections that are being blocked happen to go to machines with the exact same ports opened and closed. Normally when we scan machines that are attacking us, we find that we're either completely locked out or that they're running all sorts of strange things.
1.) I'm not sure about ZoneAlarm, but have a look whether you can activate additional logs. A usual firewall is able to log all traffic which passes any NIC. So your target should not be the NT event log but rather the log files of ZoneAlarm, if available.

2.) Also a ZoneAlarm issue.

3.) If you make a port scan against any machine, you get back the listener ports of this machine (or router or firewall). That means only that there may be services behind these ports.

What JConchie said is right for most of the cases. These services are usually using port 80. 443 is HTTPS, which means there is usually a login before this. If the target server rejects the connection, it may be that this is a result of a failed logon. If one of your machines has Windows Messenger installed, this may be a source for that, as WM enforces a Passport logon. (Messenger service uses port 1863 if established, or Terminal Server 3389). Also InstallShield is a point of notice, as the newer IS has an auto update functionality, which definitely uses HTTPS.

Port 22 is SSH Remote Login Protocol; in combination with port 500 (L2TP) and 443, it points me to a logon request to another machine.
This is unusual, as I use Terminal Server as well as Messenger as well as InstallShield of course, but I could never experience this combination. I would follow JConchie's hints to check your system for either spyware or a trojan horse.
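One way to act on item 1.) above (pull the firewall's own log and look at the blocked outbound connections as a population rather than one line at a time), as an added example that is not part of the original thread and is not ZoneAlarm's real log format: the script below parses a constructed, simplified "date time action direction proto src:sport dst:dport flags process" layout, groups blocked outbound port-443 attempts by destination and owning process, and checks whether the attempts to a given destination recur at a fixed ~24h cadence. A daily rhythm to the same host from svchost is the signature of a scheduled client check (an update agent on a timer) rather than interactive or attacker traffic, which is the distinction the thread is trying to draw. The log lines, the field layout, the 10-minute tolerance and the triage labels are all assumptions for illustration.

```python
"""Triage of blocked outbound connections from a host firewall log.

Added example: the line layout below is a constructed, simplified format
(not ZoneAlarm's own); adapt LINE_RE to whatever the real firewall writes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = """\
2003-05-02 03:14:07 BLOCK OUT TCP 192.0.2.10:1187 198.51.100.20:443 RST svchost.exe
2003-05-02 03:14:07 BLOCK OUT TCP 192.0.2.10:1187 198.51.100.20:443 RST svchost.exe
2003-05-03 03:14:12 BLOCK OUT TCP 192.0.2.10:1204 198.51.100.20:443 RST svchost.exe
2003-05-04 03:14:09 BLOCK OUT TCP 192.0.2.10:1221 198.51.100.20:443 RST svchost.exe
2003-05-04 11:02:33 BLOCK OUT TCP 192.0.2.10:1300 203.0.113.77:443 RST svchost.exe
2003-05-04 11:02:40 BLOCK IN  TCP 203.0.113.5:4455 192.0.2.10:80 SYN -
2003-05-05 03:14:10 BLOCK OUT TCP 192.0.2.10:1240 198.51.100.20:443 RST svchost.exe
"""

# Assumed field layout: timestamp action direction proto src:sport dst:dport flags process
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<action>\w+)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<proc>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def looks_daily(times, tolerance_s=600):
    """True if consecutive distinct timestamps are spaced ~24h apart (3+ samples).

    A fixed daily cadence points to a scheduled check (update client, licence
    ping) rather than interactive use or an attacker-driven connection.
    """
    ts = sorted(set(times))
    if len(ts) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return all(abs(g - 86400) <= tolerance_s for g in gaps)


def summarize_blocked_outbound(records, dport=443):
    """Group blocked outbound connections to `dport` by (destination, process)."""
    groups = defaultdict(list)
    for r in records:
        if r["action"] == "BLOCK" and r["dir"] == "OUT" and r["dport"] == dport:
            groups[(r["dst"], r["proc"])].append(r)
    summary = {}
    for key, recs in groups.items():
        times = [r["ts"] for r in recs]
        summary[key] = {
            "count": len(recs),                     # raw log lines, retransmits included
            "distinct_times": len(set(times)),      # de-duplicated attempts
            "first": min(times),
            "last": max(times),
            "ephemeral_src_ports": all(r["sport"] >= 1024 for r in recs),
            "flags": sorted({r["flags"] for r in recs}),
            "periodic_daily": looks_daily(times),
        }
    return summary


def triage(entry):
    """Heuristic label: a hint for where to look next, not proof of benign or malicious."""
    if entry["periodic_daily"] and entry["ephemeral_src_ports"]:
        return "scheduled-client-check"   # e.g. an update agent running on a timer
    if entry["distinct_times"] == 1:
        return "one-off"                  # correlate with what ran on the host at that time
    return "irregular"                    # irregular outbound HTTPS from svchost merits a closer look


if __name__ == "__main__":
    summary = summarize_blocked_outbound(parse_log(SAMPLE_LOG))
    for (dst, proc), e in sorted(summary.items()):
        print(f"{dst:16} {proc:12} n={e['count']} flags={','.join(e['flags'])} "
              f"daily={e['periodic_daily']} -> {triage(e)}")
```

With the constructed input, the 198.51.100.20 entries come out as a daily check (four distinct attempts, all at about 03:14, source ports all ephemeral) while the single 203.0.113.77 attempt is flagged as a one-off to correlate with host activity at that time. Running the same grouping over the real log is what lets you see whether the "all over the place" destinations are actually one scheduled client talking to a rotating CDN pool or genuinely unrelated hosts.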

banerjek (Author) commented:
Scan for trojans and spyware came clean. This was not a surprise because this machine sits in a room where no one touches it (except through the network). Messenger and Terminal services are disabled, but your answer has been helpful for understanding this activity.