Suspicious outbound connections from Win2K server

Posted on 2003-11-17
Last Modified: 2013-11-16
Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.

The IPs of these outgoing connections appear to belong either to akamaitechnologies or to some ISP.

It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for Windows Update, Norton, etc.), but I'm wondering about the other connections.

I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.

I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:

22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https
500/tcp    open        isakmp

Connecting to port 80 doesn't lead to anything interesting, such as an index page that tells me what kind of things are on the machine.

What the heck is going on, and do I need to worry about this? Thanks.
Question by: banerjek
LVL 18

Expert Comment

ID: 9765416
LVL 35

Expert Comment

ID: 9797597
Note that there may be some services on your machine or on client machines which may force a connection to the destination you have described. These are i.e. the Windows Update Service as well as the Internet Explorer Update Service, which searches for newer versions on the MS servers. Also the settings of a proxy server may force a connection, esp. if a proxy cache tries to refresh its content. If you disable these services, you may see that these connections stop. The RST of these connections may be triggered by ZoneAlarm itself, if this traffic is not allowed.

Author Comment

ID: 9798299

A couple quick questions:

1) Just to double-check, if this is an IE/Windows Update matter, would I be able to recognize the IPs that the connections are being made to? With the exception of the, the IPs seem all over the place. I forgot to mention that I'm not seeing anything in the event logs that looks unusual.

2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility? Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.

3) Am I correct in assuming that the fact that the port scans always show exactly the same thing supports one or both of your theories?

LVL 18

Expert Comment

ID: 9798408
Note that all of the services that Bembi mentioned run on HTTP, which is port 80 only. None of them explain the traffic on your other ports.

Author Comment

ID: 9798621
Actually, the mysterious outbound traffic is always on port 443. I just thought it was interesting that all the outgoing connections that are being blocked happen to go to machines with the exact same ports opened and closed. Normally when we scan machines that are attacking us, we find that we're either completely locked out or that they're running all sorts of strange things.
LVL 35

Accepted Solution

Bembi earned 125 total points
ID: 9798923
1.) I'm not sure about ZoneAlarm, but have a look if you can activate additional logs. A usual firewall is able to log all traffic which passes any NIC. So your target should not be the NT event log but rather the logfiles of ZoneAlarm, if available.

2.) Also a ZoneAlarm issue.

3.) If you make a port scan against any machine, you get back the listener ports of this machine (or router or firewall). That means only that there may be services behind these ports.

What JConchie said is right for most of the cases. These services are usually using port 80. 443 is HTTPS, which means there is usually a login before this. If the target server rejects the connection, it may be that this is a result of a failed logon. If one of your machines has Windows Messenger installed, this may be a source for that, as WM enforces a Passport logon. (The Messenger service uses port 1863 if established, or Terminal Server 3389.) Also InstallShield is a point of notice, as the newer IS has an auto-update functionality, which definitely uses HTTPS.

Port 22 is SSH Remote Login Protocol; in combination with port 500 (L2TP) and 443, it points me to a logon request to another machine. This is unusual, as I use Terminal Server as well as Messenger as well as InstallShield of course, but I could never experience this combination. I would follow JConchie's hints to check your system for either spyware or trojan horses.
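A way to do the log triage suggested in point 1 above, as an added example that is not part of the original thread and not ZoneAlarm's own code. It parses constructed log lines in a simplified ZoneAlarm-style CSV layout (the exact field layout, the sample addresses taken from the reserved documentation ranges, and the allowlisted prefix are all assumptions), keeps only the blocked outbound TCP/443 entries carrying the reset flag, and reports which destinations are not explained by prefixes you have already verified, together with how many distinct days each one recurs on and the worst per-day count.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines. Assumed layout (simplified ZoneAlarm style):
#   type,date,time,source:port,destination:port,transport (flags:X)
SAMPLE_LOG = """\
FWOUT,2003/11/10,09:12:31 -8:00 GMT,192.168.1.5:1043,203.0.113.17:443,TCP (flags:R)
FWOUT,2003/11/10,14:05:02 -8:00 GMT,192.168.1.5:1102,198.51.100.9:443,TCP (flags:R)
FWOUT,2003/11/11,08:40:11 -8:00 GMT,192.168.1.5:1120,203.0.113.17:443,TCP (flags:R)
FWOUT,2003/11/12,11:00:00 -8:00 GMT,192.168.1.5:1151,192.0.2.44:443,TCP (flags:R)
FWOUT,2003/11/12,11:00:05 -8:00 GMT,192.168.1.5:1152,192.0.2.44:443,TCP (flags:R)
FWIN,2003/11/12,11:30:00 -8:00 GMT,198.51.100.200:3344,192.168.1.5:80,TCP (flags:S)
FWOUT,2003/11/13,16:22:19 -8:00 GMT,192.168.1.5:1199,198.51.100.9:80,TCP (flags:S)
"""

# Constructed allowlist: prefixes you have separately confirmed (whois, CDN
# documentation) to belong to an expected party. Hypothetical value.
KNOWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the layout."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    kind, date, _time, src, dst, transport = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        src_port, dst_port = int(src_port), int(dst_port)
    except ValueError:
        return None
    proto = transport.split(" ", 1)[0]
    flags = transport.split("flags:", 1)[1].rstrip(")") if "flags:" in transport else ""
    return {"kind": kind, "date": date, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto, "flags": flags}


def select_blocked_https_resets(log_text):
    """Keep outbound TCP entries to port 443 whose flags include R (the pattern in the post)."""
    selected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["kind"] == "FWOUT" and rec["proto"] == "TCP"
                and rec["dst_port"] == 443 and "R" in rec["flags"]):
            selected.append(rec)
    return selected


def summarize(records, known_prefixes):
    """Per destination IP: total hits, distinct days, worst per-day count, allowlist match."""
    per_dst = defaultdict(lambda: {"count": 0, "per_day": Counter()})
    for rec in records:
        entry = per_dst[rec["dst_ip"]]
        entry["count"] += 1
        entry["per_day"][rec["date"]] += 1
    summary = {}
    for dst_ip, entry in per_dst.items():
        addr = ipaddress.ip_address(dst_ip)
        summary[dst_ip] = {
            "count": entry["count"],
            "days": len(entry["per_day"]),
            "max_per_day": max(entry["per_day"].values()),
            "known": any(addr in net for net in known_prefixes),
        }
    return summary


def unexplained_destinations(summary):
    """Destinations not covered by the allowlist, busiest first, then by address."""
    return sorted((ip for ip, s in summary.items() if not s["known"]),
                  key=lambda ip: (-summary[ip]["count"], ip))


if __name__ == "__main__":
    summary = summarize(select_blocked_https_resets(SAMPLE_LOG), KNOWN_PREFIXES)
    for ip in unexplained_destinations(summary):
        s = summary[ip]
        print(f"{ip:16} hits={s['count']} days={s['days']} max_per_day={s['max_per_day']}")
```

Run it against the real ZoneAlarm log once logging is enabled, and feed the allowlist from ownership lookups you do separately; the script runs offline and deliberately does no lookups itself. A destination that turns up on many days but never more than once per day fits a scheduled check-in, while several hits in one day against the same unexplained address is worth a closer look at the process that opened the socket.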

Author Comment

ID: 9799813
Scan for trojans and spyware came clean. This was not a surprise because this machine sits in a room where no one touches it (except through the network). Messenger and Terminal services are disabled, but your answer has been helpful for understanding this activity.

Question has a verified solution.