Suspicious outbound connections from Win2K server
Posted on 2003-11-17
Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.
The IPs of these outgoing connections appear to belong either to akamaitechnologies or to some ISP.
It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.
I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.
I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:
22/tcp open ssh
80/tcp open http
443/tcp open https
500/tcp open isakmp
Connecting to port 80 doesn't lead to anything interesting, such as an index page that tells me what kind of things are on the machine.
What the heck is going on, and do I need to worry about this? Thanks.