banerjek
asked on
Suspicious outbound connections from Win2K server
Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.
The IP's of these outgoing connections either appear to be belong to akamaitechnologies or some ISP.
It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.
I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.
I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:
22/tcp open ssh
80/tcp open http
443/tcp open https
500/tcp open isakmp
Connecting to port 80 doesn't lead to anything interesting such an index page that tells me what kind of things are on the machine.
What the heck is going on, and do I need to worry about this? Thanks.
The IP's of these outgoing connections either appear to be belong to akamaitechnologies or some ISP.
It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.
I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.
I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:
22/tcp open ssh
80/tcp open http
443/tcp open https
500/tcp open isakmp
Connecting to port 80 doesn't lead to anything interesting such an index page that tells me what kind of things are on the machine.
What the heck is going on, and do I need to worry about this? Thanks.
Note that there may be some services on your machine on on client machines, which may force a connection to the destination you have described. These are i.e. the Windows Update Service as well as the Internet Explorer Update Service, which searches for newer versions on the MS servers. Also the settings of a proxy server may force a connection, esp. if a proxy cache tries to reqfresh its content. If you disable these services, you may see, that these connections may stop. The RST of these connections may be triggered by ZoneAlarm itself, if these traffic is not allowed.
ASKER
Bembi,
A couple quick questions:
1) Just to doublecheck, if this an IE/Windows update matter, would I be able to recognize the IP's that the connections are being made to? With the exception of the xxx.deploy.akamaitechnolog
2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility. Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.
3) Am I correct in assuming the fact that the port scans always show exactly the same thing support one or both of your theories?
Thanks
A couple quick questions:
1) Just to doublecheck, if this an IE/Windows update matter, would I be able to recognize the IP's that the connections are being made to? With the exception of the xxx.deploy.akamaitechnolog
2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility. Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.
3) Am I correct in assuming the fact that the port scans always show exactly the same thing support one or both of your theories?
Thanks
Note that all of the services that Bembi mentioned run on http.......which is port 80 only.......non of them explain the traffic on your other ports.
ASKER
Actually, the mysterious outbound traffic is always on port 443. I just thought it was interesting that all the outgoing connections that are being blocked happen to go to machines with the exact same ports opened and closed. Normally when we scan machines that are attacking us, we find that we're either completely locked out or that they're running all sorts of strange things.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Scan for trojans and spyware came clean. This was not a surprise because this machine sits in a room where no one touches it (except through the network). Messenger and Terminal services are disabled, but your answer has been helpful for understanding this activity.
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml
Ad-aware : http://www.webattack.com/download/dladaware.shtml
Trojan Remover :http://www.simplysup.com/
HijackThis : http://www.webattack.com/download/dlhijackthis.shtml
KL-Detector :http://www.webattack.com/download/dlkldetector.shtml
X-Cleaner Free :http://www.webattack.com/download/dlxcleaner.shtml
SpywareBlaster :http://www.webattack.com/download/dlspywareblaster.shtml
SpywareGuard :http://www.webattack.com/download/dlspywareguard.shtml
SpySites :http://www.webattack.com/download/dlspysites.shtml
Keylogger Hunter :http://www.webattack.com/download/dlklhunter.shtml
Spycop: http://www.spycop.com/
Goodbye Spy http://www.topshareware.com/GoodBye-Spy-download-2012.htm
Other spyware removal instructions: http://www.pchell.com/support/click2findnow.shtml