Suspicious outbound connections from Win2K server

Posted on 2003-11-17
Last Modified: 2013-11-16
Among other things, we are running a software firewall (ZoneAlarm) on a win2K server. Regularly (but never more than once per day), we see blocked TCP connections from a nonprivileged port on our machine to port 443 with the Reset flag set. The process owning the connection is just the Windows Generic Host Process.

The IP's of these outgoing connections either appear to be belong to akamaitechnologies or some ISP.

It is my understanding that the akamaitechnologies connections may be legit proxies (i.e. for windows update, norton, etc), but I'm wondering about the other connections.

I have tried various scans and cannot find evidence of unusual activity or malware on the server. This server provides services to people using a wide variety of ISPs, operating systems, etc.

I tried port scanning the mystery addresses over a period of weeks. The outcome is always the same, regardless of where the IP seems to belong:

22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https
500/tcp    open        isakmp

Connecting to port 80 doesn't lead to anything interesting such an index page that tells me what kind of things are on the machine.

What the heck is going on, and do I need to worry about this? Thanks.
Question by:banerjek
  • 3
  • 2
  • 2
LVL 18

Expert Comment

ID: 9765416
LVL 35

Expert Comment

ID: 9797597
Note that there may be some services on your machine on on client machines, which may force a connection to the destination you have described. These are i.e. the Windows Update Service as well as the Internet Explorer Update Service, which searches for newer versions on the MS servers. Also the settings of a proxy server may force a connection, esp. if a proxy cache tries to reqfresh its content. If you disable these services, you may see, that these connections may stop. The RST of these connections may be triggered by ZoneAlarm itself, if these traffic is not allowed.

Author Comment

ID: 9798299

A couple quick questions:

1) Just to doublecheck, if this an IE/Windows update matter, would I be able to recognize the IP's that the  connections are being made to? With the exception of the, the IP's seem all over the place. I forgot to mention that I'm not seeing anything in the event logs that looks unusual.

2) Regarding the proxy cache -- this machine provides web and database services. What am I looking for if I want to investigate this possibility. Quickly browsing the services and IIS properties, I couldn't see anything that seemed to apply.

3) Am I correct in assuming the fact that the port scans always show exactly the same thing support one or both of your theories?

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

LVL 18

Expert Comment

ID: 9798408
Note that all of the services that Bembi mentioned run on http.......which is port 80 only.......non of them explain the traffic on your other ports.

Author Comment

ID: 9798621
Actually, the mysterious outbound traffic is always on port 443. I just thought it was interesting that all the outgoing connections that are being blocked happen to go to machines with the exact same ports opened and closed. Normally when we scan machines that are attacking us, we find that we're either completely locked out or that they're running all sorts of strange things.
LVL 35

Accepted Solution

Bembi earned 125 total points
ID: 9798923
1.) I'm not sure about ZoneAlarm, but have a look if you can activate additional logs. A usual firewall is able to log all traffic, which passes any NIC. So your target should be not the NT event log rather than the logfiles of ZoneAlarm, if available.

2.) Also a ZoenAlarm issue

3.) If you make a port scan agains any machine, you get back the listener ports of this machine (or router or firewall). That means only, that there may be services behind these ports.

What JConchie said is right for most of the cases. These services are usually using port 80. 443 is HTTPS, means there is usually a login before this. If the target server rejects the connection, it may be that this is a result of a failed logon. If one of you machines has Windows Messanger installed, this may be a resource for that as WM enforces a Passport logon. (Messanger service uses port 1863 if established, or Terminal Server 3389). Also InstallShield is a point of notice, as the newer IS has an auto update functionality, which definitely uses HTTPS.

Port 22 is SSH Remote Login Protocol, in combination with port 500 (L2PT) and 443, it points me to a logon request to another machine.
. This is unusual, as I use Terminal Server als well as Messanger as well as InstallShield of course, but I never could experience this combination, I would follow JConchies hints to check your system for either Spyware or for a trojan horses.

Author Comment

ID: 9799813
Scan for trojans and spyware came clean. This was not a surprise because this machine sits in a room where no one touches it (except through the network). Messenger and Terminal services are disabled, but your answer has been helpful for understanding this activity.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Static IP 5 81
Firewall Analyzer Reporting Software 4 54
firewall inside of network 9 73
Palo Alto Networks Global Protect 2 103
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now