Solved

Process called "system:8" is listening on all kinds of ports on GFI Mail Essentials for Exchange box on my DMZ.  What is this process?

Posted on 2004-10-20
26
711 Views
Last Modified: 2012-06-21
I need to know what this process is.  Found it after running Sysinternals TCPView.

NOTE:

1)  Recently had a virus storm on the network which has been handled now.

2) Queue folder on the GFI Mail Essentials for Exchange box is overflowing with items.  Averaging about 20,000 items at any given time on a 200-computer network.  Seems like the items are being created at about 1-5 every minute.  Having to stop and start the SMTP service once in a while or mail seems to stop or come back undeliverable.

3) I think this machine (or another) may have a mass mailer of some kind, but Norton Corporate Edition is not detecting anything on the network machines.


Is the process "system:8" related to the overflowing  queue folder?

JUST A HEADS UP: I didn't install the Mail Essentials or the Exchange and I am no expert on either of them.
Question by: NCSO
26 Comments
 
LVL 20

Expert Comment

by:DVation191
ID: 12359990
Download Port Explorer.
http://www.diamondcs.com.au/portexplorer/index.php?page=download

It will tell you which process is opening ports on your PC.

Screenshots...
http://www.diamondcs.com.au/portexplorer/index.php?page=screenshots
0
 

Author Comment

by:NCSO
ID: 12360064
I already know what process is opening ports.  That is what TCPView told me.  A process called system:8 is using a large number of ports.  They actually vary from Listening to Established to Time_Wait.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12360210
"I need to know what this process is." ... "I already know what process is opening ports." ... okay, I'm confused =)

system:8.exe is not a valid file name in Windows. Are you trying to say there is a process called system using port 8 that you suspect is sending out all these emails?
0
 
LVL 3

Expert Comment

by:tomv011397
ID: 12360473
Can you cut a screen shot of the Netstat output? It should look like this (but bigger)

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    darlington:echo        darlington.USA411.com:0  LISTENING
  TCP    darlington:discard     darlington.USA411.com:0  LISTENING
  TCP    darlington:daytime     darlington.USA411.com:0  LISTENING
  TCP    darlington:qotd        darlington.USA411.com:0  LISTENING
  TCP    darlington:chargen     darlington.USA411.com:0  LISTENING
  TCP    darlington:ftp         darlington.USA411.com:0  LISTENING
  TCP    darlington:smtp        darlington.USA411.com:0  LISTENING
  TCP    darlington:http        darlington.USA411.com:0  LISTENING

Tom
0
 

Author Comment

by:NCSO
ID: 12361131
OK....  I installed and ran Sysinternals' program called TCPView.  This program gives a real-time view of all open ports on a PC.  When I run it, there is an item called "system:8" in the column called "process" that is opening, using and/or listening on a large number of ports.  I should have said that I need to know what program or virus or exploit this "process" is related to.  Please note that this "process" called "system:8" does not appear anywhere in Task Manager or the registry or as a file on the hard drive.

I suspect that "system:8" is possibly part of a mass mailer but I can not find any info on it on any search engine.

I will be happy to post a screen shot if someone will tell me how.  I am new to EE.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12361179
If you could, can you download Port Explorer (posted above) and see if it reports that same process file name?
0
 

Author Comment

by:NCSO
ID: 12361220
If you go here you can at least look at the interface I am seeing.  "system:8" is showing up in the left-most column, labeled "process".   http://www.sysinternals.com/ntw2k/source/tcpview.shtml
0
 

Author Comment

by:NCSO
ID: 12361231
Yes , I will try to get Port Explorer.
0
 

Author Comment

by:NCSO
ID: 12361326
I downloaded and installed Port Explorer Demo, but it requires a reboot and I am not comfortable with that at this point.  The last time it was rebooted, I think it had an issue coming back up.
0
 

Author Comment

by:NCSO
ID: 12361469
Screen shot: http://www.imagevenue.com/my.php?loc=web2/&image=55d42_TCPView.JPG

Hope this works.  This is screen shot of the "process" in question.
0
 

Author Comment

by:NCSO
ID: 12361519
Didn't work.
0
 

Author Comment

by:NCSO
ID: 12361534
0
 

Author Comment

by:NCSO
ID: 12361546
OK that worked.  The list is a lot longer than the screen shot will allow.
0
 
LVL 7

Accepted Solution

by:
NetExpert earned 500 total points
ID: 12365203
Sysinternals has another product named Process Explorer which I am using. Try that and you will see all hidden processes listed (with provider name, explanation, etc). Sorry, but your screenshot is insufficient and I can't say anything about it except that your system looks suspicious (lots of outgoing connections to SMTP).

System is your system process, and 8 is its PID; that's how you have system:8. There is no such thing as system:8.exe.
System is a parent process which includes lots of child processes underneath, including things like svchost.exe, lsass.exe etc. You can't find it on Google anyway.

Port Explorer is for finding viruses by examining ports, but since you have a mail server, looking at your processes and trying to scan for viruses is a better way.

My conclusion is: you have a virus on your mailing system and it's using the System process to send mail out. Norton is not a very reliable tool when it comes to fixing viruses. Try something else (McAfee) and the Windows repair feature, or re-install the mail server.

0
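The netstat listing Tom asked for above, together with NetExpert's two points (that "system:8" is the System process with PID 8, and that a box with many outgoing SMTP connections looks suspicious), as an added example that is not part of the original thread: the script parses `netstat -ano` style output, groups connections per PID the way TCPView's process column does, and flags any PID with an abnormal fan-out to remote port 25. The sample listing, the process-name table and the threshold of 5 connections are constructed for illustration; the `-o` PID column is an XP-and-later feature that the Windows 2000 netstat in the thread does not have.

```python
"""Added example: attribute connections to PIDs from `netstat -ano` output
and flag a process with an unusual fan-out of outbound SMTP connections."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in `netstat -ano` format (XP and later; Windows 2000's
# netstat has no -o switch, so the PID column here is an assumption).
# PID 8 is the kernel's System process on Windows 2000.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:25        0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.10:1045      203.0.113.5:25         ESTABLISHED     8
  TCP    192.168.1.10:1046      203.0.113.9:25         ESTABLISHED     8
  TCP    192.168.1.10:1047      198.51.100.20:25       SYN_SENT        8
  TCP    192.168.1.10:1048      198.51.100.21:25       TIME_WAIT       8
  TCP    192.168.1.10:1049      198.51.100.22:25       TIME_WAIT       8
  TCP    192.168.1.10:1050      198.51.100.23:25       ESTABLISHED     8
  TCP    192.168.1.10:1051      192.0.2.40:25          ESTABLISHED     8
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       8
  TCP    192.168.1.10:3389      10.0.0.7:4421          ESTABLISHED     1204
  UDP    0.0.0.0:161            *:*                                    1120
"""

# Constructed process map (what tasklist / Process Explorer would show).
PROCESS_NAMES = {1588: "inetinfo.exe", 1204: "svchost.exe", 1120: "snmp.exe"}


class Conn(NamedTuple):
    proto: str
    lhost: str
    lport: Optional[int]
    fhost: str
    fport: Optional[int]
    state: str          # empty for UDP, which has no state column
    pid: int


# Data rows only; the header, blank lines and "Active Connections" do not match.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")


def _split_addr(addr: str):
    host, port = addr.rsplit(":", 1)      # rsplit keeps IPv6 "[::]:25" intact
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        conns.append(Conn(proto, lhost, lport, fhost, fport, state or "", int(pid)))
    return conns


def states_by_pid(conns: List[Conn]) -> Dict[int, Counter]:
    """{pid: Counter of states}: the per-process view TCPView gives."""
    out: Dict[int, Counter] = defaultdict(Counter)
    for c in conns:
        out[c.pid][c.state or "UDP"] += 1
    return dict(out)


def outbound_smtp_by_pid(conns: List[Conn], smtp_port: int = 25) -> Counter:
    """Connections *to* a remote SMTP port, per PID. A LISTENING socket on
    local port 25 is the mail server accepting mail and is not counted."""
    out: Counter = Counter()
    for c in conns:
        if c.proto == "TCP" and c.fport == smtp_port and c.state != "LISTENING":
            out[c.pid] += 1
    return out


def flag_mass_mailer(conns: List[Conn], threshold: int = 5) -> Dict[int, int]:
    """PIDs with at least `threshold` outbound SMTP connections in one snapshot."""
    return {pid: n for pid, n in outbound_smtp_by_pid(conns).items() if n >= threshold}


def describe_pid(pid: int, names: Dict[int, str], windows_2000: bool = True) -> str:
    """Resolve a PID to a name. The kernel's System process is PID 8 on
    Windows 2000 and PID 4 on XP and later; it has no .exe on disk, so a
    socket attributed to it was opened by kernel-mode code, not a user program."""
    system_pid = 8 if windows_2000 else 4
    if pid == system_pid:
        return "System (kernel, no .exe; socket opened by kernel-mode code)"
    return names.get(pid, "unknown")


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid, n in flag_mass_mailer(conns).items():
        print(f"PID {pid} = {describe_pid(pid, PROCESS_NAMES)}: {n} outbound SMTP, "
              f"states={dict(states_by_pid(conns)[pid])}")
```

Run against a real snapshot, the thing to look at is not the PID label but the owner: a user-mode mailer shows up as its own .exe, whereas a fan-out attributed to System points at kernel-mode code and is worth a driver-level hunt rather than another scan of Task Manager.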
 

Author Comment

by:NCSO
ID: 12368896
Port Explorer did run without a reboot and after running it, I too determined that "system:8" was a misnomer.  Port explorer just shows it as "system" and a process ID of 8.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12369426
Well, that only kind of clears things up, hehe. Where is system.exe located on your box?
I would be skeptical of this process. Put system.exe into Google and you'll see nothing but pages and pages of references to viruses. If you run Process Explorer... do you have any System.exe processes running? Or is there only one, called System, with no .exe extension?
To my knowledge there is no system.exe installed with 2000 Server. I just searched my Exchange box and found nothing. Even searched a 2000 Pro and XP Pro machine... no system.exe.

So does Process Explorer show a system.exe or just System?
0
 

Author Comment

by:NCSO
ID: 12369648
Don't have PE, but the only "system" process running in task manager is "system" with no extension.  I too was aware of the system.exe virus issue due to a recent infection.  I have become pretty familiar with what is normal for processes running in task manager.  As a matter of fact one of the first steps I took was to either rule out or look up every process running on the machine.  I will get the PE just to be sure though.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12369681
Free Sysinternals Download (Process Explorer)
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml (download at the bottom)
0
 

Author Comment

by:NCSO
ID: 12369795
I got it.  PE also only shows "system" with no extension.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12370236
The system process contains system threads, which are kernel mode threads. Windows and various device drivers create system process threads for various reasons. For example, the memory manager creates system threads for performing virtual memory tasks, the cache manager uses system threads for managing cache memory, and the floppy disk driver uses a system thread to monitor the floppy drives. I don't know how this will help figure out why there are so many instances of System. If I think of anything else I'll post back again.
0
 
LVL 7

Expert Comment

by:NetExpert
ID: 12370814
That's OK.
First, there should be a '+' sign to the left of the 'system' process (viewing with PE). Click it and PE will list all child processes under System's control. See if anything is odd, and try to kill unknown processes to see if you still have problems with mail (there will be an explanation next to each process).

Or click on the 'system' process. There will be a small frame below the navigation window showing things used by 'system', with type and name (such as Directory, Event, File, Key, Thread, Process etc). Have a close look at that (especially at the File references), and you may find something that is not yours (quite hard to see, but it's time to get used to your system :) ). For anything suspicious, search Google for a virus reference.

Anyway, I think you'd better try another virus scanner, and a malware and trojan scanner. Even verify the integrity of your system and mail server. As far as I know, Norton is no use against trojans and mass mailers.

Good luck again.
0
 

Author Comment

by:NCSO
ID: 12374606
Running two spyware scanners against it now.  Don't know why I didn't think to do that before.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12376997
Which two are you running? Might want to give it another virus scan..just in case...
http://housecall.antivirus.com/housecall/start_frame.asp
0
 

Author Comment

by:NCSO
ID: 12380317
AdAware and Spysweeper and also ran another virus scan.  Only found Alexa Toolbar and the usual cookies.  I think I am going to start from scratch on this box.  After talking to GFI I need to update the ME software anyway, which will require a scratch load.  Thanks for all the help everyone!
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12380355
You accepted an answer but you gave no solution. What was causing the email flood?
0
 

Author Comment

by:NCSO
ID: 12380382
Everyone helped, but NetExpert got the points because he picked up on the fact that system:8 was not actually a "process".
0