Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Windows SBS 2008 scans old subnet

Posted on 2011-09-05
12
Medium Priority
?
536 Views
Last Modified: 2012-06-27
We have a Windows SBS 2008 which replaced a Windows 2000 Standard server. Together with the migration we changed the internal subnet, this because someone in the past had chosen 90.1.0.0/24 as the internal subnet. During a short time both the old and the new subnet (192.168.111.0/24) where configured on the server and in use. After the migration, we removed the 19.1.0.0/24 subnet from the server and all PCs.
But at the moment the SBS server does a scan of the 90.1.0.0/24 subnet at regular intervals, e.g. one of theses starts at 4:00pm everyday. It checks every address in the range through pings, it sends snmp, netbios (port 139) and smb over tcp (port 445) requests. The process from which this originates is the system process. This matters because the subnet it scans is a public subnet.
I have checked for traces of the 90.1.0.0/24 address in the registry and removed everything, but the problem stays.
What causes this?

- Jac
0
Comment
Question by:JacBackus
  • 6
  • 5
12 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 36484714
Interesting that it runs at precisely 4PM.  What is in Control Panel - Scheduled Tasks that might trigger this, and what, if anything, is called by the scheduled task?
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 36484749
This sounds like a 3rd party app doing the scan, not a windows process. Anything installed that does IP or device monitoring?
0
 

Author Comment

by:JacBackus
ID: 36484836
@RobWill: YES. Kaspersky Administration Kit. It did a network scan of the 90.1.0.0/24 net and I did not remove this range. Thanks! I never checked the Administration Kit because the scan originated from the system process.

- Jac
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 78

Expert Comment

by:Rob Williams
ID: 36484882
Good to hear. Kaspersy would be run using the system account so it would show up as a system process.
Thanks Jac
Cheers!
--Rob
0
 

Author Comment

by:JacBackus
ID: 36485060
BTW: Is there a way to see which service uses the system account to contact a certain address through the system process?

- Jac
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36485172
I don't know of a way to tell what services use the system account but the opposite is possible. If you look at the properties of a service in the services management console you can see what account it uses.
Process Monitor might help:
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 

Author Comment

by:JacBackus
ID: 36485227
Sysinternals Process Monitor and TCPview both show the address as belonging to the system process.
It would be nice if you somehow could see which connection belongs to which service.

- Jac
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36485338
you can run from a command line:
netstat -ano
on the far right of the connection is the PID (process ID) which you can find in the task manager. You may have to add the PID column under view. However most often it too returns system
0
 

Author Comment

by:JacBackus
ID: 36485352
Rob, thanks. But in this case it did also return system...
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36485382
The only way to do it for sure is to use a packet sniffer like wireshark and did through thousands of pages of logs and locate it. Using filters can save a lot of time.
http://www.wireshark.org/
0
 

Author Comment

by:JacBackus
ID: 36485416
RobWill, thanks for still  answering with the points already given. But I would have found the problem myself if I could have traced it to Kaspersky Administration Kit.
I found the traffic to the 90.1.0.0/24 subnet through wireshark and and filter for traffic with a destination outside the local subnet. But is there a way to relate traffic this way to a process?

- Jac
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36485451
I don't know. Wirshark usually requires combining a lot of assumptions based on protocols, ports used, and such, combined with personal experience and knowlege. Most often it will not tell you the actual application/process but knowing the types of traffic generated by a process you can usually narrow it down.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question