Solved

Windows SBS 2008 scans old subnet

Posted on 2011-09-05
12
498 Views
Last Modified: 2012-06-27
We have a Windows SBS 2008 which replaced a Windows 2000 Standard server. Together with the migration we changed the internal subnet, this because someone in the past had chosen 90.1.0.0/24 as the internal subnet. During a short time both the old and the new subnet (192.168.111.0/24) where configured on the server and in use. After the migration, we removed the 19.1.0.0/24 subnet from the server and all PCs.
But at the moment the SBS server does a scan of the 90.1.0.0/24 subnet at regular intervals, e.g. one of theses starts at 4:00pm everyday. It checks every address in the range through pings, it sends snmp, netbios (port 139) and smb over tcp (port 445) requests. The process from which this originates is the system process. This matters because the subnet it scans is a public subnet.
I have checked for traces of the 90.1.0.0/24 address in the registry and removed everything, but the problem stays.
What causes this?

- Jac
0
Comment
Question by:JacBackus
  • 6
  • 5
12 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 36484714
Interesting that it runs at precisely 4PM.  What is in Control Panel - Scheduled Tasks that might trigger this, and what, if anything, is called by the scheduled task?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 36484749
This sounds like a 3rd party app doing the scan, not a windows process. Anything installed that does IP or device monitoring?
0
 

Author Comment

by:JacBackus
ID: 36484836
@RobWill: YES. Kaspersky Administration Kit. It did a network scan of the 90.1.0.0/24 net and I did not remove this range. Thanks! I never checked the Administration Kit because the scan originated from the system process.

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36484882
Good to hear. Kaspersy would be run using the system account so it would show up as a system process.
Thanks Jac
Cheers!
--Rob
0
 

Author Comment

by:JacBackus
ID: 36485060
BTW: Is there a way to see which service uses the system account to contact a certain address through the system process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485172
I don't know of a way to tell what services use the system account but the opposite is possible. If you look at the properties of a service in the services management console you can see what account it uses.
Process Monitor might help:
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:JacBackus
ID: 36485227
Sysinternals Process Monitor and TCPview both show the address as belonging to the system process.
It would be nice if you somehow could see which connection belongs to which service.

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485338
you can run from a command line:
netstat -ano
on the far right of the connection is the PID (process ID) which you can find in the task manager. You may have to add the PID column under view. However most often it too returns system
0
 

Author Comment

by:JacBackus
ID: 36485352
Rob, thanks. But in this case it did also return system...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485382
The only way to do it for sure is to use a packet sniffer like wireshark and did through thousands of pages of logs and locate it. Using filters can save a lot of time.
http://www.wireshark.org/
0
 

Author Comment

by:JacBackus
ID: 36485416
RobWill, thanks for still  answering with the points already given. But I would have found the problem myself if I could have traced it to Kaspersky Administration Kit.
I found the traffic to the 90.1.0.0/24 subnet through wireshark and and filter for traffic with a destination outside the local subnet. But is there a way to relate traffic this way to a process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485451
I don't know. Wirshark usually requires combining a lot of assumptions based on protocols, ports used, and such, combined with personal experience and knowlege. Most often it will not tell you the actual application/process but knowing the types of traffic generated by a process you can usually narrow it down.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now