Solved

Windows SBS 2008 scans old subnet

Posted on 2011-09-05
12
501 Views
Last Modified: 2012-06-27
We have a Windows SBS 2008 which replaced a Windows 2000 Standard server. Together with the migration we changed the internal subnet, this because someone in the past had chosen 90.1.0.0/24 as the internal subnet. During a short time both the old and the new subnet (192.168.111.0/24) where configured on the server and in use. After the migration, we removed the 19.1.0.0/24 subnet from the server and all PCs.
But at the moment the SBS server does a scan of the 90.1.0.0/24 subnet at regular intervals, e.g. one of theses starts at 4:00pm everyday. It checks every address in the range through pings, it sends snmp, netbios (port 139) and smb over tcp (port 445) requests. The process from which this originates is the system process. This matters because the subnet it scans is a public subnet.
I have checked for traces of the 90.1.0.0/24 address in the registry and removed everything, but the problem stays.
What causes this?

- Jac
0
Comment
Question by:JacBackus
  • 6
  • 5
12 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 36484714
Interesting that it runs at precisely 4PM.  What is in Control Panel - Scheduled Tasks that might trigger this, and what, if anything, is called by the scheduled task?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 36484749
This sounds like a 3rd party app doing the scan, not a windows process. Anything installed that does IP or device monitoring?
0
 

Author Comment

by:JacBackus
ID: 36484836
@RobWill: YES. Kaspersky Administration Kit. It did a network scan of the 90.1.0.0/24 net and I did not remove this range. Thanks! I never checked the Administration Kit because the scan originated from the system process.

- Jac
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 77

Expert Comment

by:Rob Williams
ID: 36484882
Good to hear. Kaspersy would be run using the system account so it would show up as a system process.
Thanks Jac
Cheers!
--Rob
0
 

Author Comment

by:JacBackus
ID: 36485060
BTW: Is there a way to see which service uses the system account to contact a certain address through the system process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485172
I don't know of a way to tell what services use the system account but the opposite is possible. If you look at the properties of a service in the services management console you can see what account it uses.
Process Monitor might help:
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 

Author Comment

by:JacBackus
ID: 36485227
Sysinternals Process Monitor and TCPview both show the address as belonging to the system process.
It would be nice if you somehow could see which connection belongs to which service.

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485338
you can run from a command line:
netstat -ano
on the far right of the connection is the PID (process ID) which you can find in the task manager. You may have to add the PID column under view. However most often it too returns system
0
 

Author Comment

by:JacBackus
ID: 36485352
Rob, thanks. But in this case it did also return system...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485382
The only way to do it for sure is to use a packet sniffer like wireshark and did through thousands of pages of logs and locate it. Using filters can save a lot of time.
http://www.wireshark.org/
0
 

Author Comment

by:JacBackus
ID: 36485416
RobWill, thanks for still  answering with the points already given. But I would have found the problem myself if I could have traced it to Kaspersky Administration Kit.
I found the traffic to the 90.1.0.0/24 subnet through wireshark and and filter for traffic with a destination outside the local subnet. But is there a way to relate traffic this way to a process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485451
I don't know. Wirshark usually requires combining a lot of assumptions based on protocols, ports used, and such, combined with personal experience and knowlege. Most often it will not tell you the actual application/process but knowing the types of traffic generated by a process you can usually narrow it down.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
NTFS Permissions 6 48
How to remove users in file list from specific AD group? 3 40
Why does my public IP keep changing? 6 64
Comcast Static IP Addresses 13 39
I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question