Solved

Windows SBS 2008 scans old subnet

Posted on 2011-09-05
Last Modified: 2012-06-27
We have a Windows SBS 2008 which replaced a Windows 2000 Standard server. Together with the migration we changed the internal subnet, because someone in the past had chosen 90.1.0.0/24 as the internal subnet. During a short time both the old and the new subnet (192.168.111.0/24) were configured on the server and in use. After the migration, we removed the 19.1.0.0/24 subnet from the server and all PCs.
But at the moment the SBS server does a scan of the 90.1.0.0/24 subnet at regular intervals, e.g. one of these starts at 4:00pm every day. It checks every address in the range through pings, and it sends SNMP, NetBIOS (port 139) and SMB over TCP (port 445) requests. The process from which this originates is the system process. This matters because the subnet it scans is a public subnet.
I have checked for traces of the 90.1.0.0/24 address in the registry and removed everything, but the problem stays.
What causes this?

- Jac
0
Comment
Question by:JacBackus
12 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 36484714
Interesting that it runs at precisely 4PM.  What is in Control Panel - Scheduled Tasks that might trigger this, and what, if anything, is called by the scheduled task?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 36484749
This sounds like a 3rd party app doing the scan, not a Windows process. Anything installed that does IP or device monitoring?
0
 

Author Comment

by:JacBackus
ID: 36484836
@RobWill: YES. Kaspersky Administration Kit. It did a network scan of the 90.1.0.0/24 net and I did not remove this range. Thanks! I never checked the Administration Kit because the scan originated from the system process.

- Jac
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 36484882
Good to hear. Kaspersky would be run using the system account so it would show up as a system process.
Thanks Jac
Cheers!
--Rob
0
 

Author Comment

by:JacBackus
ID: 36485060
BTW: Is there a way to see which service uses the system account to contact a certain address through the system process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485172
I don't know of a way to tell what services use the system account but the opposite is possible. If you look at the properties of a service in the services management console you can see what account it uses.
Process Monitor might help:
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 

Author Comment

by:JacBackus
ID: 36485227
Sysinternals Process Monitor and TCPview both show the address as belonging to the system process.
It would be nice if you somehow could see which connection belongs to which service.

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485338
You can run from a command line:
netstat -ano
On the far right of the connection is the PID (process ID), which you can find in the task manager. You may have to add the PID column under view. However, most often it too returns system.
0
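An added example (not part of the original thread): a Python script that joins saved `netstat -ano` output with `tasklist /svc /fo csv` output, listing connections into the old 90.1.0.0/24 range together with the services hosted by each owning PID. The sample outputs and the name ExampleAgentSvc are constructed; as the thread found, anything owned by PID 4 (System) cannot be attributed this way.

```python
import csv
import io
import ipaddress
# Constructed `netstat -ano` sample (not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.111.2:49201    90.1.0.17:445          SYN_SENT        4
  TCP    192.168.111.2:49202    90.1.0.18:139          SYN_SENT        4
  TCP    192.168.111.2:49310    90.1.0.18:80           ESTABLISHED     1840
  TCP    192.168.111.2:3389     192.168.111.50:51122   ESTABLISHED     1212
  UDP    0.0.0.0:161            *:*                                    2096
"""
# Constructed `tasklist /svc /fo csv` sample; ExampleAgentSvc is hypothetical.
TASKLIST = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","1212","TermService"
"exampleagent.exe","1840","ExampleAgentSvc"
'''
SYSTEM_PID = 4  # kernel-mode drivers (e.g. the SMB client) send from here

def services_by_pid(tasklist_csv):
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): (r["Image Name"], r["Services"]) for r in rows}

def connections_to(netstat_text, subnet):
    net = ipaddress.ip_network(subnet)
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        host = parts[2].rsplit(":", 1)[0].strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*" on UDP listeners, scoped IPv6, etc.
        if addr in net:
            hits.append((parts[2], int(parts[-1])))
    return hits

def attribute(netstat_text, tasklist_csv, subnet):
    owners = services_by_pid(tasklist_csv)
    out = []
    for remote, pid in connections_to(netstat_text, subnet):
        image, svcs = owners.get(pid, ("unknown", "N/A"))
        if pid == SYSTEM_PID:
            svcs = "kernel-mode, not attributable by PID"
        out.append((remote, pid, image, svcs))
    return out
```
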
 

Author Comment

by:JacBackus
ID: 36485352
Rob, thanks. But in this case it did also return system...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485382
The only way to do it for sure is to use a packet sniffer like Wireshark and dig through thousands of pages of logs and locate it. Using filters can save a lot of time.
http://www.wireshark.org/
0
 

Author Comment

by:JacBackus
ID: 36485416
RobWill, thanks for still answering with the points already given. But I would have found the problem myself if I could have traced it to Kaspersky Administration Kit.
I found the traffic to the 90.1.0.0/24 subnet through Wireshark and a filter for traffic with a destination outside the local subnet. But is there a way to relate traffic this way to a process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36485451
I don't know. Wireshark usually requires combining a lot of assumptions based on protocols, ports used, and such, combined with personal experience and knowledge. Most often it will not tell you the actual application/process but knowing the types of traffic generated by a process you can usually narrow it down.
0
