Solved

Windows SBS 2008 scans old subnet

Posted on 2011-09-05
12
495 Views
Last Modified: 2012-06-27
We have a Windows SBS 2008 which replaced a Windows 2000 Standard server. Together with the migration we changed the internal subnet, this because someone in the past had chosen 90.1.0.0/24 as the internal subnet. During a short time both the old and the new subnet (192.168.111.0/24) where configured on the server and in use. After the migration, we removed the 19.1.0.0/24 subnet from the server and all PCs.
But at the moment the SBS server does a scan of the 90.1.0.0/24 subnet at regular intervals, e.g. one of theses starts at 4:00pm everyday. It checks every address in the range through pings, it sends snmp, netbios (port 139) and smb over tcp (port 445) requests. The process from which this originates is the system process. This matters because the subnet it scans is a public subnet.
I have checked for traces of the 90.1.0.0/24 address in the registry and removed everything, but the problem stays.
What causes this?

- Jac
0
Comment
Question by:JacBackus
  • 6
  • 5
12 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
Comment Utility
Interesting that it runs at precisely 4PM.  What is in Control Panel - Scheduled Tasks that might trigger this, and what, if anything, is called by the scheduled task?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Comment Utility
This sounds like a 3rd party app doing the scan, not a windows process. Anything installed that does IP or device monitoring?
0
 

Author Comment

by:JacBackus
Comment Utility
@RobWill: YES. Kaspersky Administration Kit. It did a network scan of the 90.1.0.0/24 net and I did not remove this range. Thanks! I never checked the Administration Kit because the scan originated from the system process.

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Good to hear. Kaspersy would be run using the system account so it would show up as a system process.
Thanks Jac
Cheers!
--Rob
0
 

Author Comment

by:JacBackus
Comment Utility
BTW: Is there a way to see which service uses the system account to contact a certain address through the system process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I don't know of a way to tell what services use the system account but the opposite is possible. If you look at the properties of a service in the services management console you can see what account it uses.
Process Monitor might help:
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:JacBackus
Comment Utility
Sysinternals Process Monitor and TCPview both show the address as belonging to the system process.
It would be nice if you somehow could see which connection belongs to which service.

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
you can run from a command line:
netstat -ano
on the far right of the connection is the PID (process ID) which you can find in the task manager. You may have to add the PID column under view. However most often it too returns system
0
 

Author Comment

by:JacBackus
Comment Utility
Rob, thanks. But in this case it did also return system...
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
The only way to do it for sure is to use a packet sniffer like wireshark and did through thousands of pages of logs and locate it. Using filters can save a lot of time.
http://www.wireshark.org/
0
 

Author Comment

by:JacBackus
Comment Utility
RobWill, thanks for still  answering with the points already given. But I would have found the problem myself if I could have traced it to Kaspersky Administration Kit.
I found the traffic to the 90.1.0.0/24 subnet through wireshark and and filter for traffic with a destination outside the local subnet. But is there a way to relate traffic this way to a process?

- Jac
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I don't know. Wirshark usually requires combining a lot of assumptions based on protocols, ports used, and such, combined with personal experience and knowlege. Most often it will not tell you the actual application/process but knowing the types of traffic generated by a process you can usually narrow it down.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now