• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 547

Firewall blocking a request from our vcentre to external site

I have a WatchGuard firewall which has served well so far. After close monitoring it appears that one of our vCenter servers is sending requests to an external website. This should not be happening as far as I am aware. I have copied the firewall log below but need to know how I find out from the actual vCenter where this traffic request is coming from and how to stop it.

2011-12-16 10:19:37 Deny 'ip of vcentre1' 218.213.229.70 http/tcp 60799 80 vlan1 0-External blocked sites 52 127 (Internal Policy)  proc_id="firewall" rc="101" tcp_info="offset 8 S 3023457499 win 32"       Traffic

I have blocked 218.213.229.70 as it is unknown to me, but would like to stop the server from sending the request altogether.

I am currently using McAfee and all DATs are up to date on this vCenter.
Asked by: IT_User
1 Solution
 
PenguinN commented:
OK, if you have any relation to the company shown at the link http://revip.info/ipinfo/218.213.229.70, you probably know what you are looking for.

If not:

Log on to vcenter1 and open a command prompt.
Type: netstat -aon
This will list all ports and their process identifiers (PID).
Next, see if you can spot 218.213.229.70 and what PID is trying to connect.

Now open Task Manager and select the columns you want to see; select PID and track down the PID you found in netstat.

If you have a match you can troubleshoot the program or application trying to set up this connection.
 
IT_User (Author) commented:
As far as I am aware we have no relation to the company whatsoever. Our vCenters were installed by an external company, but having gone through all of the documentation they left for us I can find no trace of either the company name or IP. I have found the IP via Task Manager as instructed above and this is my finding; I now have no idea where to go from here, can you help?

The item concerned is highlighted.
[Screenshot attachment: untitled.bmp]
 
IT_User (Author) commented:
After further investigation, this is in the SYSWOW folder?
 
PenguinN commented:
You can also select the file path column in Task Manager if you use Windows 2008 to see where this file is located, and if you run a 64-bit machine, which by the looks of it you do. Try right-clicking the svchost32 entry and selecting "Go to Service(s)" to see what service it is related to.
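The two replies above describe one procedure by hand: find the socket to the logged IP with netstat -aon, map its PID to a process in Task Manager, check the image path, then use "Go to Service(s)" to see which services that PID hosts. The script below is an added example that ties those steps together on the vCenter host itself; it is not code from the thread or from VMware, WatchGuard or Microsoft. It assumes an elevated Windows PowerShell prompt on the server, uses the IP from the firewall log as its default, and by default runs against a constructed sample of netstat output (PID 1496 and the local addresses are invented for illustration); pass -Live to parse the real netstat -aon.

```powershell
# Added example (not from the thread): remote IP from the firewall log
#   -> local socket and PID (netstat -aon)
#   -> process name, image path and Authenticode status
#   -> services hosted by that PID (what Task Manager's "Go to Service(s)" shows).
param(
    [string]$RemoteIp = '218.213.229.70',   # destination seen in the WatchGuard log
    [switch]$Live                            # parse the real 'netstat -aon' instead of the sample
)

# Constructed sample of 'netstat -aon' output. Columns: Proto, Local, Foreign, State, PID.
# UDP rows have no State column, which the parser accounts for.
$SampleNetstat = @(
    '  TCP    10.0.0.5:60799     218.213.229.70:80    SYN_SENT       1496',
    '  TCP    10.0.0.5:443       10.0.0.20:51234      ESTABLISHED    4',
    '  UDP    0.0.0.0:123        *:*                                 1020'
)

function Get-ConnectionsTo {
    # Returns one object per socket whose foreign address is the given IP.
    param([string]$Ip, [string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[2] -like "${Ip}:*") {
            [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
        }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4 -and $f[2] -like "${Ip}:*") {
            [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = ''; PID = [int]$f[3] }
        }
    }
}

function Get-ProcessContext {
    # Resolves a PID to its process, image path, signature status and hosted services.
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '(not running)' }
    $path = if ($proc) { $proc.Path } else { $null }
    # A genuine svchost.exe lives in %SystemRoot%\System32 (or SysWOW64 for 32-bit) and is
    # Microsoft-signed; an unsigned copy, or one elsewhere, is the thing to scan.
    $sig  = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'unknown' }
    # Win32_Service.ProcessId links each service to the process that hosts it.
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    $svcText = ($svcs | ForEach-Object { "$($_.Name) -> $($_.PathName)" }) -join '; '
    [pscustomobject]@{
        PID       = $ProcessId
        Process   = $name
        Path      = $path
        Signature = $sig        # 'Valid' expected for a Microsoft binary
        Services  = $svcText    # compare each service's PathName with the process path
    }
}

$lines = if ($Live) { netstat -aon } else { $SampleNetstat }
$hits  = @(Get-ConnectionsTo -Ip $RemoteIp -NetstatLines $lines)
if ($hits.Count -eq 0) {
    # A beacon may hold the socket only briefly; sample repeatedly, e.g. 'netstat -aon 5'.
    Write-Output "No sockets to $RemoteIp at this moment; re-run or sample netstat at an interval."
    return
}
$hits | Format-Table -AutoSize
$hits | Select-Object -ExpandProperty PID -Unique | ForEach-Object { Get-ProcessContext -ProcessId $_ } | Format-List

# Containment once the hosting service is known (the thread's next step), e.g.:
#   Stop-Service -Name <ServiceName>
#   Set-Service  -Name <ServiceName> -StartupType Disabled
# then run the AV / anti-rootkit scan against the image path reported above.
```

Against the constructed sample the script reports PID 1496 for the SYN_SENT socket to 218.213.229.70:80 and then looks that PID up on the machine it runs on; with -Live it does the same for whatever is actually connecting. The Services column is the script's equivalent of "Go to Service(s)": a service whose PathName points at a binary other than the process path, or a process whose signature is not Valid, is what the later AV and rootkit scan should target.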
 
IT_User (Author) commented:
The service says it's related to Nwsapagent, which appears to be the genuine MS Font Cache. If this is correct, why is it trying to reach the destination 218.213.229.70 via PID 1496? Sorry, but the more I look at it the more confused I become!!

The Nwsapagent service is started on this vCenter.
 
PenguinN commented:
You could disable the service for now and see if everything stays functional. When it is disabled you can try to scan the server with AV tools etc. Also run RootkitRevealer.
 
IT_User (Author) commented:
Found the cause of this to be a virus. Have conversed with McAfee and had a custom extra.dat. The virus has now been removed, thank you for your help.
 
IT_User (Author) commented:
Excellent help in diagnosing the issue.