Firewall blocking a request from our vCenter to an external site

I have a WatchGuard firewall which has served well so far. After close monitoring it appears that one of our vCenter servers is sending requests to an external website. This should not be happening as far as I am aware. I have copied the firewall log below but need to know how I find out from the actual vCenter where this traffic request is coming from and how to stop it.

2011-12-16 10:19:37 Deny 'ip of vcentre1' 218.213.229.70 http/tcp 60799 80 vlan1 0-External blocked sites 52 127 (Internal Policy)  proc_id="firewall" rc="101" tcp_info="offset 8 S 3023457499 win 32"       Traffic

I have blocked 218.213.229.70 as it is unknown to me, but would like to stop the server from sending the request altogether.

I am currently using McAfee and all DATs are up to date on this vCenter.

Asked by IT_User
PenguinN commented:
OK, if you have any relation to the company shown in the link http://revip.info/ipinfo/218.213.229.70 you probably know what you are looking for.

If not:

Log on to vcenter1 and open a command prompt.
Type: netstat -aon
This will list all ports and their process identifiers (PID).
Next, see if you can spot 218.213.229.70 and what PID is trying to connect.

Now open Task Manager and select the columns you want to see; select PID and track down the PID you found in netstat.

If you have a match you can troubleshoot the program or application trying to set up this connection.

IT_User (author) commented:
As far as I am aware we have no relation to the company whatsoever. Our vCenters were installed by an external company, but having gone through all of the documentation they left for us I can find no trace of either the company name or IP. I have found the IP via Task Manager as instructed above and this is my finding; I now have no idea where to go from here, can you help?

The item concerned is highlighted. (Attachment: untitled.bmp)
IT_User (author) commented:
After further investigation, this is in the SYSWOW folder?
PenguinN commented:
You can also select the file path column in Task Manager if you use Windows 2008 to see where this file is located. If you run a 64-bit machine, and by the looks of it you do, try right-clicking the svchost32 and selecting "Go to Service(s)" to see what service it is related to.
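PenguinN's two comments above describe one manual procedure: netstat -aon to find the PID that owns the socket to the remote address, then Task Manager to find the image path and, for a generic host process, the services it is running. The script below is an added example that does the same in one pass; it is not from the thread, not a PenguinN or VMware tool, and it assumes a Windows Server 2008-era host with PowerShell 2.0 or later, run from an elevated prompt on the server named in the firewall log (the remote address defaults to the one in that log). It also adds the check a practitioner wants for a service hosted inside svchost.exe: the DLL that service really loads is the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, and its path and Authenticode status are what distinguish a genuine Microsoft service from something that only borrowed the service name.

```powershell
# Added example, not from the thread. Assumptions: PowerShell 2.0+ on Windows Server 2008 (or later),
# elevated prompt on the server that appears in the firewall log; $RemoteIp defaults to the
# address seen in that log.
param(
    [string]$RemoteIp = '218.213.229.70'
)

# 1. netstat -ano (the same switches as -aon): every TCP/UDP endpoint with its owning PID.
#    Example row:  TCP    10.0.0.5:60799    218.213.229.70:80    SYN_SENT    1496
$hits = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -ge 4 -and (@('TCP', 'UDP') -contains $f[0])) {
        # Remote endpoint is the third column; drop the ":port" suffix (also works for [IPv6] forms).
        $remote = $f[2] -replace ':\d+$', ''
        if ($remote -eq $RemoteIp) {
            $state = ''
            if ($f[0] -eq 'TCP') { $state = $f[3] }   # UDP rows have no state column
            New-Object PSObject -Property @{
                Proto    = $f[0]
                Local    = $f[1]
                Remote   = $f[2]
                State    = $state
                OwnerPid = [int]$f[-1]                # PID is always the last column
            }
        }
    }
}

if (-not $hits) {
    Write-Output "No current socket to $RemoteIp (a blocked SYN lives only seconds; re-run or loop)."
    return
}
$hits | Format-Table Proto, Local, Remote, State, OwnerPid -AutoSize

# 2. For each owning PID: image path, command line, signature, hosted services and each
#    service's real code (ServiceDll) when the process is a generic host such as svchost.exe.
foreach ($p in ($hits | ForEach-Object { $_.OwnerPid } | Sort-Object -Unique)) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $p"
    if (-not $proc) { Write-Output "PID $p has already exited."; continue }

    Write-Output ("PID {0}: {1}" -f $p, $proc.Name)
    Write-Output ("  Path        : {0}" -f $proc.ExecutablePath)   # SysWOW64 = 32-bit image on a 64-bit host
    Write-Output ("  CommandLine : {0}" -f $proc.CommandLine)
    if ($proc.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath -ErrorAction SilentlyContinue
        Write-Output ("  Signature   : {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    }

    # Services running inside this PID (equivalent of Task Manager's "Go to Service(s)").
    foreach ($s in (Get-WmiObject Win32_Service -Filter "ProcessId = $p")) {
        Write-Output ("  Service     : {0} ({1})" -f $s.Name, $s.DisplayName)
        Write-Output ("    Binary    : {0}" -f $s.PathName)
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).ServiceDll
            if ($dll) {
                $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
                $dllSig  = Get-AuthenticodeSignature -FilePath $dllPath -ErrorAction SilentlyContinue
                Write-Output ("    ServiceDll: {0}  [{1}]" -f $dllPath, $dllSig.Status)
            }
        }
    }
}
```

Because the firewall drops the SYN, the socket to the remote address exists only while the retries run, so step 1 may come up empty on a single pass; once a PID is known from any pass (or from the firewall log's timing plus netstat -anob, which prints image names directly from an elevated prompt), step 2 is the part that matters. A service whose ServiceDll sits outside the expected system directory, or whose DLL is not signed by Microsoft, is the thing to hand to the AV vendor.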
IT_User (author) commented:
The service says it's related to Nwsapagent, which appears to be the genuine MS Font Cache. If this is correct, why is it trying to reach the destination 218.213.229.70 via PID 1496? Sorry, but the more I look at it the more confused I become!

The Nwsapagent service is started on this vCenter.
PenguinN commented:
You could disable the service for now and see if everything stays functional. When it is disabled you can try to scan the server with AV tools etc. Also run RootkitRevealer.
IT_User (author) commented:
Found the solution to this to be a virus. Have conversed with McAfee and had a custom extra.dat. The virus has now been removed; thank you for your help.
IT_User (author) commented:
Excellent help in diagnosing the issue.