Solved

SBS2008 Huge daily downloads

Posted on 2012-03-23
14
369 Views
Last Modified: 2012-03-28
Since replacing a motherboard and re-loading SBS2008 I have just discovered that my daily downloads have increased from 400Mb's per day to 3Gb's and I can't find out how to find out what is causing this.
All I know is that it is the server.
I have tested the server for spyware and viruses = none.
I suspect Windows updates-could the server be trying to download an update that isnt getting installed? I am going to turn off Windows updates - reluctantly.
Thanks - John
0
Comment
Question by:JSlatem
  • 8
  • 6
14 Comments
 
LVL 30

Accepted Solution

by:
IanTh earned 500 total points
ID: 37756520
there have been so many windows updates recently from m$ due to the fact that rdp has been compromised and servers all over the place started to get hacked from chinese ip addresses

if you want to minimise your down loads use wsus
wsus can then do the windows update role for your domain
0
 

Author Comment

by:JSlatem
ID: 37756607
I have just spent a week resolving exactly the issue (rdp/chinese ip) you have just described!!!

I have just turned RDP off on the router (and will do this for all of my clients)

What puzzles me is that, with 200Mb per hour being downloaded (this is an average as the ISP tells me that the majority is happening between 7pm and 7am) I would have liked to use a prog to view my bandwidth and then see cause and effect but I can't find one?

I have also turned off Window Updates in Services (I only have 6 users on the network and only 2 of those connected to the domain) so WSUS isnt an advantage.

Thanks for your input but I am not sure that we have traked this one down yet.

Regards John
0
 
LVL 30

Expert Comment

by:IanTh
ID: 37756956
do you actually need rdp on the server as if you do

m$ has got a patch
see
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
0
 

Author Comment

by:JSlatem
ID: 37760356
The issue seems to be that ever since installing the new board and re-installing SBS (Sun 4th Mar), something in the setup is downloading all the time and I need to find out what it is and stop it.
I know that it isn't anything to do with Exchange because the SMTP feed wasn't turned on until two days after.
This download (5Gb per day) started the moment that the server was restarted. Uploads are unaffected.
I turned of WSUS and Windows Update services - no change.
Does anybody know of a programme that will tell me what is being downloaded or the port that is being used?
At the moment the server is off but clearly this is not sustainable.
The only obvious route at the moment would be to re-load SBS!
Thanks John
0
 
LVL 30

Expert Comment

by:IanTh
ID: 37760462
no I suspect your problem could be the rdp compromise which means you get loads of chinese ip addresses coming through rdp

have you got ms12-020 installed
I think you need KB2621440

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

replaceing he motherboard and it started are more than likely a coincidence
this problem started the 13 march
0
 

Author Comment

by:JSlatem
ID: 37762573
Hi Ian

Thanks for your help.

KB2621440 was installed on the 14th March but I am not sure what you mean by MS12-020. Could you please explain?

Regards John
0
 
LVL 30

Expert Comment

by:IanTh
ID: 37762583
ms12-020 is kb2621440

does event veiwer on the server give you any explanation as to the downloads I know m$ is doing a hell of a lot
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:JSlatem
ID: 37764870
Hi Ian

There no clues in EM or rather I cant seem to see anything obvious.

Slightly puzzled with the lack of ideas out there (I've also posted the request for help on the MS Technet forum with no response so far).

Today (Monday) I turned of Windows Update Services for two hours - no change then Exchange at 10am so we'll see if there is any change in the next 2 hours.

Beginning to think that the only solution is to reload SBS.

Regards John
0
 
LVL 30

Expert Comment

by:IanTh
ID: 37765031
if you dont get anything in event viewer dont you think thats puzzling

I think what your downloads are if not updates and not shown in event viewer are pointing to malicious activety
0
 

Author Comment

by:JSlatem
ID: 37765469
Dear Ian

I have now established that the cause of the problem is Exchange! Having turned it off the downloads stop. Resolving this is now the problem :-(

I have spoken with the ISP and there are on 50k's worth of mail waiting to download so it's not something large but what is it?

Any thoughts?

Regards John
0
 

Author Comment

by:JSlatem
ID: 37776051
Hi all

The solution or rather the culprit was Forefront Security (part of Exchange). I didn't see it as an option when I loaded SBS and don't need it as my mail is filtered by Webroot before sending to Exchange.

Having un-installed, my download levels have returned to their previous levels (if not slightly lower!).
0
 

Author Closing Comment

by:JSlatem
ID: 37776062
I appreciated Ian's input however my last answer was the solution.
0
 
LVL 30

Expert Comment

by:IanTh
ID: 37776502
so it was just email then ?
0
 

Author Comment

by:JSlatem
ID: 37776510
It seems that Forefront Security was downloading new spam definitions so it wasnt the email per see but something wrong with the spam engine.

I have some more info on the Windows MAP Forum which I will send to you later.

Regards John
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This very simple solution applies to a narrow cross-section of the "needs to close" variety. In this case, the full message in Event Viewer was in applog, Event ID 1000: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module …
The System Center Operations Manager 2012, known as SCOM, is a part of the Microsoft system center product that provides the user with infrastructure monitoring and application performance monitoring. SCOM monitors:   Windows or UNIX/LinuxNetwo…
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…
The viewer will learn how to use a discrete random variable to simulate the return on an investment over a period of years, create a Monte Carlo simulation using the discrete random variable, and create a graph to represent the possible returns over…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now