Solved

Windows 2008 R2 servers are communicating with suspicious IP addresses

Posted on 2014-03-09
Last Modified: 2014-03-11
Question by: J.R. Sitman

I got an alert from Spiceworks that two of my servers are communicating with suspicious IP addresses: 124.172.243.198, 219.72.250.247, and 98.198.233.113.

The recommendation is to block these on the firewall. We have a Sonicwall TZ190. Should I block these, and if so, how? Need detailed steps please.
13 Comments

LVL 6

Expert Comment

by: slinkygn
ID: 39916076
Looks like you have some malware on one of your machines.  You can block the ports, but that won't fix your problem.  Take the servers offline and run a couple of good on-demand AV scanners -- or, more time-consuming but the only solution guaranteed to fix the problem -- wipe the servers and reinstall.  (You'll need to have *both* offline, lest they re-infect each other when a clean one gets back on.)

What have you been using for antivirus/anti-malware?
LVL 15

Accepted Solution

by: ZabagaR (earned 500 total points)
ID: 39916113
On the Sonicwall, go to Network and make a new address object for each of the three IPs.
When you make a new address object, you give it a NAME, ZONE (you'd pick WAN), TYPE (you'd pick HOST), and an IP.  Do this for all 3 addresses. For name you could pick Malware1, Malware2, Malware3 for example.

Then you stay on the network object page and pick add new group. Give the group a name like "Banned Addresses". When you add the new group, you pick which objects are members. Add the 3 new address objects you made in the previous directions. Now you should have a group named "Banned Addresses" containing the 3 host IPs you listed.

Then you go to Firewall rules. Pick ADD to make a new rule. Set DENY. From Zone ALL to Zone WAN. Service ANY. Source ANY. For DESTINATION pick "Banned Addresses". All else leave default. Click OK.

Author Comment

by: J.R. Sitman
ID: 39916122
We have Computer Associates Total Defense and Malwarebytes (on one server).
@zabagaR and Santosh, I'll review your posts later today.

Author Comment

by: J.R. Sitman
ID: 39916312
I followed the post from zabagar and selected from Zone All, and when I hit OK, I got the attached error. Then when I edit the rule, the from zone is "VPN". Is this ok?
(attachment: sonic.png)
LVL 15

Expert Comment

by: ZabagaR
ID: 39916352
Yeah, I get the error too when I do it but it adds the rules anyway. If you view all firewall rules, you can see it put your "blocked addresses" rule in each zone...LAN, WAN, VPN, WLAN (if you have wireless).  Can you verify? View all rules, don't use the drop down boxes or matrix view, Use the All Rules view. In each zone you can see your rule blocking outbound to "blocked addresses".

Author Comment

by: J.R. Sitman
ID: 39916361
Yes I see it.  Is that ok?
LVL 15

Expert Comment

by: ZabagaR
ID: 39916600
Yep!
LVL 10

Expert Comment

by: Pramod Ubhe
ID: 39917098
The following info might help you, obtained from http://www.howismydns.com/lookup_whois.php

inetnum:        124.172.192.0 - 124.172.255.255
netname:        NGNNET
descr:          World Crossing Telecom(GuangZhou) Ltd.

inetnum:        219.72.250.0 - 219.72.251.255
netname:        ga-think
country:        CN
descr:          Beijing Guoan Tranthink Communication Technology Co.,Ltd


# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.198.233.113"

Author Comment

by: J.R. Sitman
ID: 39917393
I had Computer Associates look at the servers and they could see that attempts were made to log in to the servers unsuccessfully. No malware was found. I used the steps from post 39916113 and the IPs are now blocked.

Thanks to all for helping.

Author Closing Comment

by: J.R. Sitman
ID: 39917394
Thanks
LVL 6

Expert Comment

by: slinkygn
ID: 39921532
Just for future reference -- CA Total Defense is one of the worst-rated protection solutions out there.  And if Spiceworks is telling you the servers are "communicating" with those IP addresses, you have issues with outbound, not inbound, communications -- meaning *something* on those servers is talking to those IP addresses, and it probably has a longer list than you may know about (Chinese servers get flagged in general as good practice, but botnets can hit servers from all over).  It's good that they couldn't log back in, if CA found that, but that's no less of a security breach.

Perhaps for clarity to everyone you can copy/paste the exact error Spiceworks gave you, so it's clearer as to whether it was inbound or outbound access.
 
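Two things in this thread are worth checking from the server side rather than only from the Spiceworks alert: whether the servers still have any connections to the three addresses after the Sonicwall rule from post 39916113 is in place, and slinkygn's point above about whether the traffic is inbound or outbound. The PowerShell script below is an added example, not code from the thread or from any of the posters. It assumes Windows Server 2008 R2 with its stock PowerShell 2.0, so it parses `netstat -ano` output instead of using the Get-NetTCPConnection cmdlet that only exists on newer Windows versions; the three IPs are the ones from the question, and the sample netstat rows are constructed for illustration (the local address, ports and PIDs in them are made up).

```powershell
# Added example, not from the thread. Lists connections between this server
# and the IPs named in the question and labels each as inbound or outbound.
# Uses `netstat -ano` so it runs on the PowerShell 2.0 shipped with
# Windows Server 2008 R2 (Get-NetTCPConnection only exists on 2012+).

$SuspiciousIPs = @('124.172.243.198', '219.72.250.247', '98.198.233.113')

function Get-NetstatLines {
    param([switch]$Sample)
    if ($Sample) {
        # Constructed sample rows in `netstat -ano` format (not real captured data):
        # the local address, ports and PIDs are made up for illustration.
        return @(
            '  TCP    10.0.0.5:49213        124.172.243.198:80      ESTABLISHED     1234',
            '  TCP    10.0.0.5:3389         98.198.233.113:51877    ESTABLISHED     880',
            '  TCP    10.0.0.5:445          219.72.250.247:60210    SYN_RECEIVED    4',
            '  TCP    10.0.0.5:49500        93.184.216.34:443       ESTABLISHED     1234'
        )
    }
    # Live table: keep only the TCP/UDP rows and drop the header lines
    return netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
}

function Get-SuspiciousConnections {
    param([string[]]$Lines, [string[]]$Watch)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        $proto  = $f[0]
        $local  = $f[1]
        $remote = $f[2]
        # UDP rows have no state column, so the PID is always the last field
        $state = ''
        if ($proto -eq 'TCP') { $state = $f[3] }
        $owner = $f[$f.Count - 1]
        # IPv4 rows look like "a.b.c.d:port"; IPv6 rows ("[::1]:port") never match the watch list
        $remoteIP = ($remote -split ':')[0]
        if ($Watch -notcontains $remoteIP) { continue }
        $localPort = [int](($local -split ':')[-1])
        # Direction heuristic: Windows 2008 R2 assigns ephemeral ports 49152-65535 to
        # sockets it opens itself, so a high local port means this server initiated the
        # connection (outbound, the case slinkygn describes); a service port such as
        # 3389 or 445 means the remote address connected to us (the failed logins CA saw).
        $direction = 'INBOUND'
        if ($localPort -ge 49152) { $direction = 'OUTBOUND' }
        # Resolve the owning process; a made-up sample PID simply shows as "unknown"
        $procName = 'unknown'
        $p = Get-Process -Id $owner -ErrorAction SilentlyContinue
        if ($p) { $procName = $p.ProcessName }
        New-Object PSObject -Property @{
            Protocol = $proto; Local = $local; Remote = $remote; State = $state
            PID = $owner; Process = $procName; Direction = $direction
        }
    }
}

# Dry run against the constructed sample; drop -Sample to inspect the live server.
Get-SuspiciousConnections -Lines (Get-NetstatLines -Sample) -Watch $SuspiciousIPs |
    Format-Table Direction, Protocol, Local, Remote, State, PID, Process -AutoSize
```

Run it on each server before and after adding the Sonicwall rule: any OUTBOUND row that survives the rule points at a process on the server that still needs attention, and the Process column tells you which one. Note that the accepted rule matches on the destination address (From Zone ALL to Zone WAN, Destination "Banned Addresses"), so it stops the servers from reaching those addresses; if the script reports INBOUND rows, that traffic arrives from those addresses, and a separate deny rule matching them as the Source on the WAN side is what would stop it.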

Author Comment

by: J.R. Sitman
ID: 39921614
I appreciate your opinion.  I am considering Eset when my contract expires.  I no longer have the details.  I cleared the Alerts.