Solved

Windows 2008 R2 servers are communicating with suspicious IP addresses

Posted on 2014-03-09
13
448 Views
Last Modified: 2014-03-11
I got an alert from Spiceworks that two of my servers are communicating with suspicious IP addresses: 124.172.243.198, 219.72.250.247, and 98.198.233.113.

The recommendation is to block these on the firewall.  We have a SonicWall TZ190.  Should I block these, and if so, how?  I need detailed steps, please.
Question by:jrsitman
13 Comments
 
LVL 6

Expert Comment

by:slinkygn
Looks like you have some malware on one of your machines.  You can block the ports, but that won't fix your problem.  Take the servers offline and run a couple of good on-demand AV scanners -- or, more time-consuming but the only solution guaranteed to fix the problem -- wipe the servers and reinstall.  (You'll need to have *both* offline, lest they re-infect each other when a clean one gets back on.)

What have you been using for antivirus/anti-malware?
LVL 15

Accepted Solution

by:
ZabagaR earned 500 total points
On the Sonicwall, go to Network and make a new address object for each of the three IPs.
When you make a new address object, you give it a NAME, ZONE (you'd pick WAN), TYPE (you'd pick HOST), and an IP.  Do this for all 3 addresses. For name you could pick Malware1, Malware2, Malware3 for example.

Then you stay on the network object page and pick add new group. Give the group a name like "Banned Addresses". When you add the new group, you pick which objects are members. Add the 3 new address objects you made in the previous directions. Now you should have a group named "Banned Addresses" containing the 3 host IPs you listed.

Then you go to Firewall rules. Pick ADD to make a new rule. Set DENY. From Zone ALL to Zone WAN. Service ANY. Source ANY. For DESTINATION pick "Banned Addresses". All else leave default. Click OK.

Author Comment

by:jrsitman
We have Computer Associates Total Defense and Malwarebytes (on one server).
@ZabagaR and Santosh, I'll review your posts later today.

Author Comment

by:jrsitman
I followed the post from ZabagaR and selected From Zone ALL, and when I hit OK, I got the attached error.  Then when I edit the rule, the From Zone is "VPN".  Is this OK?
sonic.png
LVL 15

Expert Comment

by:ZabagaR
Yeah, I get the error too when I do it but it adds the rules anyway. If you view all firewall rules, you can see it put your "blocked addresses" rule in each zone...LAN, WAN, VPN, WLAN (if you have wireless).  Can you verify? View all rules, don't use the drop down boxes or matrix view, Use the All Rules view. In each zone you can see your rule blocking outbound to "blocked addresses".

Author Comment

by:jrsitman
Yes, I see it.  Is that OK?
LVL 15

Expert Comment

by:ZabagaR
Yep!
LVL 10

Expert Comment

by:Pramod Ubhe
The following info might help you; it was obtained from http://www.howismydns.com/lookup_whois.php

inetnum:        124.172.192.0 - 124.172.255.255
netname:        NGNNET
descr:          World Crossing Telecom(GuangZhou) Ltd.

inetnum:        219.72.250.0 - 219.72.251.255
netname:        ga-think
country:        CN
descr:          Beijing Guoan Tranthink Communication Technology Co.,Ltd


# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.198.233.113"

Author Comment

by:jrsitman
I had Computer Associates look at the servers and they could see that attempts were made to log in to the servers unsuccessfully.  No malware was found.  I used the steps from post 39916113 and the IPs are now blocked.

Thanks to all for helping.

Author Closing Comment

by:jrsitman
Thanks
LVL 6

Expert Comment

by:slinkygn
Just for future reference -- CA Total Defense is one of the worst-rated protection solutions out there.  And if Spiceworks is telling you the servers are "communicating" with those IP addresses, you have issues with outbound, not inbound, communications -- meaning *something* on those servers is talking to those IP addresses, and it probably has a longer list than you may know about (Chinese servers get flagged in general as good practice, but botnets can hit servers from all over).  It's good that they couldn't log back in, if CA found that, but that's no less of a security breach.

Perhaps for clarity to everyone you can copy/paste the exact error Spiceworks gave you, so it's clearer as to whether it was inbound or outbound access.
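
The inbound-versus-outbound question raised in the comment above can be settled on the server itself from `netstat -ano` output: a connection whose local port is one the host is LISTENING on was accepted by a local service (inbound), while one whose local port is an ephemeral port was opened by a local process (outbound, the case where the PID deserves a look). The script below is an added example written for this thread, not code from any of the participants or from Spiceworks; the blocklist is the three addresses from the question, the netstat text is a constructed sample, and the process IDs and 192.168.1.10 address in it are invented.

```python
"""Added example: parse `netstat -ano` output from a Windows host, flag rows whose
remote address is on a blocklist, and label each as inbound or outbound."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# The three addresses reported by Spiceworks in the question.
BLOCKLIST = {"124.172.243.198", "219.72.250.247", "98.198.233.113"}

# Constructed sample of `netstat -ano` output; not captured from a real server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    192.168.1.10:3389      98.198.233.113:51234   ESTABLISHED     1104
  TCP    192.168.1.10:49710     124.172.243.198:80     ESTABLISHED     2456
  TCP    192.168.1.10:49712     219.72.250.247:443     SYN_SENT        2456
  TCP    192.168.1.10:49720     10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    892
"""


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: str
    remote_ip: str
    remote_port: str
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Turn the table rows of `netstat -ano` into Conn records.
    UDP rows have no State column, so their PID is the fourth field."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections" banner, or column header
        local_ip, local_port = parts[1].rsplit(":", 1)    # rsplit keeps IPv6 "[::]" intact
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        conns.append(Conn(parts[0], local_ip, local_port, remote_ip, remote_port, state, pid))
    return conns


def listening_ports(conns: List[Conn]) -> Set[str]:
    """Local TCP ports with a LISTENING row: a connection on one of these
    was accepted by a local service, so it is inbound."""
    return {c.local_port for c in conns if c.state == "LISTENING"}


def direction(conn: Conn, listeners: Set[str]) -> str:
    """Inbound if the local side is a listening service port, else outbound
    (the local process behind the PID initiated the connection)."""
    return "inbound" if conn.local_port in listeners else "outbound"


def flag_blocklisted(text: str, blocklist: Set[str] = BLOCKLIST) -> List[Tuple[str, str, str, int]]:
    """(remote_ip, direction, state, pid) for every row whose remote address is
    on the blocklist. Outbound rows are the ones that point at a local process
    worth investigating; inbound rows are remote hosts hitting a local service."""
    conns = parse_netstat(text)
    listeners = listening_ports(conns)
    return [(c.remote_ip, direction(c, listeners), c.state, c.pid)
            for c in conns if c.remote_ip in blocklist]


if __name__ == "__main__":
    for ip, dirn, state, pid in flag_blocklisted(SAMPLE_NETSTAT):
        print(f"{ip:16} {dirn:9} {state:12} PID {pid}")
```

Run `netstat -ano > conns.txt` on each server and feed the file to `flag_blocklisted`; an outbound row gives the PID to look up in Task Manager or `tasklist /svc`. Note that the SonicWall rule in the accepted answer matches on destination, so it stops the servers from reaching those addresses but does not by itself match connection attempts that arrive from them; an inbound row here is a reason to also look at the firewall's inbound rules and the server's failed-logon events.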

Author Comment

by:jrsitman
Comment Utility
I appreciate your opinion.  I am considering Eset when my contract expires.  I no longer have the details.  I cleared the Alerts.