Solved

Windows 2008 R2 servers are communicating with suspicious IP addresses

Posted on 2014-03-09
Last Modified: 2014-03-11
I got an alert from Spiceworks that two of my servers are communicating with suspicious IP addresses: 124.172.243.198, 219.72.250.247, and 98.198.233.113.

The recommendation is to block these on the firewall.  We have a SonicWall TZ190.  Should I block these and, if so, how?  I need detailed steps, please.
Question by:J.R. Sitman
13 Comments
 
LVL 6

Expert Comment

by:slinkygn
ID: 39916076
Looks like you have some malware on one of your machines.  You can block the ports, but that won't fix your problem.  Take the servers offline and run a couple of good on-demand AV scanners -- or, more time-consuming but the only solution guaranteed to fix the problem -- wipe the servers and reinstall.  (You'll need to have *both* offline, lest they re-infect each other when a clean one gets back on.)

What have you been using for antivirus/anti-malware?
 
LVL 15

Accepted Solution

by: ZabagaR (earned 500 total points)
ID: 39916113
On the Sonicwall, go to Network and make a new address object for each of the three IPs.
When you make a new address object, you give it a NAME, ZONE (you'd pick WAN), TYPE (you'd pick HOST), and an IP.  Do this for all 3 addresses. For name you could pick Malware1, Malware2, Malware3 for example.

Then you stay on the network object page and pick add new group. Give the group a name like "Banned Addresses". When you add the new group, you pick which objects are members. Add the 3 new address objects you made in the previous directions. Now you should have a group named "Banned Addresses" containing the 3 host IPs you listed.

Then you go to Firewall rules. Pick ADD to make a new rule. Set DENY. From Zone ALL to Zone WAN. Service ANY. Source ANY. For DESTINATION pick "Banned Addresses". All else leave default. Click OK.
 

Author Comment

by:J.R. Sitman
ID: 39916122
We have Computer Associates Total Defense and Malwarebytes (on one server).
@zabagaR and Santosh, I'll review your posts later today.
 

Author Comment

by:J.R. Sitman
ID: 39916312
I followed the post from ZabagaR and selected From Zone: All, and when I hit OK, I got the attached error.  Then, when I edit the rule, the From Zone is "VPN".  Is this OK?
sonic.png
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39916352
Yeah, I get the error too when I do it, but it adds the rules anyway.  If you view all firewall rules, you can see it put your "blocked addresses" rule in each zone: LAN, WAN, VPN, WLAN (if you have wireless).  Can you verify?  View all rules; don't use the drop-down boxes or matrix view, use the All Rules view.  In each zone you can see your rule blocking outbound to "blocked addresses".
 

Author Comment

by:J.R. Sitman
ID: 39916361
Yes, I see it.  Is that OK?
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39916600
Yep!
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39917098
The following info might help you; it was obtained from http://www.howismydns.com/lookup_whois.php

inetnum:        124.172.192.0 - 124.172.255.255
netname:        NGNNET
descr:          World Crossing Telecom(GuangZhou) Ltd.

inetnum:        219.72.250.0 - 219.72.251.255
netname:        ga-think
country:        CN
descr:          Beijing Guoan Tranthink Communication Technology Co.,Ltd


# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.198.233.113"
 

Author Comment

by:J.R. Sitman
ID: 39917393
I had Computer Associates look at the servers, and they could see that attempts were made to log in to the servers unsuccessfully.  No malware was found.  I used the steps from post 39916113, and the IPs are now blocked.

Thanks to all for helping.
 

Author Closing Comment

by:J.R. Sitman
ID: 39917394
Thanks
 
LVL 6

Expert Comment

by:slinkygn
ID: 39921532
Just for future reference -- CA Total Defense is one of the worst-rated protection solutions out there.  And if Spiceworks is telling you the servers are "communicating" with those IP addresses, you have issues with outbound, not inbound, communications -- meaning *something* on those servers is talking to those IP addresses, and it probably has a longer list than you may know about (Chinese servers get flagged in general as good practice, but botnets can hit servers from all over).  It's good that they couldn't log back in, if CA found that, but that's no less of a security breach.

Perhaps for clarity to everyone you can copy/paste the exact error Spiceworks gave you, so it's clearer as to whether it was inbound or outbound access.
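The point raised above (is it the server reaching out, or something reaching in?) is answerable from the server itself, and the perimeter rule in the accepted answer can be mirrored on the host. The following Python script is an added example, not code from the thread, from SonicWall or from Spiceworks: it parses `netstat -ano` output as Windows Server 2008 R2 prints it, lists the connections to the three alert addresses together with the owning PID, classifies each as inbound or outbound with a port-based heuristic, and generates matching `netsh advfirewall` block rules. The `netstat` sample, the PIDs and the local address 10.0.0.5 are constructed for the example; the ephemeral-port threshold of 49152 is an assumption that holds for Vista/2008 and later, not a universal rule.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample of `netstat -ano` output in the Windows Server 2008 R2
# format (not captured from the poster's servers; PIDs are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    10.0.0.5:49821         124.172.243.198:443    ESTABLISHED     3344
  TCP    10.0.0.5:3389          98.198.233.113:51002   ESTABLISHED     1020
  TCP    10.0.0.5:49900         219.72.250.247:8080    SYN_SENT        3344
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    980
"""

# The three addresses from the Spiceworks alert in the question.
SUSPECT_IPS = ["124.172.243.198", "219.72.250.247", "98.198.233.113"]


def parse_netstat(text):
    """Turn `netstat -ano` text into Conn tuples; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) >= 5:
            proto, local, remote, state, pid = parts[:5]
        elif parts[0] == "UDP" and len(parts) >= 4:
            proto, local, remote, pid = parts[:4]
            state = ""  # UDP rows have no State column
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def split_addr(addr):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::]:445' -> ('::', 445); '*:*' -> (None, None)."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    try:
        return str(ipaddress.ip_address(host)), int(port)
    except ValueError:
        return None, None


def direction(conn):
    """Heuristic (assumption): the side on an ephemeral port (49152+ on
    Vista/2008 and later) initiated the connection, so 'inbound' means the
    remote host connected to a service on this server."""
    _, lport = split_addr(conn.local)
    _, rport = split_addr(conn.remote)
    if lport is None or rport is None:
        return "unknown"
    if lport >= 49152 and rport < 49152:
        return "outbound"
    if rport >= 49152 and lport < 49152:
        return "inbound"
    return "unknown"


def find_suspect_connections(text, suspects):
    """Return (Conn, direction) pairs whose remote address is in `suspects`."""
    wanted = {str(ipaddress.ip_address(s)) for s in suspects}
    hits = []
    for c in parse_netstat(text):
        rhost, _ = split_addr(c.remote)
        if rhost in wanted:
            hits.append((c, direction(c)))
    return hits


def pids_to_investigate(hits):
    """Map each owning PID to the suspect IPs it talks to; feed each PID to
    `tasklist /svc /fi "PID eq <pid>"` to learn which process or service it is."""
    by_pid = {}
    for c, _ in hits:
        rhost, _ = split_addr(c.remote)
        by_pid.setdefault(c.pid, set()).add(rhost)
    return by_pid


def netsh_block_rules(suspects, name_prefix="Banned"):
    """Host-firewall companion to the SonicWall rule: one inbound and one
    outbound block rule per address. Each IP is validated with ipaddress
    before it is placed in a command line, so a bad entry raises instead of
    producing a malformed rule."""
    cmds = []
    for i, ip in enumerate(suspects, 1):
        ip = str(ipaddress.ip_address(ip))
        for d in ("in", "out"):
            cmds.append(
                f'netsh advfirewall firewall add rule name="{name_prefix}{i}-{d}" '
                f"dir={d} action=block remoteip={ip}"
            )
    return cmds


if __name__ == "__main__":
    hits = find_suspect_connections(SAMPLE_NETSTAT, SUSPECT_IPS)
    for c, d in hits:
        print(f"PID {c.pid:>5}  {c.proto} {c.local} -> {c.remote} {c.state} [{d}]")
    print("PIDs to check:", pids_to_investigate(hits))
    print("\n".join(netsh_block_rules(SUSPECT_IPS)))
```

On a real server, replace `SAMPLE_NETSTAT` with the output of `netstat -ano` run from an elevated prompt and run the printed `netsh` commands there as well; on 2008 R2 `netsh advfirewall` is the scriptable interface, since the NetSecurity PowerShell cmdlets only arrived with Server 2012. The host rule does not replace the SonicWall rule: the perimeter block protects every machine behind it, while the host rule keeps working if the server is moved or the SonicWall rule is later removed.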
 

Author Comment

by:J.R. Sitman
ID: 39921614
I appreciate your opinion.  I am considering Eset when my contract expires.  I no longer have the details.  I cleared the Alerts.