Windows 2008 R2 servers are communicating with suspicious IP addresses

I got an alert from Spiceworks that two of my servers are communicating with suspicious IP addresses: 124.172.243.198, 219.72.250.247, and 98.198.233.113.

The recommendation is to block these on the firewall. We have a SonicWall TZ190. Should I block these, and if so, how? I need detailed steps, please.
Asked by: J.R. Sitman

1 Solution
slinkygn (President) commented:
Looks like you have some malware on one of your machines.  You can block the ports, but that won't fix your problem.  Take the servers offline and run a couple of good on-demand AV scanners -- or, more time-consuming but the only solution guaranteed to fix the problem -- wipe the servers and reinstall.  (You'll need to have *both* offline, lest they re-infect each other when a clean one gets back on.)

What have you been using for antivirus/anti-malware?
ZabagaR commented:
On the Sonicwall, go to Network and make a new address object for each of the three IPs.
When you make a new address object, you give it a NAME, ZONE (you'd pick WAN), TYPE (you'd pick HOST), and an IP.  Do this for all 3 addresses. For name you could pick Malware1, Malware2, Malware3 for example.

Then you stay on the network object page and pick add new group. Give the group a name like "Banned Addresses". When you add the new group, you pick which objects are members. Add the 3 new address objects you made in the previous directions. Now you should have a group named "Banned Addresses" containing the 3 host IPs you listed.

Then you go to Firewall rules. Pick ADD to make a new rule. Set DENY. From Zone ALL to Zone WAN. Service ANY. Source ANY. For DESTINATION pick "Banned Addresses". All else leave default. Click OK.
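A practitioner reading the procedure above should notice what the rule covers and what it does not. As posted, the rule is "From Zone ALL to Zone WAN, Destination = Banned Addresses, Deny", so it matches traffic leaving towards those hosts. A connection arriving from one of those hosts to a service you publish on the server (RDP, SMTP, a web port) is WAN-to-LAN traffic whose destination is your server, not the banned address, and that rule never sees it. The model below is an added example written for this page, not SonicOS code and not anything ZabagaR posted; it is a simplified first-match, zone-based policy with constructed addresses (192.168.1.10 for the server) and a hypothetical published-RDP rule standing in for whatever the firewall actually allows inbound. It evaluates the posted rule set against one outbound and one inbound flow, then shows the mirror rule that closes the inbound side.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address objects from the question, grouped as "Banned Addresses".
BANNED_ADDRESSES = [
    ipaddress.ip_address("124.172.243.198"),
    ipaddress.ip_address("219.72.250.247"),
    ipaddress.ip_address("98.198.233.113"),
]
SERVER = ipaddress.ip_address("192.168.1.10")  # constructed LAN address for the server

ANY = None  # an "ANY" field in a rule matches everything


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    from_zone: str               # zone name, or "ALL"
    to_zone: str
    source: Optional[list]       # list of addresses, or ANY
    destination: Optional[list]
    service: Optional[int]       # TCP destination port, or ANY


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    zone_ok = (rule.from_zone in ("ALL", flow.from_zone)
               and rule.to_zone in ("ALL", flow.to_zone))
    src_ok = rule.source is ANY or flow.src in rule.source
    dst_ok = rule.destination is ANY or flow.dst in rule.destination
    svc_ok = rule.service is ANY or rule.service == flow.dport
    return zone_ok and src_ok and dst_ok and svc_ok


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit default deny"


# The rule exactly as the procedure above describes it.
BLOCK_OUTBOUND = Rule("Block Banned Addresses", "deny", "ALL", "WAN",
                      ANY, BANNED_ADDRESSES, ANY)
# Hypothetical stand-ins for the usual LAN-to-WAN allow and a published RDP service.
ALLOW_LAN_OUT = Rule("LAN to WAN default", "allow", "LAN", "WAN", ANY, ANY, ANY)
PUBLISH_RDP = Rule("Published RDP to server", "allow", "WAN", "LAN", ANY, [SERVER], 3389)
# The mirror rule the posted procedure does not create: source-based, inbound.
BLOCK_INBOUND = Rule("Block Banned Addresses (inbound)", "deny", "WAN", "ALL",
                     BANNED_ADDRESSES, ANY, ANY)

POLICY_AS_POSTED = [BLOCK_OUTBOUND, ALLOW_LAN_OUT, PUBLISH_RDP]
POLICY_BOTH_WAYS = [BLOCK_OUTBOUND, BLOCK_INBOUND, ALLOW_LAN_OUT, PUBLISH_RDP]


def evaluate(policy: List[Rule]) -> dict:
    """Server talking out to a banned host, and a banned host connecting in to RDP."""
    outbound = Flow("LAN", "WAN", SERVER, BANNED_ADDRESSES[0], 443)
    inbound = Flow("WAN", "LAN", BANNED_ADDRESSES[1], SERVER, 3389)
    return {"outbound": decide(policy, outbound)[0],
            "inbound": decide(policy, inbound)[0]}


if __name__ == "__main__":
    print("as posted :", evaluate(POLICY_AS_POSTED))
    print("both ways :", evaluate(POLICY_BOTH_WAYS))
```

With the posted rule set the outbound flow is denied but the inbound RDP attempt is allowed by the published-service rule; adding the source-based WAN-to-ALL deny ahead of it closes that gap. On a real firewall, check the rule order in the All Rules view the same way ZabagaR describes, since a deny placed after an allow-any never fires.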
J.R. Sitman (IT Director, Author) commented:
We have Computer Associates Total Defense and Malwarebytes (on one server).
@zabagaR and Santosh, I'll review your posts later today.
J.R. Sitman (IT Director, Author) commented:
I followed the post from ZabagaR and selected From Zone "All", and when I hit OK, I got the attached error. Then when I edit the rule, the From Zone is "VPN". Is this OK?
[attachment: sonic.png]
ZabagaR commented:
Yeah, I get the error too when I do it but it adds the rules anyway. If you view all firewall rules, you can see it put your "blocked addresses" rule in each zone...LAN, WAN, VPN, WLAN (if you have wireless).  Can you verify? View all rules, don't use the drop down boxes or matrix view, Use the All Rules view. In each zone you can see your rule blocking outbound to "blocked addresses".
J.R. Sitman (IT Director, Author) commented:
Yes I see it.  Is that ok?
ZabagaR commented:
Yep!
Pramod Ubhe commented:
The following info might help you; it was obtained from http://www.howismydns.com/lookup_whois.php

inetnum:        124.172.192.0 - 124.172.255.255
netname:        NGNNET
descr:          World Crossing Telecom(GuangZhou) Ltd.

inetnum:        219.72.250.0 - 219.72.251.255
netname:        ga-think
country:        CN
descr:          Beijing Guoan Tranthink Communication Technology Co.,Ltd


# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.198.233.113"
J.R. Sitman (IT Director, Author) commented:
I had Computer Associates look at the servers, and they could see that attempts were made to log in to the servers unsuccessfully. No malware was found. I used the steps from post 39916113 and the IPs are now blocked.

Thanks to all for helping.
J.R. Sitman (IT Director, Author) commented:
Thanks
slinkygn (President) commented:
Just for future reference -- CA Total Defense is one of the worst-rated protection solutions out there.  And if Spiceworks is telling you the servers are "communicating" with those IP addresses, you have issues with outbound, not inbound, communications -- meaning *something* on those servers is talking to those IP addresses, and it probably has a longer list than you may know about (Chinese servers get flagged in general as good practice, but botnets can hit servers from all over).  It's good that they couldn't log back in, if CA found that, but that's no less of a security breach.

Perhaps for clarity to everyone you can copy/paste the exact error Spiceworks gave you, so it's clearer as to whether it was inbound or outbound access.
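slinkygn's point above (is the server initiating these connections, or merely receiving them?) and Pramod Ubhe's WHOIS lookup earlier in the thread can be answered from a single `netstat -ano` snapshot taken on each server, which is available on Windows Server 2008 R2 without extra tooling. The script below is an added example for this page, not code from any participant: it parses constructed netstat output (192.168.1.10 and 203.0.113.5 are made-up addresses), flags rows whose remote side is one of the three reported IPs, decides direction from the local port, and tags each hit with the inetnum range from the WHOIS post that contains it. The direction rule is a heuristic and an assumption of this example: a local port that is also in LISTENING state means the remote side connected to us; a local port in the Windows dynamic range (49152 and up on Vista/2008 and later) means we initiated.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# The three addresses reported by Spiceworks in the question.
SUSPICIOUS = {ipaddress.ip_address(a) for a in
              ("124.172.243.198", "219.72.250.247", "98.198.233.113")}

# inetnum ranges quoted in the WHOIS post; 98.198.233.113 returned no range there.
WHOIS_RANGES = {
    "NGNNET (World Crossing Telecom, GuangZhou)": ("124.172.192.0", "124.172.255.255"),
    "ga-think (Beijing Guoan Tranthink, CN)": ("219.72.250.0", "219.72.251.255"),
}

# Default dynamic client port range on Windows Vista / Server 2008 and later.
EPHEMERAL_START = 49152


def whois_owner(ip: ipaddress.IPv4Address) -> str:
    for owner, (first, last) in WHOIS_RANGES.items():
        if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return owner
    return "unresolved"


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.10:3389' -> ('192.168.1.10', 3389); IPv6 rows look like '[::]:135'."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> Tuple[Set[int], List[tuple]]:
    """Return (listening TCP ports, non-listening TCP rows) from `netstat -ano` output."""
    listening: Set[int] = set()
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # banner, column header, blank lines, UDP rows (no State column)
        _, local, foreign, state, pid = parts
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        if state == "LISTENING":
            listening.add(lport)
        else:
            rows.append((lhost, lport, fhost, fport, state, int(pid)))
    return listening, rows


def classify_direction(local_port: int, listening: Set[int]) -> str:
    if local_port in listening:
        return "inbound"    # remote side connected to a service this host exposes
    if local_port >= EPHEMERAL_START:
        return "outbound"   # this host chose an ephemeral port, so it initiated
    return "unknown"


def find_suspicious(netstat_text: str) -> List[Dict]:
    listening, rows = parse_netstat(netstat_text)
    hits = []
    for lhost, lport, fhost, fport, state, pid in rows:
        try:
            remote = ipaddress.ip_address(fhost)
        except ValueError:
            continue
        if remote not in SUSPICIOUS:
            continue
        hits.append({
            "remote": str(remote), "remote_port": fport, "local_port": lport,
            "state": state, "pid": pid,
            "direction": classify_direction(lport, listening),
            "owner": whois_owner(remote),
        })
    return hits


# Constructed sample in the Windows `netstat -ano` layout (not captured from the servers).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       824
  TCP    192.168.1.10:445       98.198.233.113:2049    SYN_RECEIVED    4
  TCP    192.168.1.10:3389      219.72.250.247:51322   ESTABLISHED     824
  TCP    192.168.1.10:49201     124.172.243.198:443    ESTABLISHED     1488
  TCP    192.168.1.10:49305     203.0.113.5:80         ESTABLISHED     1488
  UDP    0.0.0.0:123            *:*                                    1024
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_NETSTAT):
        print(hit)
```

Run `netstat -ano` on each server, feed the text to `find_suspicious`, and look at the `direction` and `pid` fields: an outbound hit names the process to investigate (`tasklist /svc /fi "PID eq <pid>"`), while inbound hits against 3389 or 445 line up with the failed login attempts CA reported. A netstat snapshot only shows connections open at that moment, so repeat it or enable Windows Firewall logging if the alert does not recur on demand.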
J.R. Sitman (IT Director, Author) commented:
I appreciate your opinion.  I am considering Eset when my contract expires.  I no longer have the details.  I cleared the Alerts.
Question has a verified solution.