Windows 2008 R2 servers are communicating with suspicious IP addresses

Posted on 2014-03-09
Last Modified: 2014-03-11
I got an alert from Spiceworks that two of my servers are communicating with suspicious IP addresses: 124.172.243.198, 219.72.250.247, and 98.198.233.113.

The recommendation is to block these on the firewall. We have a Sonicwall TZ190. Should I block these, and if so, how? Need detailed steps please.
Question by:J.R. Sitman
13 Comments
 
LVL 6

Expert Comment

by:slinkygn
ID: 39916076
Looks like you have some malware on one of your machines.  You can block the ports, but that won't fix your problem.  Take the servers offline and run a couple of good on-demand AV scanners -- or, more time-consuming but the only solution guaranteed to fix the problem -- wipe the servers and reinstall.  (You'll need to have *both* offline, lest they re-infect each other when a clean one gets back on.)

What have you been using for antivirus/anti-malware?
0
 
LVL 15

Accepted Solution

by:
ZabagaR earned 2000 total points
ID: 39916113
On the Sonicwall, go to Network and make a new address object for each of the three IPs.
When you make a new address object, you give it a NAME, ZONE (you'd pick WAN), TYPE (you'd pick HOST), and an IP.  Do this for all 3 addresses. For name you could pick Malware1, Malware2, Malware3 for example.

Then you stay on the network object page and pick add new group. Give the group a name like "Banned Addresses". When you add the new group, you pick which objects are members. Add the 3 new address objects you made in the previous directions. Now you should have a group named "Banned Addresses" containing the 3 host IPs you listed.

Then you go to Firewall rules. Pick ADD to make a new rule. Set DENY. From Zone ALL to Zone WAN. Service ANY. Source ANY. For DESTINATION pick "Banned Addresses". All else leave default. Click OK.
0
 

Author Comment

by:J.R. Sitman
ID: 39916122
We have Computer Associates Total Defense and Malwarebytes (on one server).
@zabagaR and Santosh, I'll review your posts later today.
0
 

Author Comment

by:J.R. Sitman
ID: 39916312
I followed the post from zabagar and selected from Zone All, and when I hit OK, I got the attached error. Then when I edit the rule, the from zone is "VPN". Is this ok?
sonic.png
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39916352
Yeah, I get the error too when I do it but it adds the rules anyway. If you view all firewall rules, you can see it put your "blocked addresses" rule in each zone...LAN, WAN, VPN, WLAN (if you have wireless).  Can you verify? View all rules, don't use the drop down boxes or matrix view, Use the All Rules view. In each zone you can see your rule blocking outbound to "blocked addresses".
0
 

Author Comment

by:J.R. Sitman
ID: 39916361
Yes I see it.  Is that ok?
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39916600
Yep!
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39917098
The following info might help you, obtained from http://www.howismydns.com/lookup_whois.php

inetnum:        124.172.192.0 - 124.172.255.255
netname:        NGNNET
descr:          World Crossing Telecom(GuangZhou) Ltd.

inetnum:        219.72.250.0 - 219.72.251.255
netname:        ga-think
country:        CN
descr:          Beijing Guoan Tranthink Communication Technology Co.,Ltd


# Query terms are ambiguous.  The query is assumed to be:
#     "n 98.198.233.113"
0
 

Author Comment

by:J.R. Sitman
ID: 39917393
I had Computer Associates look at the servers and they could see that attempts were made to log in to the servers unsuccessfully. No malware was found. I used the steps from post 39916113 and the IPs are now blocked.

Thanks to all for helping.
0
 

Author Closing Comment

by:J.R. Sitman
ID: 39917394
Thanks
0
 
LVL 6

Expert Comment

by:slinkygn
ID: 39921532
Just for future reference -- CA Total Defense is one of the worst-rated protection solutions out there.  And if Spiceworks is telling you the servers are "communicating" with those IP addresses, you have issues with outbound, not inbound, communications -- meaning *something* on those servers is talking to those IP addresses, and it probably has a longer list than you may know about (Chinese servers get flagged in general as good practice, but botnets can hit servers from all over).  It's good that they couldn't log back in, if CA found that, but that's no less of a security breach.

Perhaps for clarity to everyone you can copy/paste the exact error Spiceworks gave you, so it's clearer as to whether it was inbound or outbound access.
0
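As an added example (not from the original thread), one way to turn the inbound-vs-outbound question above into a check on the servers themselves: parse Windows `netstat -ano` output for connections involving the flagged addresses and note which side holds the dynamic (ephemeral) port, which tells you who opened the connection and which PID on the server owns it. The netstat lines below are constructed sample data, not output from the poster's servers.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of Windows "netstat -ano" (TCP rows only).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:3389      98.198.233.113:51342   ESTABLISHED     1040
  TCP    192.168.1.10:49211     124.172.243.198:443    ESTABLISHED     2876
  TCP    192.168.1.10:49212     219.72.250.247:8080    SYN_SENT        2876
  TCP    192.168.1.10:445       192.168.1.55:50122     ESTABLISHED     4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1568
"""

# The three addresses named in the question.
SUSPICIOUS_IPS = {"124.172.243.198", "219.72.250.247", "98.198.233.113"}

# Windows Vista/2008 and later allocate client ports from 49152 upward.
EPHEMERAL_START = 49152

# TCP rows: proto, local ip:port, remote ip:port, state, pid
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Hit:
    local: str
    remote: str
    state: str
    pid: int
    direction: str


def classify(local_port: int, remote_port: int) -> str:
    """Heuristic: the side using an ephemeral port is the side that connected."""
    if local_port >= EPHEMERAL_START and remote_port < EPHEMERAL_START:
        return "outbound"   # server process reached out to the remote host
    if remote_port >= EPHEMERAL_START and local_port < EPHEMERAL_START:
        return "inbound"    # remote host connected to a service on the server
    return "unknown"


def find_suspicious(netstat_text: str, suspicious: set) -> list:
    """Return a Hit for every TCP row whose foreign address is in `suspicious`."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank, or non-TCP row
        _, laddr, lport, raddr, rport, state, pid = m.groups()
        if raddr in suspicious:
            hits.append(Hit(f"{laddr}:{lport}", f"{raddr}:{rport}", state,
                            int(pid), classify(int(lport), int(rport))))
    return hits
```

An outbound hit points at the owning PID as the thing to examine on the server; an inbound hit against a listening service port (3389, for example) is the kind of unsuccessful login attempt the later comments describe.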
 

Author Comment

by:J.R. Sitman
ID: 39921614
I appreciate your opinion.  I am considering Eset when my contract expires.  I no longer have the details.  I cleared the Alerts.
0