?
Solved

Server 2008 R2 spawning 100's of DNS.exe and java.exe wireshark

Posted on 2014-04-23
9
Medium Priority
?
508 Views
Last Modified: 2014-05-25
Good mmorning,

A client of mine has a server, win 2008 r2, 64x, 16gb ram, etc. Starting a couple days ago the client called and said the server is terribly slow.
What I have done:
1. ran Vipre business scan
2. ran malware bytes (free)
3. ran Spyhunter4 (paid version)
4. ran malware bytes root kit finder (beta)
5. cmd prompt ran "netstat -anob"
   - netstat -anob reported back hundreds if not thousands of the DNS.exe running
   - shut down dns services as the server is not providing DNS services
   - restarted server, still slow but no signs of all the dns.exe's running
6. ran wireshark overnite and am now downloading to my PC (about an hour left to finish download
7. this morning logged into server to find hundreds if not thousands of Java.exe running
8. have removed all snmp services and am waiting to restart server after the wireshark file download is done.

Simply put I can't find any malware, viruses, or root kits, yet this terribly slow behavior continues.

I have downloaded sysinternals and am looking at the process explorer and still no signs of what is causing this.

Also, CPU usage is low, DIsk usage is low, network usage maybe a bit high, but nothing is out of the ordinary.

I do not have a lot of experience using wireshark and could use some help with that.

If anyone has experienced this or knows a fix, please help !! I have never had a server do this to me in over 20 years and I am at a loss. Maybe the "NSA" is hacking in, LOL.

Thanks in advance
Matt
0
Comment
Question by:newmanme
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017734
When you ran netstat, did you see if the processes were waiting or were connected? And if they were connected, any IP-address?

I can assist with the Wireshark log, but it might be rather big? Maybe post some screenshots or parts from it rather than upload the whole thing?
0
 
LVL 1

Author Comment

by:newmanme
ID: 40017836
[dns.exe]
  UDP    0.0.0.0:51971          *:*                                    2292

there were hundreds of these listed yesterday and then Java today (again hundreds to thousands of these entries)

[javaw.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2312
[java.exe]
  TCP    0.0.0.0:49260          0.0.0.0:0              LISTENING       3144
 [java.exe]
  TCP    0.0.0.0:51709          0.0.0.0:0              LISTENING       2292
Netstat--anob-04212014.txt
0
 
LVL 1

Author Comment

by:newmanme
ID: 40017839
Can I ftp the wireshark file to you?  It is 153MB.

Matt
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017872
You can use something like this https://www.wetransfer.com/  to transfer the wireshark file ...

[edit] removed the sysinternals comment, saw you already doing this...


If nothing is connecting it might be something else ... Strange though... Haven't seen it before...

Are you sure DNS is not being used/running on this server?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017906
Why is there java running on the server anyway?
0
 
LVL 1

Author Comment

by:newmanme
ID: 40018280
java was running because the management software for the raid installed it. I removed Java and disable the java.exe file in the management software directory.

Matt
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40018289
Ah yes ... That would do it, stupid management software needing java...

So any lingering processes (dns, java) ??

I don't think it was something nasty, since you've tested about everything it would be something very new or zero day maybe ... Or a very stubborn rootkit maybe
0
 
LVL 1

Accepted Solution

by:
newmanme earned 0 total points
ID: 40078848
Was never able to resolve. Had to rebuild server.
0
 
LVL 1

Author Closing Comment

by:newmanme
ID: 40089267
all we could come up with
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial covers a step-by-step guide to install VisualVM launcher in eclipse.
Suggested Courses
Course of the Month14 days, 21 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question