Solved

Server 2008 R2 spawning 100's of DNS.exe and java.exe wireshark

Posted on 2014-04-23
9
500 Views
Last Modified: 2014-05-25
Good mmorning,

A client of mine has a server, win 2008 r2, 64x, 16gb ram, etc. Starting a couple days ago the client called and said the server is terribly slow.
What I have done:
1. ran Vipre business scan
2. ran malware bytes (free)
3. ran Spyhunter4 (paid version)
4. ran malware bytes root kit finder (beta)
5. cmd prompt ran "netstat -anob"
   - netstat -anob reported back hundreds if not thousands of the DNS.exe running
   - shut down dns services as the server is not providing DNS services
   - restarted server, still slow but no signs of all the dns.exe's running
6. ran wireshark overnite and am now downloading to my PC (about an hour left to finish download
7. this morning logged into server to find hundreds if not thousands of Java.exe running
8. have removed all snmp services and am waiting to restart server after the wireshark file download is done.

Simply put I can't find any malware, viruses, or root kits, yet this terribly slow behavior continues.

I have downloaded sysinternals and am looking at the process explorer and still no signs of what is causing this.

Also, CPU usage is low, DIsk usage is low, network usage maybe a bit high, but nothing is out of the ordinary.

I do not have a lot of experience using wireshark and could use some help with that.

If anyone has experienced this or knows a fix, please help !! I have never had a server do this to me in over 20 years and I am at a loss. Maybe the "NSA" is hacking in, LOL.

Thanks in advance
Matt
0
Comment
Question by:newmanme
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017734
When you ran netstat, did you see if the processes were waiting or were connected? And if they were connected, any IP-address?

I can assist with the Wireshark log, but it might be rather big? Maybe post some screenshots or parts from it rather than upload the whole thing?
0
 
LVL 1

Author Comment

by:newmanme
ID: 40017836
[dns.exe]
  UDP    0.0.0.0:51971          *:*                                    2292

there were hundreds of these listed yesterday and then Java today (again hundreds to thousands of these entries)

[javaw.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2312
[java.exe]
  TCP    0.0.0.0:49260          0.0.0.0:0              LISTENING       3144
 [java.exe]
  TCP    0.0.0.0:51709          0.0.0.0:0              LISTENING       2292
Netstat--anob-04212014.txt
0
 
LVL 1

Author Comment

by:newmanme
ID: 40017839
Can I ftp the wireshark file to you?  It is 153MB.

Matt
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017872
You can use something like this https://www.wetransfer.com/  to transfer the wireshark file ...

[edit] removed the sysinternals comment, saw you already doing this...


If nothing is connecting it might be something else ... Strange though... Haven't seen it before...

Are you sure DNS is not being used/running on this server?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017906
Why is there java running on the server anyway?
0
 
LVL 1

Author Comment

by:newmanme
ID: 40018280
java was running because the management software for the raid installed it. I removed Java and disable the java.exe file in the management software directory.

Matt
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40018289
Ah yes ... That would do it, stupid management software needing java...

So any lingering processes (dns, java) ??

I don't think it was something nasty, since you've tested about everything it would be something very new or zero day maybe ... Or a very stubborn rootkit maybe
0
 
LVL 1

Accepted Solution

by:
newmanme earned 0 total points
ID: 40078848
Was never able to resolve. Had to rebuild server.
0
 
LVL 1

Author Closing Comment

by:newmanme
ID: 40089267
all we could come up with
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial explains how to use the VisualVM tool for the Java platform application. This video goes into detail on the Threads, Sampler, and Profiler tabs.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question