Server 2008 R2 spawning 100's of DNS.exe and java.exe wireshark

Good mmorning,

A client of mine has a server, win 2008 r2, 64x, 16gb ram, etc. Starting a couple days ago the client called and said the server is terribly slow.
What I have done:
1. ran Vipre business scan
2. ran malware bytes (free)
3. ran Spyhunter4 (paid version)
4. ran malware bytes root kit finder (beta)
5. cmd prompt ran "netstat -anob"
   - netstat -anob reported back hundreds if not thousands of the DNS.exe running
   - shut down dns services as the server is not providing DNS services
   - restarted server, still slow but no signs of all the dns.exe's running
6. ran wireshark overnite and am now downloading to my PC (about an hour left to finish download
7. this morning logged into server to find hundreds if not thousands of Java.exe running
8. have removed all snmp services and am waiting to restart server after the wireshark file download is done.

Simply put I can't find any malware, viruses, or root kits, yet this terribly slow behavior continues.

I have downloaded sysinternals and am looking at the process explorer and still no signs of what is causing this.

Also, CPU usage is low, DIsk usage is low, network usage maybe a bit high, but nothing is out of the ordinary.

I do not have a lot of experience using wireshark and could use some help with that.

If anyone has experienced this or knows a fix, please help !! I have never had a server do this to me in over 20 years and I am at a loss. Maybe the "NSA" is hacking in, LOL.

Thanks in advance
Matt
LVL 1
newmanmeNetwork Administrator\EngineerAsked:
Who is Participating?
 
newmanmeNetwork Administrator\EngineerAuthor Commented:
Was never able to resolve. Had to rebuild server.
0
 
Zephyr ICTCloud ArchitectCommented:
When you ran netstat, did you see if the processes were waiting or were connected? And if they were connected, any IP-address?

I can assist with the Wireshark log, but it might be rather big? Maybe post some screenshots or parts from it rather than upload the whole thing?
0
 
newmanmeNetwork Administrator\EngineerAuthor Commented:
[dns.exe]
  UDP    0.0.0.0:51971          *:*                                    2292

there were hundreds of these listed yesterday and then Java today (again hundreds to thousands of these entries)

[javaw.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2312
[java.exe]
  TCP    0.0.0.0:49260          0.0.0.0:0              LISTENING       3144
 [java.exe]
  TCP    0.0.0.0:51709          0.0.0.0:0              LISTENING       2292
Netstat--anob-04212014.txt
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
newmanmeNetwork Administrator\EngineerAuthor Commented:
Can I ftp the wireshark file to you?  It is 153MB.

Matt
0
 
Zephyr ICTCloud ArchitectCommented:
You can use something like this https://www.wetransfer.com/  to transfer the wireshark file ...

[edit] removed the sysinternals comment, saw you already doing this...


If nothing is connecting it might be something else ... Strange though... Haven't seen it before...

Are you sure DNS is not being used/running on this server?
0
 
Zephyr ICTCloud ArchitectCommented:
Why is there java running on the server anyway?
0
 
newmanmeNetwork Administrator\EngineerAuthor Commented:
java was running because the management software for the raid installed it. I removed Java and disable the java.exe file in the management software directory.

Matt
0
 
Zephyr ICTCloud ArchitectCommented:
Ah yes ... That would do it, stupid management software needing java...

So any lingering processes (dns, java) ??

I don't think it was something nasty, since you've tested about everything it would be something very new or zero day maybe ... Or a very stubborn rootkit maybe
0
 
newmanmeNetwork Administrator\EngineerAuthor Commented:
all we could come up with
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.