Solved

Server 2008 R2 spawning 100's of DNS.exe and java.exe wireshark

Posted on 2014-04-23
9
494 Views
Last Modified: 2014-05-25
Good mmorning,

A client of mine has a server, win 2008 r2, 64x, 16gb ram, etc. Starting a couple days ago the client called and said the server is terribly slow.
What I have done:
1. ran Vipre business scan
2. ran malware bytes (free)
3. ran Spyhunter4 (paid version)
4. ran malware bytes root kit finder (beta)
5. cmd prompt ran "netstat -anob"
   - netstat -anob reported back hundreds if not thousands of the DNS.exe running
   - shut down dns services as the server is not providing DNS services
   - restarted server, still slow but no signs of all the dns.exe's running
6. ran wireshark overnite and am now downloading to my PC (about an hour left to finish download
7. this morning logged into server to find hundreds if not thousands of Java.exe running
8. have removed all snmp services and am waiting to restart server after the wireshark file download is done.

Simply put I can't find any malware, viruses, or root kits, yet this terribly slow behavior continues.

I have downloaded sysinternals and am looking at the process explorer and still no signs of what is causing this.

Also, CPU usage is low, DIsk usage is low, network usage maybe a bit high, but nothing is out of the ordinary.

I do not have a lot of experience using wireshark and could use some help with that.

If anyone has experienced this or knows a fix, please help !! I have never had a server do this to me in over 20 years and I am at a loss. Maybe the "NSA" is hacking in, LOL.

Thanks in advance
Matt
0
Comment
Question by:newmanme
  • 5
  • 4
9 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017734
When you ran netstat, did you see if the processes were waiting or were connected? And if they were connected, any IP-address?

I can assist with the Wireshark log, but it might be rather big? Maybe post some screenshots or parts from it rather than upload the whole thing?
0
 
LVL 1

Author Comment

by:newmanme
ID: 40017836
[dns.exe]
  UDP    0.0.0.0:51971          *:*                                    2292

there were hundreds of these listed yesterday and then Java today (again hundreds to thousands of these entries)

[javaw.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2312
[java.exe]
  TCP    0.0.0.0:49260          0.0.0.0:0              LISTENING       3144
 [java.exe]
  TCP    0.0.0.0:51709          0.0.0.0:0              LISTENING       2292
Netstat--anob-04212014.txt
0
 
LVL 1

Author Comment

by:newmanme
ID: 40017839
Can I ftp the wireshark file to you?  It is 153MB.

Matt
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017872
You can use something like this https://www.wetransfer.com/  to transfer the wireshark file ...

[edit] removed the sysinternals comment, saw you already doing this...


If nothing is connecting it might be something else ... Strange though... Haven't seen it before...

Are you sure DNS is not being used/running on this server?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40017906
Why is there java running on the server anyway?
0
 
LVL 1

Author Comment

by:newmanme
ID: 40018280
java was running because the management software for the raid installed it. I removed Java and disable the java.exe file in the management software directory.

Matt
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40018289
Ah yes ... That would do it, stupid management software needing java...

So any lingering processes (dns, java) ??

I don't think it was something nasty, since you've tested about everything it would be something very new or zero day maybe ... Or a very stubborn rootkit maybe
0
 
LVL 1

Accepted Solution

by:
newmanme earned 0 total points
ID: 40078848
Was never able to resolve. Had to rebuild server.
0
 
LVL 1

Author Closing Comment

by:newmanme
ID: 40089267
all we could come up with
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Viewers will learn how to properly install Eclipse with the necessary JDK, and will take a look at an introductory Java program. Download Eclipse installation zip file: Extract files from zip file: Download and install JDK 8: Open Eclipse and …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question