Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 546
  • Last Modified:

Server 2008 R2 spawning 100's of DNS.exe and java.exe wireshark

Good mmorning,

A client of mine has a server, win 2008 r2, 64x, 16gb ram, etc. Starting a couple days ago the client called and said the server is terribly slow.
What I have done:
1. ran Vipre business scan
2. ran malware bytes (free)
3. ran Spyhunter4 (paid version)
4. ran malware bytes root kit finder (beta)
5. cmd prompt ran "netstat -anob"
   - netstat -anob reported back hundreds if not thousands of the DNS.exe running
   - shut down dns services as the server is not providing DNS services
   - restarted server, still slow but no signs of all the dns.exe's running
6. ran wireshark overnite and am now downloading to my PC (about an hour left to finish download
7. this morning logged into server to find hundreds if not thousands of Java.exe running
8. have removed all snmp services and am waiting to restart server after the wireshark file download is done.

Simply put I can't find any malware, viruses, or root kits, yet this terribly slow behavior continues.

I have downloaded sysinternals and am looking at the process explorer and still no signs of what is causing this.

Also, CPU usage is low, DIsk usage is low, network usage maybe a bit high, but nothing is out of the ordinary.

I do not have a lot of experience using wireshark and could use some help with that.

If anyone has experienced this or knows a fix, please help !! I have never had a server do this to me in over 20 years and I am at a loss. Maybe the "NSA" is hacking in, LOL.

Thanks in advance
Matt
0
newmanme
Asked:
newmanme
  • 5
  • 4
1 Solution
 
Zephyr ICTCloud ArchitectCommented:
When you ran netstat, did you see if the processes were waiting or were connected? And if they were connected, any IP-address?

I can assist with the Wireshark log, but it might be rather big? Maybe post some screenshots or parts from it rather than upload the whole thing?
0
 
newmanmeAuthor Commented:
[dns.exe]
  UDP    0.0.0.0:51971          *:*                                    2292

there were hundreds of these listed yesterday and then Java today (again hundreds to thousands of these entries)

[javaw.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2312
[java.exe]
  TCP    0.0.0.0:49260          0.0.0.0:0              LISTENING       3144
 [java.exe]
  TCP    0.0.0.0:51709          0.0.0.0:0              LISTENING       2292
Netstat--anob-04212014.txt
0
 
newmanmeAuthor Commented:
Can I ftp the wireshark file to you?  It is 153MB.

Matt
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Zephyr ICTCloud ArchitectCommented:
You can use something like this https://www.wetransfer.com/  to transfer the wireshark file ...

[edit] removed the sysinternals comment, saw you already doing this...


If nothing is connecting it might be something else ... Strange though... Haven't seen it before...

Are you sure DNS is not being used/running on this server?
0
 
Zephyr ICTCloud ArchitectCommented:
Why is there java running on the server anyway?
0
 
newmanmeAuthor Commented:
java was running because the management software for the raid installed it. I removed Java and disable the java.exe file in the management software directory.

Matt
0
 
Zephyr ICTCloud ArchitectCommented:
Ah yes ... That would do it, stupid management software needing java...

So any lingering processes (dns, java) ??

I don't think it was something nasty, since you've tested about everything it would be something very new or zero day maybe ... Or a very stubborn rootkit maybe
0
 
newmanmeAuthor Commented:
Was never able to resolve. Had to rebuild server.
0
 
newmanmeAuthor Commented:
all we could come up with
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now