Server 2008 R2 spawning hundreds of DNS.exe and java.exe, Wireshark

Good morning,

A client of mine has a server, Win 2008 R2, x64, 16 GB RAM, etc. Starting a couple of days ago the client called and said the server is terribly slow.
What I have done:
1. Ran Vipre Business scan
2. Ran Malwarebytes (free)
3. Ran SpyHunter 4 (paid version)
4. Ran Malwarebytes rootkit finder (beta)
5. At a cmd prompt ran "netstat -anob"
   - netstat -anob reported back hundreds if not thousands of the DNS.exe running
   - shut down DNS services as the server is not providing DNS services
   - restarted server, still slow but no signs of all the dns.exe's running
6. Ran Wireshark overnight and am now downloading to my PC (about an hour left to finish the download)
7. This morning logged into the server to find hundreds if not thousands of java.exe running
8. Have removed all SNMP services and am waiting to restart the server after the Wireshark file download is done.

Simply put, I can't find any malware, viruses, or rootkits, yet this terribly slow behavior continues.

I have downloaded Sysinternals and am looking at Process Explorer and still see no signs of what is causing this.

Also, CPU usage is low, disk usage is low, network usage maybe a bit high, but nothing is out of the ordinary.

I do not have a lot of experience using Wireshark and could use some help with that.

If anyone has experienced this or knows a fix, please help!! I have never had a server do this to me in over 20 years and I am at a loss. Maybe the "NSA" is hacking in, LOL.

Thanks in advance
newmanme (Network Administrator\Engineer) asked:
newmanme (Network Administrator\Engineer, author) commented [accepted solution]:
Was never able to resolve. Had to rebuild server.
Zephyr ICT (Cloud Architect) commented:
When you ran netstat, did you see if the processes were waiting or were connected? And if they were connected, any IP-address?

I can assist with the Wireshark log, but it might be rather big? Maybe post some screenshots or parts from it rather than upload the whole thing?
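The two questions above (waiting or connected, and to which addresses) can be answered without reading raw netstat output by hand. The following PowerShell is an added example, not code from the thread; it runs with the commands available on a stock Server 2008 R2 box (PowerShell 2.0, netstat, WMI) and assumes it is run elevated on the affected server. One point worth knowing when reading "netstat -anob": it prints the owning process name beside every socket, so a single process holding hundreds of sockets appears hundreds of times. The script therefore counts sockets per PID and state, lists the remote ends of established connections, and groups every dns.exe / java.exe by parent PID, which is how you find what is spawning them if they really are separate processes. The process names in $names are assumed from the thread.

```powershell
# Added example, not from the original thread.
# Assumes: Server 2008 R2 / PowerShell 2.0 or later, run as Administrator.
$names = @('dns', 'java')   # suspect process names, taken from the thread (assumed)

# PID -> Win32_Process (name, parent PID, command line). WMI works on 2008 R2.
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Parse "netstat -ano". TCP rows have 5 columns (State present); UDP rows have 4.
# Header lines ("Active Connections", "Proto ...") fail both tests and are dropped.
$rows = netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
        New-Object PSObject -Property @{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; OwnerPid = [int]$f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        New-Object PSObject -Property @{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = '-';   OwnerPid = [int]$f[3] }
    }
}

'--- sockets per process and state (top 20) ---'
$rows | Group-Object OwnerPid, State | Sort-Object Count -Descending | Select-Object -First 20 |
    ForEach-Object {
        $parts    = $_.Name -split ','
        $ownerPid = [int]$parts[0].Trim()
        $p        = $procs[$ownerPid]
        $pname    = if ($p) { $p.Name } else { '(exited)' }
        '{0,6}  {1,-14} {2,-12} PID {3}' -f $_.Count, $pname, $parts[1].Trim(), $ownerPid
    }

'--- remote endpoints of ESTABLISHED connections (top 20) ---'
$rows | Where-Object { $_.State -eq 'ESTABLISHED' } |
    Group-Object Remote | Sort-Object Count -Descending | Select-Object -First 20 Count, Name

'--- parents of every dns.exe / java.exe ---'
# Many children under one parent PID points at the spawner (a service, a scheduled
# task, a management agent). An "(exited)" parent means the spawner did not stick around.
$procs.Values | Where-Object { $names -contains ($_.Name -replace '\.exe$', '') } |
    Group-Object ParentProcessId | Sort-Object Count -Descending |
    ForEach-Object {
        $parent = $procs[[int]$_.Name]
        $desc   = if ($parent) { $parent.Name + '  ' + $parent.CommandLine } else { '(exited)' }
        '{0,6} child process(es) of PID {1}: {2}' -f $_.Count, $_.Name, $desc
    }
```

If the first table shows one PID with hundreds of LISTENING or UDP rows, that is one busy service rather than hundreds of processes; if the third table shows hundreds of distinct dns.exe or java.exe PIDs under one parent, that parent (and its command line) is what to look at next.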
newmanme (Network Administrator\Engineer, author) commented:
  UDP          *:*                                    2292

there were hundreds of these listed yesterday and then Java today (again hundreds to thousands of these entries)

  TCP               LISTENING       2312
  TCP              LISTENING       3144
  TCP              LISTENING       2292

newmanme (Network Administrator\Engineer, author) commented:
Can I FTP the Wireshark file to you? It is 153 MB.
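A 153 MB capture is too large to eyeball in the Wireshark GUI, but tshark (installed alongside Wireshark) can summarise it in a few commands. The block below is an added example, not part of the original thread: it assumes Wireshark is installed in its default path on the PC that received the capture, that the capture is saved as C:\captures\server.pcapng, and that the server's address is 10.0.0.5 (all three are assumptions; adjust them). It produces the protocol breakdown, the busiest IP conversations, the most-queried DNS names and the destinations the server itself opened connections to, which is the information that would have been needed to judge whether the DNS and Java activity was talking to anything outside.

```powershell
# Added example, not from the original thread.
# Assumes: Wireshark in the default install path, capture at the path below,
# server address 10.0.0.5. tshark's -Y display filter needs Wireshark 1.10 or later.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'
$cap    = 'C:\captures\server.pcapng'
$server = '10.0.0.5'

'--- protocol hierarchy: how much of the night was DNS, TCP, etc. ---'
& $tshark -r $cap -q -z io,phs

'--- busiest IP conversations by bytes ---'
# An external peer near the top of an internal server's list is the first thing to check.
& $tshark -r $cap -q -z conv,ip

'--- most-queried DNS names (queries only, top 25) ---'
# A handful of names repeated thousands of times, or long random-looking labels,
# stand out against normal server traffic.
& $tshark -r $cap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 25 Count, Name

'--- outbound TCP connection attempts from the server (dst:port, top 25) ---'
# SYN without ACK = the server initiating a connection, i.e. who it is trying to reach.
& $tshark -r $cap -Y "ip.src == $server && tcp.flags.syn == 1 && tcp.flags.ack == 0" `
    -T fields -e ip.dst -e tcp.dstport |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 25 Count, Name
```

Each command reads the whole file, so on a capture this size expect a minute or two per pass; the output is a few screens of text, which is a far more useful thing to paste into a thread than the capture itself.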

Zephyr ICT (Cloud Architect) commented:
You can use something like this to transfer the Wireshark file ...

[edit] removed the Sysinternals comment, saw you already doing this...

If nothing is connecting it might be something else ... Strange though... Haven't seen it before...

Are you sure DNS is not being used/running on this server?
Zephyr ICT (Cloud Architect) commented:
Why is there Java running on the server anyway?
newmanme (Network Administrator\Engineer, author) commented:
Java was running because the management software for the RAID installed it. I removed Java and disabled the java.exe file in the management software directory.

Zephyr ICT (Cloud Architect) commented:
Ah yes ... That would do it, stupid management software needing Java...

So any lingering processes (dns, java)??

I don't think it was something nasty; since you've tested about everything, it would be something very new or a zero-day maybe ... Or a very stubborn rootkit maybe.
newmanme (Network Administrator\Engineer, author) commented:
All we could come up with.