• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 97
  • Last Modified:

Excessive Internet Upload by Server for no apparent reason

I look after a small company with 10 workstations on Windows 7 and one server running 2012 Essentials.

The company contacted me to say that the internet was slow and it was affecting emails. They had been in touch with the internet supplier who told them that it was due to upload saturation and something was uploading 4 gig an hour since last Thursday night.

After getting them to switch everything off overnight - except the modem/router - the uploading stopped. It seems only when the server is re-introduced does the problem re-appear.

The server isn't using any cloud backup and all emails are dealt with by Exchange Online. It is essentially a DC and file server.

I am suspecting bitcoin mining or botnet but I would be grateful for any ideas and/or potential solutions.

I am going to see the company later today so will see if I can find anything out but any suggestions in the meantime would be warmly welcomed.
  • 3
2 Solutions
Markieboy1Author Commented:
Being to the customers and haven;t had any luck.

Something is uploading at a good rate and it is only from the Server. The Internet providers say it is a Bittorrent/P2P protocol. I have run most malware/antivirus/rootkit programs I had available and they can find nothing.

I am therefore going to re-install the machine at the weekend. I have set up another question regarding the best way to do this if anyone has any recommendations.

If anyone still has any advice on this problem before Saturday, however, i would be grateful.
"netstat -f -b" from an elevated command prompt will show you all active connections, and the binary that is making the connection. That should help.
David Johnson, CD, MVPOwnerCommented:
bitcoin mining doesn't have a lot of network activity it is cpu/gpu bound
even looking at the resource monitor networking sort by upload should show you something to investigate
Markieboy1Author Commented:
Thank you for your replies.

Resource Monitor networking showed a lot of activity from lsass.exe.  Investigation into this showed it was in Windows/system32 and not elsewhere which, from my experience, usually indicates a virus.

I also ran Colasoft's Capsa 9 Network Monitoring software and this showed a lot of upload activity from the Server only with many different - and unexplained - IP addresses involved in this process.

Anyway, potential good news is that all seems to be working well this morning with none of the above happening and network traffic, according to the Internet provider, went back to normal last night.

Hopefully, something I did yesterday has solved the issue. I am concerned - even after all my efforts to  isolate the problem to the server - that it may still be one of the client machine that is actually causing the issue and that hasn't being turned on yet.

I am therefore going to keep this question open for the next day or two in case it returns.
Markieboy1Author Commented:
Al still seems OK so now willing to close the question. Thanks for your help.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now