Solved

Excessive Internet Upload by Server for no apparent reason

Posted on 2016-10-19
5
58 Views
Last Modified: 2016-10-24
I look after a small company with 10 workstations on Windows 7 and one server running 2012 Essentials.

The company contacted me to say that the internet was slow and it was affecting emails. They had been in touch with the internet supplier who told them that it was due to upload saturation and something was uploading 4 gig an hour since last Thursday night.

After getting them to switch everything off overnight - except the modem/router - the uploading stopped. It seems only when the server is re-introduced does the problem re-appear.

The server isn't using any cloud backup and all emails are dealt with by Exchange Online. It is essentially a DC and file server.

I am suspecting bitcoin mining or botnet but I would be grateful for any ideas and/or potential solutions.

I am going to see the company later today so will see if I can find anything out but any suggestions in the meantime would be warmly welcomed.
0
Comment
Question by:Markieboy1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 

Author Comment

by:Markieboy1
ID: 41850578
Being to the customers and haven;t had any luck.

Something is uploading at a good rate and it is only from the Server. The Internet providers say it is a Bittorrent/P2P protocol. I have run most malware/antivirus/rootkit programs I had available and they can find nothing.

I am therefore going to re-install the machine at the weekend. I have set up another question regarding the best way to do this if anyone has any recommendations.

If anyone still has any advice on this problem before Saturday, however, i would be grateful.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 41851085
"netstat -f -b" from an elevated command prompt will show you all active connections, and the binary that is making the connection. That should help.
1
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41851526
bitcoin mining doesn't have a lot of network activity it is cpu/gpu bound
even looking at the resource monitor networking sort by upload should show you something to investigate
0
 

Author Comment

by:Markieboy1
ID: 41851647
Thank you for your replies.

Resource Monitor networking showed a lot of activity from lsass.exe.  Investigation into this showed it was in Windows/system32 and not elsewhere which, from my experience, usually indicates a virus.

I also ran Colasoft's Capsa 9 Network Monitoring software and this showed a lot of upload activity from the Server only with many different - and unexplained - IP addresses involved in this process.

Anyway, potential good news is that all seems to be working well this morning with none of the above happening and network traffic, according to the Internet provider, went back to normal last night.

Hopefully, something I did yesterday has solved the issue. I am concerned - even after all my efforts to  isolate the problem to the server - that it may still be one of the client machine that is actually causing the issue and that hasn't being turned on yet.

I am therefore going to keep this question open for the next day or two in case it returns.
0
 

Author Closing Comment

by:Markieboy1
ID: 41856888
Al still seems OK so now willing to close the question. Thanks for your help.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Event ID: 5719 / Source: NETLOGON 9 167
Gmail hacked or spoofed? 10 42
Server 2012 r2 licensing CALs 3 83
Port to open for RDP connection to VM in DMZ ? 5 69
Introduction Ever had certain email messages or responses that you find yourself using over and over again? Do you use Google's Gmail system? If so, then this article is here to help you save time by teaching you how to create email templates from …
Are you using email marketing software? If not, you're missing out on effortless marketing and the reaching of desired conversion rates through email marketing software.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question