Markieboy1 asked:

Excessive Internet Upload by Server for no apparent reason

I look after a small company with 10 workstations on Windows 7 and one server running 2012 Essentials.

The company contacted me to say that the internet was slow and it was affecting emails. They had been in touch with the internet supplier who told them that it was due to upload saturation and something was uploading 4 gig an hour since last Thursday night.

After getting them to switch everything off overnight - except the modem/router - the uploading stopped. It seems only when the server is re-introduced does the problem re-appear.

The server isn't using any cloud backup and all emails are dealt with by Exchange Online. It is essentially a DC and file server.

I am suspecting bitcoin mining or botnet but I would be grateful for any ideas and/or potential solutions.

I am going to see the company later today so will see if I can find anything out but any suggestions in the meantime would be warmly welcomed.
Markieboy1 (ASKER):

Been to the customers and haven't had any luck.

Something is uploading at a good rate and it is only from the Server. The Internet providers say it is a Bittorrent/P2P protocol. I have run most malware/antivirus/rootkit programs I had available and they can find nothing.

I am therefore going to re-install the machine at the weekend. I have set up another question regarding the best way to do this if anyone has any recommendations.

If anyone still has any advice on this problem before Saturday, however, I would be grateful.
SOLUTION
kevinhsieh
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thank you for your replies.

Resource Monitor networking showed a lot of activity from lsass.exe. Investigation into this showed it was in Windows/system32 and not elsewhere which, from my experience, usually indicates a virus.

I also ran Colasoft's Capsa 9 Network Monitoring software and this showed a lot of upload activity from the Server only with many different - and unexplained - IP addresses involved in this process.

Anyway, potential good news is that all seems to be working well this morning with none of the above happening and network traffic, according to the Internet provider, went back to normal last night.

Hopefully, something I did yesterday has solved the issue. I am concerned - even after all my efforts to isolate the problem to the server - that it may still be one of the client machines that is actually causing the issue and that hasn't been turned on yet.

I am therefore going to keep this question open for the next day or two in case it returns.
All still seems OK so now willing to close the question. Thanks for your help.
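
The triage described in the updates above (which process on the server is talking to many outside addresses, and where its executable lives), as an added example that is not part of the original thread. It is PowerShell for Windows Server 2012 or later, run from an elevated prompt; the `$systemNames` list and the internal-address pattern are assumptions chosen for illustration.

```powershell
# Added example: attribute established outbound TCP connections to processes.
# Assumption: a short, constructed list of Windows binaries that normally
# run only from %SystemRoot%\System32.
$systemNames = 'lsass', 'svchost', 'services', 'winlogon', 'csrss'
$system32    = Join-Path $env:SystemRoot 'System32'

# Assumption: private, loopback and link-local ranges count as internal.
$internal = '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:|f[cd][0-9a-f]{2}:)'

$rows = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $internal } |
    Group-Object -Property OwningProcess |
    ForEach-Object {
        # The process may have exited between the two calls.
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        # Path can be empty for protected processes even when elevated.
        $path = if ($proc) { $proc.Path } else { $null }

        # Flag a system-named process whose image is not in System32.
        $outside = ($systemNames -contains $name) -and $path -and
                   ((Split-Path $path -Parent) -ne $system32)

        [pscustomobject]@{
            PID             = [int]$_.Name
            Process         = $name
            Path            = if ($path) { $path } else { '<unavailable>' }
            Connections     = $_.Count
            RemoteHosts     = @($_.Group |
                                Select-Object -ExpandProperty RemoteAddress -Unique).Count
            OutsideSystem32 = [bool]$outside
        }
    }

# Processes with the most distinct external peers first.
$rows | Sort-Object -Property RemoteHosts -Descending | Format-Table -AutoSize
```

This covers TCP only and reports connection counts, not bytes; per-process throughput still has to come from Resource Monitor or a packet capture.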