Excessive Internet Upload by Server for no apparent reason

Markieboy1
I look after a small company with 10 workstations on Windows 7 and one server running 2012 Essentials.

The company contacted me to say that the internet was slow and it was affecting emails. They had been in touch with the internet supplier who told them that it was due to upload saturation and something was uploading 4 gig an hour since last Thursday night.

After getting them to switch everything off overnight - except the modem/router - the uploading stopped. It seems only when the server is re-introduced does the problem re-appear.

The server isn't using any cloud backup and all emails are dealt with by Exchange Online. It is essentially a DC and file server.

I am suspecting bitcoin mining or botnet but I would be grateful for any ideas and/or potential solutions.

I am going to see the company later today so will see if I can find anything out but any suggestions in the meantime would be warmly welcomed.
Markieboy1, Owner (Author)
Commented:
Been to the customers and haven't had any luck.

Something is uploading at a good rate and it is only from the Server. The Internet providers say it is a Bittorrent/P2P protocol. I have run most malware/antivirus/rootkit programs I had available and they can find nothing.

I am therefore going to re-install the machine at the weekend. I have set up another question regarding the best way to do this if anyone has any recommendations.

If anyone still has any advice on this problem before Saturday, however, I would be grateful.
kevinhsieh, Network Engineer
Commented:
"netstat -f -b" from an elevated command prompt will show you all active connections, and the binary that is making the connection. That should help.
Top Expert 2016
Commented:
Bitcoin mining doesn't have a lot of network activity; it is CPU/GPU bound.
Even looking at the Resource Monitor networking (sort by upload) should show you something to investigate.
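
A PowerShell take on the two checks suggested above (connections per binary, and which process is busiest on the network), added here as an example and not posted by anyone in the thread. It ties each established TCP connection to its owning process and executable path and counts distinct remote peers per process; the list of system binary names and the System32 location check are assumptions of this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# on Windows 8 / Server 2012 or later (uses the NetTCPIP module).

# Assumption: core Windows binaries that should only ever load from System32.
$systemNames = 'lsass.exe','services.exe','winlogon.exe','csrss.exe','smss.exe','wininit.exe'
$system32    = Join-Path $env:SystemRoot 'System32'

# Index running processes by PID so each connection can be tied to a binary.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Established TCP connections to non-loopback peers only.
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1','::1' }

$report = $conns | Group-Object OwningProcess | ForEach-Object {
    $p     = $procs[[int]$_.Name]
    $name  = if ($p) { $p.Name } else { '<exited>' }
    $path  = if ($p) { $p.ExecutablePath } else { $null }
    $peers = @($_.Group | Select-Object -ExpandProperty RemoteAddress -Unique)
    [pscustomobject]@{
        ProcessId   = [int]$_.Name
        Name        = $name
        Path        = $path
        Connections = $_.Count
        RemotePeers = $peers.Count
        # True when a system binary name runs from somewhere other than System32.
        # Stays false when the path cannot be read (for example a protected process).
        WrongPath   = ($systemNames -contains $name) -and $path -and
                      ((Split-Path $path -Parent) -ne $system32)
    }
}

# Processes talking to the most distinct remote addresses come first.
$report | Sort-Object RemotePeers -Descending | Format-Table -AutoSize
```

This counts TCP connections and peers, not bytes sent, and it does not cover UDP traffic, so use it alongside Resource Monitor's per-process send figures.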
Markieboy1, Owner (Author)
Commented:
Thank you for your replies.

Resource Monitor networking showed a lot of activity from lsass.exe. Investigation into this showed it was in Windows/system32 and not elsewhere which, from my experience, usually indicates a virus.

I also ran Colasoft's Capsa 9 Network Monitoring software and this showed a lot of upload activity from the Server only with many different - and unexplained - IP addresses involved in this process.

Anyway, potential good news is that all seems to be working well this morning with none of the above happening and network traffic, according to the Internet provider, went back to normal last night.

Hopefully, something I did yesterday has solved the issue. I am concerned - even after all my efforts to isolate the problem to the server - that it may still be one of the client machines that is actually causing the issue and that hasn't been turned on yet.

I am therefore going to keep this question open for the next day or two in case it returns.
Markieboy1, Owner (Author)
Commented:
All still seems OK so now willing to close the question. Thanks for your help.
