Why is my physical host performing unnecessary port scan of Hyper-V virtual server?

Why is my physical Windows Server host port scanning a virtual server, and how can I stop it doing so unnecessarily?
Marcus N (Technical Specialist) asked:

bbao (IT Consultant) commented:
No Windows server automatically does a port scan on its own, so it must be some utility or malware working in the background exploring the local subnet(s). You need to check the running applications and processes to determine what is going on there.

BTW, you haven't mentioned the OS version. What is it, and what are the major applications installed on the server (the server roles apart from the known Hyper-V host)?
Marcus N (Technical Specialist, Author) commented:
Thanks for the reply. I have a very well maintained antivirus application running (see attached tasklist.txt), a hardware firewall upstream with another malware protection service, so I think I can rule out malware.

The physical host is MS Server 2012 R2 and the virtual server is MS SBS 2011.

The processes on the physical server are listed in the attached text file. Does anything look particularly odd?
David Johnson, CD, MVP (Owner) commented:
The only one that could be is rundll32.exe, as I can't tell from this list what the rundll is doing. You may want to run procmon from Sysinternals and filter on programs with network activity.

arnold commented:
Please define your port scan: how do you see it manifest?

You have Apache, SQL, iAS! etc. running

Nothing should be excluded until confirmed.
Marcus N (Technical Specialist, Author) commented:
Thank you both for the feedback.

rundll32.exe seems to be making no network sends or receives.

The tasks with the highest number of sends on the physical server are:
dhcp
netprofm
Symantec SEP
dfssvc
adws
ntfrs
dfsr
dns
Symantec Semsvc
ntds
some Kerberos

The reason I know there are port scans is because Symantec AV is logging it. I get a number of, what I regard as, hostile port scans from internet based IP addresses, but I also get a port scan from the NIC on the physical host server.
arnold commented:
Is your Hyper-V directly exposed?

What functions does your hyper-v host have?
I see httpd, ntfrs, dfsr, DHCP, DNS, adfs,
suggesting it is running as a DC.

Please post an example of the step record that you see as a port scan initiating from the Hyper-V host to ?
Marcus N (Technical Specialist, Author) commented:
How do I obtain the step record, please?
arnold commented:
The SEP filter/security log should indicate the source of the request and the action (block, allow).
Logs that point to confirm your observation of a scan.
Marcus N (Technical Specialist, Author) commented:
Thank you. Please see a copy of the log confirming the internal port scan. (I have replaced the IP address of the physical server with 192.168.X.Y and the IP address of the server being scanned with 192.168.X.Z. All the MAC addresses are not the actual ones, just representative.)

What shall I do to troubleshoot some more, please? (Attachment: SymSecurityLog.txt)
arnold commented:
It seems you are misreading the meaning of the log; a quick look points to external requests to a web server and the reply being detected based on the port .....

Private IP space has no information that required masquerading, as there is no way .....


Look at the log: a scan is one system initiating a connection to another system on a range of ports.

Your log reflects a request sent to the internal IP web service from an external source; it responded and SEP detects an issue. Check your web service to make sure the site has not been compromised, as that is what SEP detects in the response and blocks.
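The distinction arnold draws (one source initiating connections to a range of ports on one target is a scan; a flow whose reverse 4-tuple already exists is just the reply half of a conversation) can be applied mechanically before reading a detection as "my host is scanning". The following is an added example, not code from the thread or from Symantec: it runs over constructed flow records (not the attached SymSecurityLog.txt, whose format is not reproduced here) and also flags whether both ends sit in RFC 1918 space, the internal-to-internal case discussed in this thread.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (NOT the thread's attached SymSecurityLog.txt).
# Fields: seconds offset, src ip, src port, dst ip, dst port.
FLOWS = [
    (0,  "203.0.113.7",  51234, "192.168.1.10", 80),     # external request to the web service
    (1,  "192.168.1.10", 80,    "203.0.113.7",  51234),  # the host's reply: same conversation
    (5,  "192.168.1.20", 40001, "192.168.1.10", 135),    # one internal source, many ports
    (6,  "192.168.1.20", 40002, "192.168.1.10", 139),
    (7,  "192.168.1.20", 40003, "192.168.1.10", 445),
    (8,  "192.168.1.20", 40004, "192.168.1.10", 3389),
    (9,  "192.168.1.20", 40005, "192.168.1.10", 8014),
    (30, "192.168.1.30", 50000, "192.168.1.10", 445),    # a single internal connection
]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(src, dst):
    """True when both endpoints are RFC 1918 (internal) addresses."""
    return all(any(ip_address(a) in net for net in RFC1918) for a in (src, dst))

def max_ports_in_window(attempts, window):
    """Largest number of distinct destination ports hit within `window` seconds."""
    best = 0
    for i, (t0, _) in enumerate(attempts):
        best = max(best, len({p for t, p in attempts[i:] if t - t0 <= window}))
    return best

def classify_pairs(flows, min_ports=5, window=60):
    """Label each (src, dst) pair as 'reply', 'scan' or 'single'."""
    seen = set()
    by_pair = defaultdict(list)   # (src, dst) -> [(t, dport, is_reply)]
    for t, src, sport, dst, dport in sorted(flows):
        # A flow whose reverse 4-tuple was already seen is the answer half of an
        # existing conversation, not a new connection attempt by src.
        is_reply = (dst, dport, src, sport) in seen
        seen.add((src, sport, dst, dport))
        by_pair[(src, dst)].append((t, dport, is_reply))
    verdicts = {}
    for pair, entries in by_pair.items():
        attempts = [(t, p) for t, p, is_reply in entries if not is_reply]
        if not attempts:
            verdicts[pair] = "reply"
        elif max_ports_in_window(attempts, window) >= min_ports:
            verdicts[pair] = "scan"
        else:
            verdicts[pair] = "single"
    return verdicts

if __name__ == "__main__":
    for (src, dst), verdict in classify_pairs(FLOWS).items():
        scope = "internal" if is_internal(src, dst) else "external"
        print(f"{src:>14} -> {dst:<14} {verdict:<7} ({scope})")
```

The threshold and window are assumptions to tune against your own log volume; the point is that a single inbound request plus its reply never accumulates distinct destination ports and so never reaches "scan".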

arnold commented:
It comes in threes
External request to a web being detected as an attack.
Some internal to internal ip getting blocked
....
Marcus N (Technical Specialist, Author) commented:
Hmm, I've looked at the ports that are being scanned and they do not correspond to any ports that are "LISTENING", "TIME_WAIT" or "ESTABLISHED" on the physical server.

All of the connections that are initiated between the physical server and the virtual server should be internal. There should be no external requests. The devices are on the same IP range and same subnet. I'm a bit confused about what's going on. What should I troubleshoot? Anything particular in the event viewer?
David Johnson, CD, MVP (Owner) commented:
muieblackcat is a script/bot, supposedly of Ukrainian origin, that attempts to exploit PHP vulnerabilities or misconfigurations. See SUC027: Muieblackcat setup.php Web Scanner/Robot for more detail.

If you are not using PHP and have deactivated mod_php, you're safe. However, a request for /muieblackcat may mean that the bot has already, maybe successfully, visited your site. I suggest you carefully check your configuration and web content (if possible, erase all and reinstall from a trusted source set).
https://serverfault.com/questions/309309/what-is-muieblackcat
arnold commented:
You have incoming to your web server on port 80.
The subsequent is the response from yours to ....

The first line with the date is the entry; the remaining data until the next date is the information related to this event.
Your setup might be that your X.Z is forwarding to X.Y...., and based on the pattern it blocks and locks out the system for 600 seconds.

Depending on what you have in terms of resources, setting up a reverse proxy between the outside and your web server would shield your web server from this type of a direct attack by adding capabilities on the reverse proxy to detect/reject those types of access attempts.
iptables + snort is often the .....
Marcus N (Technical Specialist, Author) commented:
Thank you all for your suggestions. They have helped me to identify what I believe to be the issue, as follows.
1. I have on premise Symantec AV (SEPM 12.1.5) for a range of endpoints (Windows 7 etc).
2. I have cloud Symantec AV (SEPM 14.x) for some other endpoints (Windows 10 etc).
3. Some of the Windows 10 endpoints were previously Windows 7 endpoints (I upgraded the operating systems).
4. These upgraded Windows 10 endpoints became identified by SEPM 12.1.5 as unmanaged.
5. The SEPM attempted regular communication with these "unmanaged" endpoints which now had SEPM 14.x clients installed.
6. I have deleted the clients that were Windows 7 and are now Windows 10 from the on premise SEPM console. This appears to have eliminated the internal port scanning.

Before I assign points, I'll leave this open for another day so that I can confirm this outcome, or come back with some further query for help.
Marcus N (Technical Specialist, Author) commented:
Thank you for helping me identify the root cause being the way on premise and cloud SEPM was handling clients.