PDA

View Full Version : Upload Crazy



radium
30-07-2014, 11:09 PM
Hello Guys

I see my previous thread has been closed, but I am still experiencing issues with a Windows Server (server 2008 R2) also acts as a terminal server for 1 user.
The upload is out of control and I can not find an infection on the PC

I can however spot the traffic, the traffic is intermittent, appear to run to random IP addresses from random countries, I successfully block the IP range only to find it comes back....

Test I have run:
Malwarebytes
Spyware Terminator
HJT
Hitman Pro
Kaspersky Scan
TrendMicro House Call
SEP
I have reset all user's passwords (recently)

All turn up clean, it's almost like a DDoS attack, Any recommendations would be greatly appreciated
It currently runs behind a Snapgear firewall which has done vey little to assist, any changes made only appear to last until the next attack, upload can be up to 5GB per day where I should be seeing more like 500MB.
The issues appear to be isolated to just the server in the network.

I have also run a wireshark trace but don't know how I can put that to good use, I identify the traffic stop it with a firewall rule, then it reappears at a later date

Thanks.....

berryb
30-07-2014, 11:38 PM
What port is the data using?
Is the Host file and DNS forwarders correct.
Is there any external port forwarding to the server (RDP?) and if so do the logs show rough logon attempts?

Just a couple of quick ideas

1101
31-07-2014, 11:01 AM
Im clutching at straws but...
Login as the TS user & see what happens, you may be able to isolate it to that one TS user .
See what programs start up with that TS user . It could be a legit program used in a non-legit way, that would never be detected with malware scans.
If you only have 1 TS user, consider deleting/disabling that a/c & making a new a/c for that user.

Could it be a workstation sending spam via the sever ? Have you blocked port 25 for everything except for exchange . Block mail relaying from workstation to server (ie only allow email via outlook-exchange)

Run a blacklist check on your static IP, to see if it has recently been detected sending spam.

I have seen 1 instance when a poorly configured spam filter was sending NDR's/bounces to the spammers spoofed email adress's & all the CC's. Than caused a few issues (unlikely in your case though )

Are the uploads definitely coming from the Server ?
Does the upload/download meter at the ISP confirm that it is uploads & not a glitch in the reporting at your end ?
Disable all remote/RDC etc rights for everyone who dont need them

radium
02-08-2014, 06:51 PM
Hi Guys

Thanks for your great response, I hav only had the time now to revisit this

Okay steps just taken.

Changed all passwords
Disabled all non essential and unused AD & RDP accounts
Blocked port 25, (just now)
Checked Host file - Clean
DNS Forwards are correct
Logged in as only TS User, no abnormal startup programs
IP not blacklisted at Spamhaus
External Port forwarding to the server - Yes for the DVR
Are the uploads definitely coming from the Server ? Appear to be - all other workstations have been turned off and same upload traffic

Spam Issue there was an issue 6 months ago where the server was sending out large amounts of spam, I found a backdoor that had been running in the background, removed this infection and that stopped the spam - according to Telecom.
I have run so many scans and all clean.

Thanks for your help, ensures I haven't overlooked something simple...
I have ruled out issues with ISP false readings - turned off router for 12 hours and all traffic stopped, done the same with the server, similar result, have also run scans all on all networked computers which is about 7.
I have yet to disable TS login and create a new one, will mean I will have to go on site and talk to the staff.... etc. But will do as a last restore