Thread: Upload Crazy

#1 radium (Former Hive Addict, Final Table, joined Jan 2007)

Question: Upload Crazy

    Hello Guys

I see my previous thread has been closed, but I am still experiencing issues with a Windows Server (Server 2008 R2) that also acts as a terminal server for 1 user.
The upload is out of control and I cannot find an infection on the PC.

I can however spot the traffic; the traffic is intermittent and appears to run to random IP addresses from random countries. I successfully block the IP range only to find it comes back....

Tests I have run:
    Malwarebytes
    Spyware Terminator
    HJT
    Hitman Pro
    Kaspersky Scan
    TrendMicro House Call
    SEP
    I have reset all user's passwords (recently)

All turn up clean; it's almost like a DDoS attack. Any recommendations would be greatly appreciated.
It currently runs behind a Snapgear firewall which has done very little to assist; any changes made only appear to last until the next attack. Upload can be up to 5GB per day where I should be seeing more like 500MB.
The issues appear to be isolated to just the server in the network.

I have also run a Wireshark trace but don't know how I can put that to good use. I identify the traffic and stop it with a firewall rule, then it reappears at a later date.

    Thanks.....
    Too Stupid to Understand Science? Try Religion.

#2 Senior Member (Dunedin, joined Dec 2004)

Re: Upload Crazy

    What port is the data using?
Are the hosts file and DNS forwarders correct?
Is there any external port forwarding to the server (RDP?), and if so, do the logs show rogue logon attempts?

    Just a couple of quick ideas

#3 1101 (Senior Member, joined Jan 2008)

Re: Upload Crazy

I'm clutching at straws but...
Login as the TS user and see what happens; you may be able to isolate it to that one TS user.
See what programs start up with that TS user. It could be a legit program used in a non-legit way, which would never be detected with malware scans.
If you only have 1 TS user, consider deleting/disabling that a/c and making a new a/c for that user.

Could it be a workstation sending spam via the server? Have you blocked port 25 for everything except Exchange? Block mail relaying from workstation to server (i.e. only allow email via Outlook-Exchange).

    Run a blacklist check on your static IP, to see if it has recently been detected sending spam.

I have seen 1 instance when a poorly configured spam filter was sending NDRs/bounces to the spammer's spoofed email addresses and all the CCs. That caused a few issues (unlikely in your case though).

Are the uploads definitely coming from the server?
Does the upload/download meter at the ISP confirm that it is uploads and not a glitch in the reporting at your end?
Disable all remote/RDC etc. rights for everyone who doesn't need them.

#4 radium (Former Hive Addict, Final Table, joined Jan 2007)

Re: Upload Crazy

    Hi Guys

Thanks for your great response; I have only had the time now to revisit this.

    Okay steps just taken.

    Changed all passwords
    Disabled all non essential and unused AD & RDP accounts
    Blocked port 25, (just now)
    Checked Host file - Clean
    DNS Forwards are correct
    Logged in as only TS User, no abnormal startup programs
    IP not blacklisted at Spamhaus
    External Port forwarding to the server - Yes for the DVR
    Are the uploads definitely coming from the Server ? Appear to be - all other workstations have been turned off and same upload traffic

Spam issue: there was an issue 6 months ago where the server was sending out large amounts of spam. I found a backdoor that had been running in the background, removed this infection and that stopped the spam, according to Telecom.
I have run so many scans and all are clean.

Thanks for your help; it ensures I haven't overlooked something simple...
I have ruled out issues with ISP false readings: turned off the router for 12 hours and all traffic stopped; did the same with the server, similar result. I have also run scans on all networked computers, which is about 7.
I have yet to disable the TS login and create a new one; it will mean I will have to go on site and talk to the staff.... etc. But I will do it as a last resort.
