Server Possibly Compromised

forgiven

Server 2012 R2 as DC on a Dell T320. The WAN latency is off the charts, which makes connectivity spotty at best (most of the time this looks like no internet). Also, connectivity on the LAN doesn't work (can't find other devices on the network). When I unplug the server, latency returns to more acceptable values and intra- and inter-network connectivity returns, so I know for sure something on the server is the cause. When I run netstat, I see the server local IP (192.168.1.x) on port 3389 to 69.70.140.178 on some random-looking port (54530 or something like that). No one is using Remote Desktop from the server to that 69.70 IP, so I suspect someone has somehow compromised the server/network.

I have blocked that 69.70 IP both going out and coming in at the hardware firewall, and when I plug the server back into the network and run netstat, that same connection is there, so I assume netstat is reporting a connection from the server going out to 69.70 (and netstat says this connection is established, not listening). I scanned for infections using AdwCleaner, Malwarebytes and RogueKiller. None of these found anything. I tried the other NIC, same thing. I brought the server back to the office, and when I connect it and boot it up and run netstat, that connection does NOT appear. This seems to suggest that the 69.70 IP is connecting into the server and not the server out to 69.70.

Has anyone seen anything like this before and how did you fix it?
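The direction question in the post can be answered from the netstat columns alone: the "Local Address" column is always this host's end of the socket, so a local port of 3389 paired with a high remote port means the remote host connected in to the RDP listener, not the other way round. The script below is an added example (not the poster's code or any vendor tool); it parses `netstat -ano` output in the Windows format, flags ESTABLISHED RDP sessions whose peer is outside the RFC 1918/loopback ranges, and reports the direction and owning PID. The sample output embedded in it is constructed, and 203.0.113.45 is a documentation address standing in for whatever external peer shows up.

```python
import ipaddress
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDP_PORT = 3389

# Ranges treated as "on the LAN" for this triage; any other peer is considered external.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed sample of `netstat -ano` output (Windows format); not taken from the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TCP    192.168.1.10:3389      203.0.113.45:54530     ESTABLISHED     1024
  TCP    192.168.1.10:3389      192.168.1.50:49812     ESTABLISHED     1024
  TCP    192.168.1.10:49731     198.51.100.7:443       ESTABLISHED     2200
  UDP    0.0.0.0:123            *:*                                    900
"""


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def _split_endpoint(ep: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); '*' or missing ports become 0."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]")            # IPv6 literals are bracketed in netstat output
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP/UDP rows of `netstat -ano`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:   # UDP rows carry no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def is_external(ip_str: str) -> bool:
    """True when the address is neither a wildcard nor inside any LAN range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:                 # '*' or other non-address placeholder
        return False
    if ip.is_unspecified:              # 0.0.0.0 / :: wildcard on LISTENING rows
        return False
    return not any(ip in net for net in LAN_RANGES)


def rdp_direction(c: Conn) -> Optional[str]:
    """Local port 3389 means the peer connected to our listener; remote 3389 means we connected out."""
    if c.local_port == RDP_PORT:
        return "inbound"
    if c.remote_port == RDP_PORT:
        return "outbound"
    return None


def suspicious_rdp(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (direction, peer_ip, peer_port, pid) for established RDP sessions with external peers."""
    findings = []
    for c in parse_netstat(text):
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        direction = rdp_direction(c)
        if direction and is_external(c.remote_ip):
            findings.append((direction, c.remote_ip, c.remote_port, c.pid))
    return findings


if __name__ == "__main__":
    # Pipe real output in with `netstat -ano | python rdp_triage.py`; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for direction, ip, port, pid in suspicious_rdp(text):
        print(f"{direction} RDP session with external peer {ip}:{port} (PID {pid})")
```

On the sample the only hit is the inbound session from 203.0.113.45; the RDP session from 192.168.1.50 is excluded as a LAN peer, and the port 443 connection is not RDP. The PID column matches what `tasklist /svc` reports, which is how you tie the session to the process (the Remote Desktop Services host for a legitimate listener) before deciding on containment; if the firewall block on the peer is in place and the session still appears ESTABLISHED, that is worth checking against the firewall's own connection log, because an existing session can survive a rule that only stops new ones.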
