Weird ips in tcpview system process

On a server running Windows 2012R2 I use Sysinternals' tcpview.exe and see SYSTEM PID 4 making unwanted connections to random public IPs on port 445. Lines appear for a few seconds, then disappear. When watching Sysinternals' Process Explorer during that same time frame I see no new process appearing and disappearing.

If I shut down a specific service related to remote log collection, the strange connections stop. The service's role is to connect to internal servers to poll for Windows event logs. I have multiple similar servers doing the same job with the exact same setup and configurations and only this one is acting up. It is apparently not a configuration issue. Even the vendor's tech was unable to figure out what's happening.

I dived into memory forensics but can't find a strangely named process, or improperly located executable, nor some bad dll. 'malfind' shows nothing suspicious (as per the notes I have on SANS 508). Netscan shows me data but I end up with lines like this which I do not find useful (unless I can make use of the memory offset value?):

0x1363b0a00 TCPv4 _server_IP_64242 80

So you have SYSTEM connecting to both internal IPs (which is ok) and external IPs (which is not okay). Even a simple netstat will give you that info (SYSTEM is trying to connect to external IPs on port 445). I would look up applications that map TCP/UDP connections to processes on the computer, such as TCPview (or simply netstat -b) and then further isolate the.
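An added example, not part of the original post, that automates the check described above on Windows 2012 R2 or later (elevated PowerShell, NetTCPIP module): it polls TCP connections owned by PID 4 on remote port 445, keeps only destinations outside private, loopback and link-local ranges, and records whether the suspected log-collection service was running at the moment each one was first seen. Outbound SMB is set up by the kernel-mode SMB redirector on behalf of whichever process asked for it, which is why TCPView and netstat attribute these connections to System rather than to the requesting service; the service name LogCollectorSvc is a placeholder to replace with the real one.

```powershell
# Added example (not from the original post). Assumes Windows 2012 R2 or later,
# an elevated session, and a placeholder service name 'LogCollectorSvc'.
# Outbound SMB is made by the kernel redirector, so it always shows under PID 4;
# correlating each hit with the service's state is what isolates the requester.

function Test-PrivateIPv4 {
    # True for RFC 1918, loopback and link-local IPv4 addresses.
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 127) -or
           ($o[0] -eq 169 -and $o[1] -eq 254)
}

function Get-ExternalSmbFromSystem {
    # Polls for a while because the connections only live for a few seconds.
    param([int]$Seconds = 60, [int]$IntervalMs = 500,
          [string]$ServiceName = 'LogCollectorSvc')   # placeholder name
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Get-NetTCPConnection -OwningProcess 4 -RemotePort 445 -AddressFamily IPv4 `
                             -ErrorAction SilentlyContinue |
            Where-Object { -not (Test-PrivateIPv4 $_.RemoteAddress) } |
            ForEach-Object {
                $key = "$($_.RemoteAddress):$($_.RemotePort)"
                if (-not $seen.ContainsKey($key)) {
                    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
                    $seen[$key] = [pscustomobject]@{
                        FirstSeen        = Get-Date
                        RemoteAddress    = $_.RemoteAddress
                        State            = $_.State
                        CollectorStatus  = if ($svc) { $svc.Status } else { 'service not found' }
                    }
                }
            }
        Start-Sleep -Milliseconds $IntervalMs
    }
    return $seen.Values
}

# Run once with the collector service running and once with it stopped;
# external destinations that only appear in the first run point at that service.
Get-ExternalSmbFromSystem -Seconds 120 | Format-Table -AutoSize
```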