
OS: Windows Server 2003 Monitoring tool: CurrPorts

When monitoring the server for traffic going out on port 80, an example of the results:

    5/1/2014 2:36:23 PM  Added  cscript.exe  TCP  server-IP:51560  207.34.231.48:80
    5/1/2014 2:36:23 PM  Added  cscript.exe  TCP  server-IP:51574

It seems that the traffic is initiated by cscript.exe and is going to 207.34.231.48:80.

I used the advice here to check what scripts are ran by cscript.exe at the time: http://blogs.msdn.com/b/gstemp/archive/2004/02/13/72505.aspx

However, all the results I get are standard SCOM scripts, for example: "C:\Windows\system32\cscript.exe" /nologo "D:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 38\file.vbs"

I looked in the script and I get no hints at all as to what causes outgoing traffic to 207.34.231.48:80.

Can anyone recommend any steps I can take to identify what causes the server to send traffic to that IP?

ToastMan
    Might want to get Wireshark and figure out what it's trying to do. Considering the IP is one of Akamai's caching server I wouldn't worry about this being a "hacking" attempt just yet. Do you have any association with Akamai (eg company website uses them or anything like that?), could be a simple misconfiguration in SCOM. – Chris S May 09 '14 at 13:59
  • Thanks for the reply. I can't find anything in SCOM, looking at the SCOM scripts or the config that goes towards that IP.. It's driving me nuts. – ToastMan May 09 '14 at 14:37
  • I installed Fiddler and it doesn't show any results towards 207.34.231.x (while CurrPorts shows connections to that IP on port 80) -- I'm not sure what that means – ToastMan May 09 '14 at 14:55
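An added example, not from the question or its comments, of one way to take the step the asker is missing: tie each outbound socket to its owning process, and for cscript.exe to the script file on its command line and the parent that launched it, by polling netstat -ano and looking the PID up in WMI. It assumes Windows PowerShell 2.0 on the Server 2003 box; the remote address defaults to the one from the question, while the poll interval, iteration count and log path are placeholders to adjust.

```powershell
# Added example: poll for outbound TCP connections to one remote address and
# record the owning process, its full command line (for cscript.exe, the
# script it was launched with) and its parent. Uses netstat -ano and WMI
# Win32_Process, both available on Windows Server 2003 with PowerShell 2.0.
# $RemoteIp defaults to the address from the question; poll interval,
# iteration count and log path are assumptions, change them as needed.
param(
    [string]$RemoteIp    = '207.34.231.48',
    [int]   $PollSeconds = 1,
    [int]   $Iterations  = 600,
    [string]$LogPath     = "$env:TEMP\outbound-to-$RemoteIp.log"
)

function Get-ConnectionsTo {
    param([string]$Ip)
    # netstat -ano prints: Proto  Local Address  Foreign Address  State  PID
    # Header lines have fewer than five fields and are skipped.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Length -ge 5 -and $f[0] -eq 'TCP' -and $f[2] -like "${Ip}:*") {
            New-Object PSObject -Property @{
                Local  = $f[1]
                Remote = $f[2]
                State  = $f[3]
                Pid    = [int]$f[4]
            }
        }
    }
}

function Get-ProcessInfo {
    param([int]$ProcessId)
    # Pull image path, command line and parent from WMI. A short-lived
    # cscript.exe may already have exited by the time we look it up.
    $p = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) {
        return New-Object PSObject -Property @{ Image = '<exited>'; CommandLine = ''; Parent = '' }
    }
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = ''
    if ($parent) { $parentName = "$($parent.Name) (PID $($parent.ProcessId))" }
    New-Object PSObject -Property @{
        Image       = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Parent      = $parentName
    }
}

$seen = @{}
for ($i = 0; $i -lt $Iterations; $i++) {
    foreach ($c in (Get-ConnectionsTo -Ip $RemoteIp)) {
        $key = "$($c.Local)->$($c.Remote)"
        if ($seen.ContainsKey($key)) { continue }   # report each socket once
        $seen[$key] = $true
        $info = Get-ProcessInfo -ProcessId $c.Pid
        $line = "{0:s} {1} {2} pid={3} image={4} parent={5} cmd={6}" -f `
            (Get-Date), $key, $c.State, $c.Pid, $info.Image, $info.Parent, $info.CommandLine
        Write-Host $line
        Add-Content -Path $LogPath -Value $line
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it from an elevated PowerShell while CurrPorts is showing the connections; the log then lists, per socket, the PID, image, parent process and command line, which for cscript.exe is the .vbs path. Because the SCOM scripts exit quickly, a one-second poll can still miss the process and log `<exited>`; the WMI process-creation approach from the linked blog post catches the command line more reliably, and a Wireshark capture on the same host shows what is actually sent to port 80. On the Fiddler observation in the comments: Fiddler is a local HTTP proxy that only sees clients honouring the WinINET proxy setting, so a script using WinHTTP or ServerXMLHTTP can open the socket CurrPorts lists without ever appearing in Fiddler.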
