0

Where I work we have a Windows Server 2011 Small Business edition, and recently our Symantec software started reporting "blocked intrusion attempts" from port 80. Our routers do not forward any port to the Server's 80 port, so I imagined the intrusion must be an outgoing connection from the server itself.

So I analyzed the network load with Sysinternals TCPView and found quite a lot of established and closed connections to random internet domains, handled by System. No one uses the server to browse the internet, and all workstations use the routers directly as gateways.

This is part of TCPView log. The redacted "local address" is of course our server name.

System  4   TCP *********** http    60.191.0.244    64319   ESTABLISHED                                     
System  4   TCP *********** http    101.200.47.16   8459    CLOSE_WAIT                                      
System  4   TCP *********** http    191-19-83-33.user.vivozap.com.br    42496   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  43486   CLOSE_WAIT                                      
System  4   TCP *********** http    150.242.255.174 44416   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  47442   CLOSE_WAIT                                      
System  4   TCP *********** http    177.87.41-231.arrobasat.net.br  48123   CLOSE_WAIT                                      
System  4   TCP *********** http    dsl-189-230-200-191-dyn.prod-infinitum.com.mx   51664   ESTABLISHED                                     
System  4   TCP *********** http    185.216.140.17  52176   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  53965   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  56133   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  58255   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  62631   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  15485   CLOSE_WAIT                                      
System  4   TCP *********** http    103.96.51.168   31089   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  4480    CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  8981    CLOSE_WAIT                                      
System  4   TCP *********** http    101.200.47.16   16375   CLOSE_WAIT                                      
System  4   TCP *********** http    198.24.113.181.static.anycast.cnt-grms.ec   34732   CLOSE_WAIT                                      
System  4   TCP *********** http    ec2-54-162-123-74.compute-1.amazonaws.com   45372   CLOSE_WAIT                                      
System  4   TCP *********** http    190.52.66.66    53300   CLOSE_WAIT                                      
System  4   TCP *********** http    110.77.205.250  59765   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  64701   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  4480    CLOSE_WAIT                                      
System  4   TCP *********** http    101.200.47.16   8459    CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  8981    CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  4480    CLOSE_WAIT                                      
System  4   TCP *********** http    103.96.51.168   31089   CLOSE_WAIT                                      
System  4   TCP *********** http    187-56-64-26.dsl.telesp.net.br  35086   CLOSE_WAIT                                      
System  4   TCP *********** http    ec2-54-162-123-74.compute-1.amazonaws.com   45372   CLOSE_WAIT                                      
System  4   TCP *********** http    190.52.66.66    53300   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  8981    CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  15485   CLOSE_WAIT                                      
System  4   TCP *********** http    103.96.51.168   31089   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  49546   CLOSE_WAIT                                      
System  4   TCP *********** http    190.52.66.66    53300   CLOSE_WAIT                                      
System  4   TCP *********** http    190.52.66.66    53300   CLOSE_WAIT                                      
System  4   TCP *********** http    164.115.41.175  49546   CLOSE_WAIT                                      
System  4   TCP *********** http    dsl-189-230-200-191-dyn.prod-infinitum.com.mx   51664   ESTABLISHED

I whois'd randomly some of those addresses and for example, 60.191.0.244 is registered to a hotel in China.

Is this as bad as it looks? How can I gather more information?

Thanks a lot.

  • 1
    These appear to be inbound connections, not outbound connections. The local port is port 80 (HTTP). If these were outbound connections the local port would be one of the ephemeral ports and it would be different for every connection. These are inbound connections to port 80 on the server. – joeqwerty Jul 23 '18 at 18:08
  • Thanks for the answer Joe. I'll have to look into how those addresses are reaching the server private address. It's behind a NAT. – Javier Cambiasso Jul 23 '18 at 18:13
  • What kind of router are you using? Make sure UPnP is disabled, and do a full check of your server for any malware/rootkits. – RobbieCrash Jul 23 '18 at 22:06
  • Right now we are checking other PCs in the network. The router is a Mikrotik, it does have UPnP but disabling it would just cover up the symptoms, the infections would still be rampant. But yeah, we are running a rootkit finder later. Thanks – Javier Cambiasso Jul 24 '18 at 12:32

1 Answer

0

As @joeqwerty pointed out, those were inbound connections. There was a broken port forward in our router. It was listed as "Disabled", but apparently the forward was completely operational.
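The direction check joeqwerty gives in the comments (local port 80 means the connection is inbound; an outbound connection would show an ephemeral local port) and the answer's conclusion can be applied to the pasted TCPView output mechanically. The script below is an added example, not code from the original post: it parses TCPView-style lines (the column layout is assumed from the paste above), classifies each connection as inbound or outbound by which side holds the service port, and lists inbound peers that are public addresses, which on a NATed host that supposedly has no port forward is exactly the discrepancy the answer found. The sample lines are copied from the question, plus one constructed outbound line for contrast.

```python
"""Classify TCPView-style connection lines as inbound or outbound.

Added example, not part of the original post. Rule (from joeqwerty's comment):
the side holding the well-known service port is the listener, so a local port
of 80/http with an ephemeral remote port is an inbound connection to the
server; an outbound connection would carry the ephemeral port locally.
"""
import ipaddress
import re
from collections import Counter

# Column layout assumed from the TCPView paste in the question:
# process  pid  proto  local-addr  local-port  remote-addr  remote-port  [state]
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\S+)\s+(?P<raddr>\S+)\s+(?P<rport>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

# Lines copied from the question (local address redacted as in the post),
# plus one CONSTRUCTED outbound HTTPS connection to show the contrast.
SAMPLE_TCPVIEW = """\
System  4   TCP *********** http    60.191.0.244    64319   ESTABLISHED
System  4   TCP *********** http    101.200.47.16   8459    CLOSE_WAIT
System  4   TCP *********** http    191-19-83-33.user.vivozap.com.br    42496   CLOSE_WAIT
System  4   TCP *********** http    164.115.41.175  43486   CLOSE_WAIT
System  4   TCP *********** http    164.115.41.175  47442   CLOSE_WAIT
System  4   TCP *********** http    ec2-54-162-123-74.compute-1.amazonaws.com   45372   CLOSE_WAIT
svchost.exe  1234   TCP *********** 51234   example.com    https   ESTABLISHED
""".splitlines()


def parse_line(line):
    """Return a dict of the columns, or None for lines that are not connections."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_service_port(token):
    """A named port ('http') or a number below 1024 is a listening service port.
    TCPView only substitutes a name when the port is a registered service."""
    if token.isdigit():
        return int(token) < 1024
    return True


def direction(conn):
    """'inbound' if the local side holds the service port, 'outbound' if the
    remote side does, 'ambiguous' when both or neither do (e.g. server-to-server)."""
    local_svc = is_service_port(conn["lport"])
    remote_svc = is_service_port(conn["rport"])
    if local_svc and not remote_svc:
        return "inbound"
    if remote_svc and not local_svc:
        return "outbound"
    return "ambiguous"


def is_public(addr):
    """True unless addr is an IP literal in a private, loopback or link-local range.
    Reverse-DNS names (TCPView resolves peers) are assumed to be public hosts."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return True


def summarize(lines):
    """Aggregate a TCPView paste: direction counts, TCP states, busiest inbound
    peers, and the set of public addresses that reached a local service port."""
    conns = [c for c in map(parse_line, lines) if c]
    inbound = [c for c in conns if direction(c) == "inbound"]
    peers = Counter(c["raddr"] for c in inbound)
    return {
        "total": len(conns),
        "directions": dict(Counter(direction(c) for c in conns)),
        "states": dict(Counter(c["state"] for c in conns if c["state"])),
        "top_peers": peers.most_common(3),
        "public_inbound_peers": sorted(a for a in peers if is_public(a)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_TCPVIEW)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["public_inbound_peers"]:
        print("Public hosts reached a local service port: check the NAT/port-forward"
              " and UPnP mappings on the edge router.")
```

Run it against a saved TCPView export by replacing `SAMPLE_TCPVIEW` with the file's lines. A pile of `CLOSE_WAIT` entries on the service port is a further hint of inbound traffic: it is the server-side state left behind when remote clients close first and the local listener has not yet closed its socket.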