Map Services to HTTPS transactions

  • Question

  • We are seeing odd traffic out of a Windows 2008 server. There are many unknown http and https transactions. Plus there are quite a few UDP calls out to various internet hosts. We are viewing this through a firewall traffic log, not a packet sniffer. There are no users logging in; it is not a real person generating the traffic.

    The server runs a single application. We've checked with that application's support and they don't use https, http or any of the other UDP traffic. We've reviewed the firewall logs with them. Their suspicion is that this is a virus, possibly related to amazonaws, a known piece of malware.

    We've run several different pieces of anti-malware; none finds anything.

    Where we are at now is that we're trying to figure out what application or services are calling up these http and https transactions.

    A cyber security company recommended the TechNet link technetbb897437.

    We tried it but we aren't any closer to sorting this out.

    Is there some other sort of Microsoft tool that could help us with that?

    Any help?

    thanks!


    Tuesday, February 17, 2015 6:37 PM

Answers

  • Hi,

    To display which process ID is using a certain TCP/UDP port, you can run "netstat -noa" at the command prompt. Then you can run "tasklist | findstr <ProcessID>" to get which service/program is running that process ID.

    In addition, I recommend you to use network monitor to capture packets for better analysis.

    Best regards,

    Susie


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 19, 2015 7:25 AM
    Moderator
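The netstat/tasklist procedure from the answer above, carried through as one PowerShell script (an added example, not part of the original thread): it parses "netstat -ano", keeps TCP connections whose remote port is 80 or 443 (an assumption for "HTTP/HTTPS"; adjust the list), and joins each PID to its image path and to any Windows services hosted in that process. It uses only netstat, Get-Process and WMI so it runs on Windows Server 2008 with PowerShell 2.0, where Get-NetTCPConnection does not exist; run it from an elevated prompt so process paths are readable.

```powershell
# Added example: map outbound HTTP/HTTPS connections to process and service.
# Assumption: remote ports 80/443 are the HTTP/HTTPS traffic seen in the firewall log.
$watchPorts = @(80, 443)

# PID -> service name(s). Several services can share one svchost.exe, so
# a PID alone does not identify the service; this table resolves that.
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

# Parse netstat -ano. Rows look like:
#   TCP    10.0.0.5:49712    203.0.113.10:443    ESTABLISHED    1234
#   UDP    0.0.0.0:123       *:*                                 800
# UDP rows have no State column, so the PID is always taken as the last field.
$rows = netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f.Count -ge 4 -and $f[0] -match '^(TCP|UDP)$') {
        $remote = $f[2]
        $rport  = if ($remote -match ':(\d+)$') { [int]$matches[1] } else { $null }
        New-Object PSObject -Property @{
            Proto      = $f[0]
            Remote     = $remote
            RemotePort = $rport
            State      = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
            PID        = [int]$f[-1]
        }
    }
}

# Join the matching connections to the owning process and hosted services.
$rows |
    Where-Object { $_.Proto -eq 'TCP' -and $watchPorts -contains $_.RemotePort } |
    ForEach-Object {
        $p = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            PID      = $_.PID
            Image    = if ($p) { $p.ProcessName } else { '<exited>' }
            Path     = if ($p) { $p.Path } else { '' }
            Services = ($svcByPid[$_.PID] -join ',')
            Remote   = $_.Remote
            State    = $_.State
        }
    } | Sort-Object PID | Format-Table PID, Image, Services, Remote, State, Path -AutoSize
```

Short-lived connections close before a single netstat run catches them, so loop the script or run it alongside a packet capture when the firewall log shows only brief transactions; the UDP rows in $rows carry a PID as well and can be filtered the same way.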