Server 2008r2 help.

Karandras ([H]ard|Gawd, joined Feb 16, 2001, 1,873 messages)
Hey,

So found that one of our Server 2008r2 machines was infected with Malware due to the AV being turned off (still investigating that). Got the MS offline virus scanner and it cleaned up the few infected files. Rebooted, scanned again nothing left.

This machine is now unable to browse to any HTTPS site. It can still serve HTTPS no problem and it can access/serve HTTP sites no problem. It's a plesk windows server with IIS.

Here are a couple things that I've tried to do to fix this issue:
-I downloaded TCPING and that confirmed that it cannot ping out on 443 but can on all the other ports I tried.
-Wireshark shows no 443 traffic at all on either NIC while running a TCPING (This has two NICs, one for internal and one external traffic)
-Added a rule to the Windows firewall to allow all 443 out, no change.
-Totally disabled the Windows firewall, no change.
-Disabled/Removed the AV from the system, no change.
-Reset the TCP/IP stack, no change.
-Removed and re-added the NICs (including drivers), no change.
-Took the Kaspersky TDSSKiller, nothing found.
-Got TCPView, it shows that when TCPING or any other program attempts to connect to any HTTPS site it only gets the SYN_SENT. That just times out, no ACKs or ESTABLISHED.

How can I find what is grabbing all the 443 traffic before it even hits the NIC?

I really appreciate any help in this matter from the [H] community!
 
Hi,

No, the external interface is a direct connection with a static IP.
Plus Wireshark doesn't even see the HTTPS connection attempt on either NIC, only TCPView sees the attempt.

:-/
 
If this is a production server, it NEEDS to be rebuilt. You do not trust some automated virus tool to clean up a compromise. Disabling AV also does not cause a compromise; it may fail to alert you of a compromise, but it does not cause a compromise.

That said it could be many things, verifying the authenticode signatures of the entire Windows folder would be a start. Especially as old as 2k8r2 it could still have any number of undetected rootkits installed. Rebuild.

Also 2k8r2 is essentially EoL and extended support is nearly over. Give 2016 a try, it needs to be upgraded anyway. Rebuild.
 
tazeat,

We are in the process of building a new production IIS server and I definitely agree with you there. Just hoping to get this band-aided until I can get the other server operational. :-/ And yes, definitely 2016 ;-) Our whole hosting platform is being rejigged.
 
Could you please run a command as admin:

netsh int portproxy show all

If it returns a blank line, that's good. Nothing should normally be listed unless you put it there administratively.

Next, I would disable IPv6 on the NIC.

Generally I agree that a reload is in order because you never know when traces are still dormant on the system. It could very well be listening on port 443. I would also run a route print -4 just to look for anything wiggy. Is the connection proxy disabled in inetcpl.cpl -> connections tab -> LAN settings? Try also running netstat -ab and see if anything is using that port. Do the IIS services have any trouble starting?

Also, what browser are you using? Tried any others?
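As an added example (not code from this thread or from any poster), the checks suggested above collected into one PowerShell triage script for the affected host: portproxy table, Winsock catalog, IPv4 routes, WinINET/WinHTTP proxy settings, sockets on 443, a dump of Windows Filtering Platform filters (a filter blocking remote port 443 would match the "SYN_SENT but nothing on the wire" symptom), and a raw TCP connect to 443 with a timeout that bypasses any browser. It assumes PowerShell 2.0 or later run as Administrator on the 2008 R2 box; `$Target` and the XML file name are placeholders, and the `<uint16>443</uint16>` pattern is an assumption about how the WFP XML export encodes port conditions.

```powershell
# Added triage script for the "nothing can reach HTTPS" symptom; not from the thread.
# Assumes PowerShell 2.0+ run as Administrator; $Target is a placeholder hostname.
$Target = 'example.com'

function Show-Check([string]$Title, [scriptblock]$Cmd) {
    Write-Host "=== $Title ==="
    & $Cmd 2>&1 | Out-String | Write-Host
}

# 1. Port-proxy redirections: should print nothing unless an admin created them
Show-Check 'netsh portproxy' { netsh interface portproxy show all }

# 2. Winsock catalog: a rogue LSP can intercept connect() before packets reach the NIC
Show-Check 'Winsock catalog' { netsh winsock show catalog | Select-String 'Description|Provider Path' }

# 3. IPv4 routing table, as suggested in the thread
Show-Check 'IPv4 routes' { route print -4 }

# 4. Proxy settings for the current user (WinINET) and for services (WinHTTP)
Show-Check 'WinINET proxy' {
    Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}
Show-Check 'WinHTTP proxy' { netsh winhttp show proxy }

# 5. Sockets touching 443 with owning PID (cross-check PIDs with Get-Process)
Show-Check 'netstat :443' { netstat -ano | Select-String ':443' }

# 6. Windows Filtering Platform filters: a block filter on remote port 443 would
#    explain SYN_SENT with no packets on the wire. Dump to XML and count hits.
#    (Assumption: port conditions appear as <uint16>443</uint16> in the export.)
netsh wfp show filters file=wfpfilters.xml | Out-Null
$hits = @(Select-String -Path .\wfpfilters.xml -Pattern '<uint16>443</uint16>').Count
Write-Host "WFP filter conditions mentioning port 443: $hits (review wfpfilters.xml)"

# 7. Raw TCP connect to 443 with a timeout, independent of any browser or proxy.
#    Returns $true only if the handshake completes; refused or timed out is $false.
function Test-Tcp443([string]$HostName, [int]$TimeoutMs = 5000) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($HostName, 443, $null, $null)
    $ok = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
    if ($ok) { try { $client.EndConnect($ar) } catch { $ok = $false } }
    $client.Close()
    return $ok
}
if (Test-Tcp443 $Target) { Write-Host "TCP 443 to ${Target}: connected" }
else { Write-Host "TCP 443 to ${Target}: failed (refused or stuck in SYN_SENT)" }
```

Anything non-empty in the portproxy table, an unfamiliar Winsock provider, or a WFP filter that names port 443 points at what is eating the traffic; compare the Winsock and WFP output against a clean 2008 R2 build rather than trusting the infected host's own listing.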
 
PliotronX,
Thanks for the info.
netsh int portproxy show all --> <blank>

Yay.
No weird routes that I can see in there. I'll try to disable IPV6 tonight and see if that helps.

Yes, I've tried Chrome and IE, both with the same results. That's why I tried the TCPING to make sure that it wasn't just a browser or a proxy issue, unfortunately it's more than just a simple proxy setting...
 