Strange network addresses on Resource Monitor

I'm running Server 2012 R2.

When I look at the Network tab in the Resource Monitor, I see strange network addresses which last for a few seconds and then disappear.

The server is used as a database server and should only be connected to from Australian addresses. I can see many addresses from .ru, .tr, .fr, etc.

All these connections are being used by PID 4, the System image.

I have run a scan with Malwarebytes which picked up zero issues.

  1. Is there a way to see which System process is using these connections?
  2. Is this some type of worm and if so, how can I locate it?

I've attached an image of the kind of addresses that I'm seeing.

[image: Network]


I cannot answer your question 1. As for your question 2, it is probably not a worm on your server if the connections are all incoming.

HOWEVER

Random people from the Internet should not be allowed to open any kind of connection to your database server. Your firewall should allow incoming access to

  1. the port for your administrative connections, hopefully identified by your static source IP address if you have one

  2. the port for the service you are providing, which is hopefully not a database directly but some web interface, Apache or IIS for example, maybe running on a different machine.

This means that you will not need to wonder what those addresses are connecting to, because there will only be two possibilities.

Another possibility is that the connections are outgoing. If so, best case is that they are DNS lookups that your server does to identify incoming connections (that would explain why the connections are being used by the system image). Worst case, of course, is something like "your server is totally compromised, your data has been exported to someone else and you will lose access to it or it will be modified in ways you will not like, and your server is being used for illegal purposes that will earn you a visit from the police" -- hopefully this isn't the case! Checking that you have up-to-date backups is always good.

If you still see these connections after restricting incoming connections to the specifically authorized ones, then you should dump the network packets using a packet sniffer in order to see what the packets are, and if that doesn't answer your questions then at least you will have a lot more data for your next question.

This may not be the answer you were looking for, but since nobody else has taken you up on this in two days, I'm giving you what I can.

TL;DR: You need a firewall.


1 - Yes, there is: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

2 - Impossible to say without more details.

There are a lot of worms, scanners, search engines, idiots and other connection initiating mechanisms on the internet. There is no way to know with that not so great amount of information.
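A PowerShell check that covers both threads above (seeing which kernel component behind PID 4 owns the connections, and restricting inbound traffic to the authorised sources the first answer describes), added here as an example that is not from either answer or from Microsoft. It assumes the NetTCPIP and NetSecurity modules shipped with Server 2012 R2, an elevated session, and placeholder values for the admin source IP, database port and log path.

```powershell
# Added example, not part of the original answers. Assumes Server 2012 R2 (PowerShell 4.0)
# with the built-in NetTCPIP / NetSecurity modules, run from an elevated prompt.

# 1) Connections owned by PID 4. The System process hosts kernel-mode listeners such as
#    SMB (445) and HTTP.sys (80/443), so the *local* port tells you which kernel component
#    is talking; a user-mode process would show its own PID instead.
$localOnly = @('0.0.0.0', '::', '127.0.0.1', '::1')
Get-NetTCPConnection |
    Where-Object { $_.OwningProcess -eq 4 -and $_.State -ne 'Listen' -and
                   $localOnly -notcontains $_.RemoteAddress } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Sort-Object LocalPort |
    Format-Table -AutoSize

# 2) The question says the connections vanish after a few seconds, so sample repeatedly
#    and keep a CSV for later review (path is an assumed placeholder).
$log = 'C:\Temp\pid4-connections.csv'
1..30 | ForEach-Object {
    Get-NetTCPConnection |
        Where-Object { $_.OwningProcess -eq 4 -and $_.State -ne 'Listen' } |
        Select-Object @{ n = 'Time'; e = { Get-Date -Format o } },
                      LocalPort, RemoteAddress, RemotePort, State |
        Export-Csv -Path $log -Append -NoTypeInformation
    Start-Sleep -Seconds 2
}

# 3) Firewall: only the admin port (from a fixed source) and the service port stay open.
#    Placeholder values; 203.0.113.10 is a documentation-range address, 1433 the SQL default.
$AdminSource = '203.0.113.10'
$DbPort      = 1433

# Add the allow rules first, so the remote session used to run this is not cut off.
New-NetFirewallRule -DisplayName 'DB admin from static IP' -Direction Inbound `
    -Protocol TCP -LocalPort $DbPort -RemoteAddress $AdminSource -Action Allow
New-NetFirewallRule -DisplayName 'Web front end (if hosted here)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# Then make sure the firewall is on and drops anything without an explicit allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 4) Review what is still reachable from the outside.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

If step 1 shows PID 4 connections on local port 445 from foreign addresses, that is SMB exposed to the internet rather than the database, which the firewall step closes without touching the database service itself.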