Wednesday, November 28, 2007

Ektron Security Vulnerability

I came into the office this morning to find a voice mail and 5 emails from our security officer wanting to know why one of my webservers was sending information to an IP address in Germany. So after a cup of coffee and scratching my head for a few minutes we tracked things down.

Starting off with a Reverse DNS Lookup:
217.160.242.233 resolves to
"u15193991.onlinehome-server.com"
Top Level Domain: "onlinehome-server.com"
So looking into the DNS records we got a little more information:
Registrar: SCHLUND+PARTNER AG (explains the Germany connection)
registrant-organization: 1&1 Internet Inc. of Chesterbrook PA

A quick check around the office and no one had any knowledge of us having any dealings with any company in PA.

Using netstat and knowing the IP address (217.160.242.233) we found the following entry. Note that this is VERY intermittent and I ended up running the command for a good 5 minutes before I noticed the IP address:

With the processid we were able to find the offending process (Ektron.ASM.EktronServices20.exe) in the Windows Server process list:

Time for a call to Ektron's customer support number:

After about 30 minutes getting a net meeting set up and recreating the issue we found out that Ektron.ASM.EktronServices20.exe is a legitimate process and that one (of we're not sure yet how many) things it does is to convert MS Word documents to PDFs.

You see why this might be a very BAD thing, right? You know, considering that there isn't a confidentiality agreement with the 'free' service provider, that all communications are in the clear, and that we don't yet know everything that the process does... But don't worry, Ektron will get back to me with a well documented list >not holding my breath<

The PDF conversion service can be 'turned off' by changing the Enabled attribute in a configuration file located in the C:\Program Files\Ektron\EktronWindowsService20 directory to FALSE:

<EktronServiceConfiguration defaultService="ManageContent">
  <serviceProviders>
    <!-- Enabled="true" is the shipped setting; set it to false to stop the outbound PDF conversion -->
    <add name="PdfFileRead" type="Ektron.ASM.EktronServices.PdfFileManagerRead.PdfFileManagerReadService, Ektron.ASM.EktronServices20" IntervalSeconds="101" Enabled="true" />
  </serviceProviders>
</EktronServiceConfiguration>

It appears that the Ektron service needs to be restarted for the changes to take effect.
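For anyone who wants to repeat the two steps above without sitting on netstat for five minutes, here is an added PowerShell script (my own example, not Ektron's code). It polls netstat -ano for the German IP and maps each hit to its owning process, then flips the PdfFileRead provider's Enabled attribute to false and restarts the service; the config file name and the Windows service name are placeholders, since the post only gives the directory.

```powershell
# Added example, not from Ektron or the original post.
# Placeholders (assumptions): the config file name and the service name.
$RemoteIp    = '217.160.242.233'
$ConfigPath  = 'C:\Program Files\Ektron\EktronWindowsService20\<config-file>.config'  # placeholder file name
$ServiceName = '<EktronServiceName>'   # placeholder; confirm with Get-Service

# Step 1: poll netstat, because the connection is intermittent, and record
# which process owns any connection to the remote IP.
function Watch-RemoteConnection {
    param([string]$Ip, [int]$Seconds = 300)
    $deadline = (Get-Date).AddSeconds($Seconds)
    $seen = @{}
    while ((Get-Date) -lt $deadline) {
        netstat -ano | ForEach-Object {
            $f = ($_ -replace '^\s+', '') -split '\s+'
            # TCP rows: Proto LocalAddr ForeignAddr State PID
            if ($f[0] -eq 'TCP' -and $f[2] -like "${Ip}:*") {
                $procId = [int]$f[4]
                if (-not $seen.ContainsKey($procId)) {
                    $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
                    $seen[$procId] = if ($p) { $p.Path } else { '<process exited>' }
                    '{0} {1} -> {2} PID {3} ({4})' -f (Get-Date -Format s), $f[1], $f[2], $procId, $seen[$procId]
                }
            }
        }
        Start-Sleep -Seconds 2
    }
}

# Step 2: disable only the PdfFileRead provider, leaving the other providers as they are.
function Disable-PdfProvider {
    param([string]$Path)
    $xml  = [xml](Get-Content -Path $Path -Raw)
    $node = $xml.SelectSingleNode("//serviceProviders/add[@name='PdfFileRead']")
    if (-not $node) { throw "PdfFileRead provider not found in $Path" }
    Copy-Item -Path $Path -Destination "$Path.bak"   # keep a copy before editing
    $node.SetAttribute('Enabled', 'false')
    $xml.Save($Path)
}

Watch-RemoteConnection -Ip $RemoteIp -Seconds 300
Disable-PdfProvider -Path $ConfigPath
Restart-Service -Name $ServiceName   # the change only takes effect after a restart
```

Run the watch step again after the restart; if the IP no longer shows up, the PdfFileRead provider was the only thing talking to it.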
