* IIS7, Windows Server 2008 R2.
* Approximately 50 sites, each one has its own process and logging.
* PRTG (Free) is installed and set up to monitor traffic and activity; notifications are emailed when odd activity is found.
* Sites are set up using Microsoft's WSP (Web Server Panel) and I am the only one with access to that CP.

Aside from the automated monitoring, I also run manual daily routines to make sure everything looks fine.

The Problem:
Saturday Feb 28th I noticed a problem that started on the 27th. My network traffic was much higher than normal - about three times higher for a typical day. Over the next few days I have monitored PRTG and noticed that once a day (but not at the same time each day) for about 4 hours I have a huge spike in WWW network traffic. WWW in PRTG monitors port 80 and port 443.
When viewing PRTG reports, normal WWW traffic averages 5MB - 10MB traffic every 5 minutes during regular hours.
During a problem period, WWW traffic averages 100MB - 125MB every 5 minutes.
A data usage report from WSP indicates that NO SITE is using an abnormal amount of network resources.
When viewing the task monitor in Windows: under normal conditions, network traffic measures UNDER 1% sustained and peaks for moments, yet when viewing network traffic during a problem period, it sustains at 5% and peaks much higher. This is on a 100Mbps connection.
TESTS
1: A server reboot appears to stop the traffic and it does not return until its next cycle.
2: Stopping IIS7 stops the traffic, but when restarting IIS7 right away the traffic resumes.
3: Even manually stopping EVERY SITE on the server, the network traffic still exists.
Based on that - the HTTP traffic exists through IIS7, but not through a particular website. This puzzles me. It's as though someone may be using IIS7 as a proxy, but I don't recall setting it up as such, nor do I know if it's even possible.
Any suggestions on what to look for?
Also: PRTG allows me to see network usage, but it does not show the IPs accessing, or what they are specifically accessing. Is there anything built into the server that allows this? Kindly keep in mind ... it's Server/IIS access I want to see since the sites' log files do not show anything abnormal.