Channel: Directory Services forum

Lsass.exe sending excessive data outside the local network


Just this morning I noticed a huge lag on my internet connection at my work network. After rebooting the modem with no help, I investigated the server.

lsass.exe was sending massive data outbound only. Upwards of 8Mb/second. To different IP addresses; one resolved back to france.protection-ddos.com.

I have not had any server setting changes in months. I haven't even logged on to the server in months; it's been doing its job as it should with no interference, until this.

I updated my virus database and am doing a full scan now. To update my virus database I tethered my phone to the server for an internet connection. The lsass data did not start on this connection, only on the LAN to cable modem connection. The scan is going to take hours, so I am leaving my network off the internet for the night and hoping the scanner finds something upon my return in the morning.

Obviously I can't kill lsass, so I have isolated the network temporarily. I'm assuming I've been compromised somehow.

I don't know why/how lsass is sending such a large amount of data out of the network. Everything I googled is more talking about lsass.exe using a lot of CPU; mine is not, only outgoing network. And yes, it is LSASS.EXE, same PID as the one doing the network authenticating.

Any input would be appreciated.

Stats:

Windows Server 2012 Essentials; all 5 work stations are Windows 7.

