Strange traffic from Exchange Server - is this a virus/trojan or normal Exchange traffic?

My XP personal firewall log shows some strange entries from an
Exchange Server outside of my control.

I have read http://www.petri.co.il/ports_used_by_exchange.htm
but cannot find anything that can account for this traffic pattern.

Basically, it seems to hit an increasing number of ports between
10,000 and 65,000, then start over again. Takes a few days to
go through the whole range. Small sample below.

Source port is an increasing range. Destination ports are - among
others - 1108, 1518, 1091, 1082, 1088, 1067, 1191, 1306, etc.

Mind you, this is from within a corporate firewall.

Is this normal, and if so, what service could be causing it?

???

TIA,

Joergen Bech



---snip--- (source/dest addresses changed to protect the
innocent/guilty):
---snip---
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port
size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
---snip---
2005-03-04 13:24:03 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15404 1306 36 - - - - - - - RECEIVE
2005-03-04 13:24:03 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15453 1306 36 - - - - - - - RECEIVE
2005-03-04 13:25:04 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15569 1306 36 - - - - - - - RECEIVE
2005-03-04 13:25:04 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15618 1306 36 - - - - - - - RECEIVE
2005-03-04 13:26:05 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15793 1306 36 - - - - - - - RECEIVE
2005-03-04 13:26:05 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15841 1306 36 - - - - - - - RECEIVE
2005-03-04 13:27:06 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15932 1306 36 - - - - - - - RECEIVE
2005-03-04 13:27:06 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 15980 1306 36 - - - - - - - RECEIVE
2005-03-04 13:28:07 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16066 1306 36 - - - - - - - RECEIVE
2005-03-04 13:28:07 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16114 1306 36 - - - - - - - RECEIVE
2005-03-04 13:29:08 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16200 1306 36 - - - - - - - RECEIVE
2005-03-04 13:29:08 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16248 1306 36 - - - - - - - RECEIVE
2005-03-04 13:30:09 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16356 1306 36 - - - - - - - RECEIVE
2005-03-04 13:30:09 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16406 1306 36 - - - - - - - RECEIVE
2005-03-04 13:31:10 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16502 1306 36 - - - - - - - RECEIVE
2005-03-04 13:31:10 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16551 1306 36 - - - - - - - RECEIVE
2005-03-04 13:32:11 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16638 1306 36 - - - - - - - RECEIVE
2005-03-04 13:32:11 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16687 1306 36 - - - - - - - RECEIVE
2005-03-04 13:33:12 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16792 1306 36 - - - - - - - RECEIVE
2005-03-04 13:33:12 DROP UDP <src>.<src>.<src>.<src>
<dst>.<dst>.<dst>.<dst> 16840 1306 36 - - - - - - - RECEIVE


0
Joergen
3/4/2005 1:21:29 PM
exchange.admin

3 Replies
280 Views
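To triage a log like the one above without guessing, it helps to parse the Windows Firewall log by its own `#Fields:` header and let the data answer the question the post raises: does one source walk upward through the ephemeral source-port range, which destination ports does it hit, and are the packet sizes constant? The following Python script is an added example (not code from the thread or from any of the tools mentioned in it); the log lines in `SAMPLE_LOG` are constructed to mirror the poster's excerpt with placeholder private addresses, plus one unrelated single DNS drop to show what does not get flagged. The thresholds `min_packets` and `min_span` are assumptions to tune for your own environment.

```python
"""Parse a Windows Firewall log (W3C-style '#Fields:' header) and flag
source hosts whose dropped UDP packets walk upward through the source-port
range while hitting a small set of destination ports.

Added example, not from the thread. SAMPLE_LOG is constructed: the entries
are modelled on the poster's excerpt, the addresses are placeholders."""

from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-04 13:24:03 DROP UDP 10.0.0.5 10.0.0.77 15404 1306 36 - - - - - - - RECEIVE
2005-03-04 13:24:03 DROP UDP 10.0.0.5 10.0.0.77 15453 1306 36 - - - - - - - RECEIVE
2005-03-04 13:25:04 DROP UDP 10.0.0.5 10.0.0.77 15569 1306 36 - - - - - - - RECEIVE
2005-03-04 13:25:04 DROP UDP 10.0.0.5 10.0.0.77 15618 1306 36 - - - - - - - RECEIVE
2005-03-04 13:26:05 DROP UDP 10.0.0.5 10.0.0.77 15793 1108 36 - - - - - - - RECEIVE
2005-03-04 13:26:05 DROP UDP 10.0.0.5 10.0.0.77 15841 1518 36 - - - - - - - RECEIVE
2005-03-04 13:27:06 DROP UDP 10.0.0.9 10.0.0.77 53 1025 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the '#Fields:' line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields: directive matters for parsing; other
            # directives (#Version, #Software, #Time Format) are skipped.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        entry = dict(zip(fields, values))
        for key in ("src-port", "dst-port", "size"):
            entry[key] = int(entry[key]) if entry[key] != "-" else None
        entry["timestamp"] = datetime.strptime(
            entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        yield entry


def find_port_sweeps(entries, min_packets=4, min_span=100):
    """Group dropped UDP entries by source IP and report every source whose
    source ports are strictly increasing in time order and span at least
    min_span ports (thresholds are assumptions, tune them locally).
    Returns {src-ip: summary}."""
    by_src = defaultdict(list)
    for e in entries:
        if e["action"] == "DROP" and e["protocol"] == "UDP":
            by_src[e["src-ip"]].append(e)
    report = {}
    for src, items in by_src.items():
        items.sort(key=lambda e: (e["timestamp"], e["src-port"]))
        ports = [e["src-port"] for e in items]
        if len(ports) < min_packets:
            continue
        increasing = all(a < b for a, b in zip(ports, ports[1:]))
        span = ports[-1] - ports[0]
        if increasing and span >= min_span:
            report[src] = {
                "packets": len(items),
                "src_port_range": (ports[0], ports[-1]),
                "dst_ports": sorted({e["dst-port"] for e in items}),
                "sizes": sorted({e["size"] for e in items}),
                "first_seen": items[0]["timestamp"],
                "last_seen": items[-1]["timestamp"],
            }
    return report


if __name__ == "__main__":
    for src, info in find_port_sweeps(parse_firewall_log(SAMPLE_LOG)).items():
        print(src, info)
```

Run it against your own `pfirewall.log` by replacing `SAMPLE_LOG` with the file's contents. The summary gives you the source host, the source-port range it has covered so far, and the destination ports and sizes involved, which is exactly what you need in hand when you then go to the Exchange box and match the traffic to a running process with a sniffer or with Task Manager, as the replies suggest.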


You can either use the ETHEREAL network sniffer or some of the utilities (like
TDIMON) from www.sysinternals.com to find out what is going on. Also use the
Task Manager to check what processes are running.


0
kpalagin (1838)
3/4/2005 2:39:16 PM
Please use Ultra Network Sniffer from
http://www.gjpsoft.com/UltraNetSniffer/ to check your network.

0
3/13/2005 2:21:23 PM
Joergen,

Did you ever figure this out? We're having almost the exact same
symptoms. I SPAN'ed our Xchange Srvr port and ran Ethereal to capture
the data, but it basically told us what we knew .. that we have high
numbered xchange ports talking to random hosts we don't control
(although the same ones appear over and over) on the udp ports you
mentioned below. The data payload consists of 8 bytes with a consistent
Hex value of 90 28 90 02 cb 44 f9 77.

Anybody?

thanks - jaso

--
jevansau99
-----------------------------------------------------------------------
jevansau99's Profile: http://www.msusenet.com/member.php?userid=82
View this thread: http://www.msusenet.com/t-216718

0
4/28/2005 8:54:22 PM