ono -> Lots of connections on port 25 (8.Mar.2007 8:13:15 AM)

I'm experiencing a lot of connection requests from my host's high ports to the same computer's port 25 (Exchange is listening there). My guess is that I've got myself a worm - has anyone encountered this? How can I figure out which one it is and how to remove it?


jassyca -> RE: Lots of connections on port 25 (20.Mar.2007 2:14:16 PM)

Did you ever find an answer for this problem? If not.. I want to make sure I've got this right. You are seeing a lot of connections from your server to its own port 25, yes? What tool did you use to see that? Also, do you have any antivirus software installed on your server? Since this is an Exchange server, I do want to mention that sometimes the AV that protects your users' mailboxes will not also protect the server itself from local attacks. Those are two different things, you see. So an AV scanner has two completely different types of things to scan or protect: mailboxes vs. local server. I know some admins won't install a local AV because it can cause problems for Exchange if the AV tries to scan the MDBData directory(ies). But that can mean their mailboxes are protected yet the server is unprotected. Instead, to avoid problems, I believe most antivirus scanners have options so you can configure it such that it will not scan your Exchange data directories (MDBData), and you also don't want it scanning the server's M: drive.

If your server is truly infected, you've got two options: 1 - scan the server with an antivirus scanner (with the scanner configured so it skips the above mentioned drives and directories) or, 2 - wipe the server and restore from backup. It's a heckuva lot easier to scan it with an AV than it is to restore the server from backup. Besides, unless you're exceedingly lucky and know exactly when it became infected, you don't know whether the backup is clean or infected too. And what's to stop a worm from immediately re-infecting your server two minutes after you're done with the restore, eh?

Once you've got your Exchange server running clean, the next thing you ought to start thinking about is: how did it become infected? Do you need to take a second look at your firewall rules? Did something sneak in that way? Or could there be a computer inside your network that brought the infection in? For instance, a laptop. Or maybe it got in through a desktop computer because someone using that desktop downloaded and installed something "cool" they found on the internet, not knowing it was infected.

Let us know what you find.

ono -> RE: Lots of connections on port 25 (3.Apr.2007 2:31:11 PM)

Yes, that is right; I've used TCPView to figure out the problem - I became aware of it when the system stopped responding for short periods of time (logging in locally sometimes took up to 5 minutes).

At that moment the server ran no firewall and no AV. I've installed Symantec Antivirus shortly after, scanned the system and nothing - I've also dug up some worm scanner tools and tried them - but the system was reported clean. Afterwards I've also bought ISA Server and everything is working as before now.

I couldn't figure out what happened there - but things got better without backing up.

10x for the reply - if there's anything interesting in this I'll gladly help you with the details, otherwise if everything works fine I consider the topic closed.

PS: There are no intrusion signs on the system or on the local network

jassyca -> RE: Lots of connections on port 25 (3.Apr.2007 3:37:08 PM)

Drat.. too bad scanning with an antivirus and all the rest did not find the culprit. A part of me wonders if something was trying to do a Denial of Service on your Exchange server. Lots and lots of junky connects to port 25 is awfully suspicious. For instance, suppose this is a bad guy and he connects to your server, acting like a mail server with a message for you, then never does anything more. There's a connection wasted, with your server waiting waiting waiting. But he could connect again.. and again and again. Until he uses up all of the available connections for your Exchange server and it's sitting there waiting for responses that will never come. Meantime, legit servers can't connect because your server doesn't have any connections that aren't "in use". (That's what "denial of service" means. It can't provide the requested service because of some type of problem.)

I also wonder if Mr. Bad Guy might've been spoofing your server's IP so the poor thing thinks it's waiting for a response from "itself" when that really wasn't true.

You see what I'm saying?

If that's the case, I suppose the next question is why? Why pick on your server? Although I've a vague memory that Microsoft released a couple of hotfixes after the last Exchange service pack that were supposed to take care of an issue if someone tries to deliberately crash part of Exchange with specifically badly formatted packet(s). Or something like that.. hmm..

Glad you have ISA Server now to protect your poor Exchange server. There's a lot of good help available over at isaserver.org message boards.
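The two observations in this thread, ono's TCPView view of many high-port connections to the server's own port 25 and jassyca's description of connection exhaustion on an SMTP listener, can both be checked from a connection-table snapshot. The script below is an added example written for this thread, not code from either poster: it parses the text format of Windows `netstat -ano` (Proto, Local Address, Foreign Address, State, PID), counts connections to the SMTP port per remote source and per TCP state, and flags a source holding an unusual number of sessions and a pile of half-open (SYN_RECEIVED) entries, which is what a flood with spoofed source addresses looks like from the server side because the handshake never completes. The sample snapshot, the addresses, the PIDs and the thresholds are all constructed for illustration; the tool name `smtp_conn_check` is hypothetical.

```python
"""smtp_conn_check: summarise a netstat-style snapshot for an SMTP listener.

Added example for this thread; not code from the original posts. Assumes the
Windows `netstat -ano` text layout. All sample data below is constructed.
"""
from collections import Counter

SMTP_PORT = 25


def build_sample_snapshot() -> str:
    """Constructed `netstat -ano` output: a few normal peers, 30 idle sessions
    from the server's own address (the pattern seen in TCPView in the thread)
    and 60 half-open sessions from one external address."""
    lines = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1234",
        "  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED     1234",
        "  TCP    192.0.2.10:25          198.51.100.8:52001     TIME_WAIT       0",
        "  TCP    192.0.2.10:3389        198.51.100.9:50110     ESTABLISHED     880",
    ]
    for i in range(30):  # server talking to its own port 25 from high ports
        lines.append(f"  TCP    192.0.2.10:25          192.0.2.10:{49152 + i}        ESTABLISHED     1234")
    for i in range(60):  # handshakes that never completed (spoofed-source pattern)
        lines.append(f"  TCP    192.0.2.10:25          203.0.113.5:{1024 + i}         SYN_RECEIVED    1234")
    return "\n".join(lines)


def parse_netstat(text: str) -> list:
    """Turn netstat rows into dicts; header/blank lines are skipped."""
    conns = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        proto, local, remote, state, pid = fields
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        conns.append({
            "proto": proto, "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip, "remote_port": int(remote_port),
            "state": state.upper(), "pid": int(pid),
        })
    return conns


def summarize_smtp(conns: list, port: int = SMTP_PORT) -> dict:
    """Count non-listening sessions on the SMTP port by source and by state."""
    by_source, by_state = Counter(), Counter()
    for c in conns:
        if c["local_port"] != port or c["state"] == "LISTENING":
            continue
        by_source[c["remote_ip"]] += 1
        by_state[c["state"]] += 1
    return {
        "total": sum(by_state.values()),
        "by_source": by_source,
        "by_state": by_state,
        "half_open": by_state["SYN_RECEIVED"],
    }


def flag_suspects(summary: dict, local_ip: str,
                  per_source_limit: int = 10, half_open_limit: int = 20) -> dict:
    """Apply simple thresholds (constructed values; tune to the server's normal load)."""
    heavy = []
    for ip, n in summary["by_source"].most_common():
        if n < per_source_limit:
            break
        kind = "server to itself (check the owning PID)" if ip == local_ip else "single remote source"
        heavy.append((ip, n, kind))
    return {
        "heavy_sources": heavy,
        "half_open_flood": summary["half_open"] >= half_open_limit,
    }


def main() -> None:
    conns = parse_netstat(build_sample_snapshot())
    summary = summarize_smtp(conns)
    flags = flag_suspects(summary, local_ip="192.0.2.10")
    print(f"SMTP sessions: {summary['total']}  by state: {dict(summary['by_state'])}")
    for ip, n, kind in flags["heavy_sources"]:
        print(f"  {ip}: {n} sessions ({kind})")
    if flags["half_open_flood"]:
        print(f"  {summary['half_open']} half-open sessions: handshakes not completing")


if __name__ == "__main__":
    main()
```

To run it against a live server, replace `build_sample_snapshot()` with the captured text of `netstat -ano`; the PID column then lets you confirm with Task Manager or TCPView whether the self-connections belong to Exchange's own transport or to an unexpected process, which is the distinction the thread never resolved.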

