Odd traffic generated from Exchange Server

From: Caruso, Anthony J. (acarusoat_private)
Date: Wed Oct 24 2001 - 09:53:09 PDT

Next message: Ryan Hill: "RE: Odd traffic generated from Exchange Server"

Previous message: Remco B. Brink: "Re: securitynewsportal.com hacked"
Next in thread: Ryan Hill: "RE: Odd traffic generated from Exchange Server"
Reply: Ryan Hill: "RE: Odd traffic generated from Exchange Server"
Reply: Portnoy, Gary: "RE: Odd traffic generated from Exchange Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi All:

Outbound ACLs on my router has started picking up traffic originating from
one of my Exchange boxes:

Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) ->
192.50.50.51(1046)

The source port is usually different and the destination port oscillates
between 1046 and 1171.  The traffic occurs about every 15 min in quick
bursts (incremental source ports), I am running a sniff now.

Any ideas?

Exchange 5.5 Sp3, NT 4.0SP6a no additional patches.  Internal RFC 1918
addressed Exchange server.

I am putting out an altogether different fire right now, but I will post
traces as I get more info.

Thanks.
-Tony

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Ryan Hill: "RE: Odd traffic generated from Exchange Server"
Previous message: Remco B. Brink: "Re: securitynewsportal.com hacked"
Next in thread: Ryan Hill: "RE: Odd traffic generated from Exchange Server"
Reply: Ryan Hill: "RE: Odd traffic generated from Exchange Server"
Reply: Portnoy, Gary: "RE: Odd traffic generated from Exchange Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 10:02:20 PDT