Security Incidents mailing list archives

Odd traffic generated from Exchange Server

From: "Caruso, Anthony J." <acaruso () fna com>
Date: Wed, 24 Oct 2001 11:53:09 -0500

Hi All:

Outbound ACLs on my router has started picking up traffic originating from
one of my Exchange boxes:

Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) ->
192.50.50.51(1046)

The source port is usually different and the destination port oscillates
between 1046 and 1171.  The traffic occurs about every 15 min in quick
bursts (incremental source ports), I am running a sniff now.

Any ideas?

Exchange 5.5 Sp3, NT 4.0SP6a no additional patches.  Internal RFC 1918
addressed Exchange server.

I am putting out an altogether different fire right now, but I will post
traces as I get more info.

Thanks.
-Tony

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Odd traffic generated from Exchange Server Caruso, Anthony J. (Oct 24)
- <Possible follow-ups>
- RE: Odd traffic generated from Exchange Server Ryan Hill (Oct 24)
- RE: Odd traffic generated from Exchange Server Portnoy, Gary (Oct 24)