Networking Forums

Unexpected mail from NT4 to firewall?

 
 
Not Really Me
01-19-2004, 11:03 PM
I hope someone still answers NT4 server questions here. Please let me know
if there is a better place to post this.

I am running an old NT4 SP6 installation, with ExchSvr 5.5.

For some unknown reason something starts trying to send network traffic
(mail?) from the server's (192.168.55.6) port 25 to some apparently arbitrary
port on my firewall (192.168.55.199). After a reboot of the server I start
seeing syslog entries from the firewall saying that it is blocking this
connection attempt. The server is running the latest version of Symantec
AV. Otherwise I might think this is a virus of some sort. Between noon
Saturday and 9am Monday, the system generated 26,000 of these messages.

How can I go about finding out what task/program is generating this traffic?


Scott
ExoTech R&D, Inc.



 
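As an added example (not part of the original thread), here is how one might reduce 26,000 firewall syslog entries like the ones described above to a per-flow summary before chasing processes on the server: for each (source, source port, destination) it counts the blocked attempts, the time span and rate, the distinct destination ports, and whether the port pattern is that of a server answering connections or of a client connecting out. The record format, the hostname `fw`, the `DENY` keyword and the sample lines are all constructed for the example and are not the poster's logs; the regex is the part to adapt to the real firewall's syslog layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not the original poster's firewall syslog):
# a syslog-style block record carrying source and destination IP:port.
SAMPLE_SYSLOG = """\
Jan 19 12:00:01 fw kernel: DENY TCP 192.168.55.6:25 -> 192.168.55.199:3412
Jan 19 12:00:04 fw kernel: DENY TCP 192.168.55.6:25 -> 192.168.55.199:3412
Jan 19 12:00:11 fw kernel: DENY TCP 192.168.55.6:25 -> 192.168.55.199:3413
Jan 19 12:00:25 fw kernel: DENY TCP 192.168.55.6:25 -> 192.168.55.199:3415
Jan 19 12:00:30 fw sshd[412]: Accepted password for admin from 192.168.55.10
Jan 19 12:01:02 fw kernel: DENY TCP 192.168.55.6:25 -> 192.168.55.199:3418
Jan 19 12:05:41 fw kernel: DENY TCP 192.168.55.20:1033 -> 192.168.55.199:25
"""

# Assumed record layout; change this pattern to match the real firewall's log lines.
DENY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"kernel: DENY (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_deny_lines(text, year=2004):
    """Return one dict per firewall DENY record; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue  # e.g. the sshd line above
        # BSD syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "proto": m["proto"], "src": m["src"],
                       "sport": int(m["sport"]), "dst": m["dst"],
                       "dport": int(m["dport"])})
    return events


def classify_shape(sport, dports):
    """Describe a flow from its port numbers alone.

    Packets whose *source* port is a well-known service port (here 25) and whose
    destination ports are all ephemeral are the shape of a server answering
    connections that the destination host opened, not of a client connecting out.
    """
    if sport < 1024 and all(p >= 1024 for p in dports):
        return "service-port source, ephemeral destinations (reply-shaped)"
    if sport >= 1024 and len(dports) == 1 and dports[0] < 1024:
        return "client connecting to a service port"
    return "other"


def summarize_flows(events):
    """Group DENY records by (src, sport, dst) and summarize each group."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["sport"], e["dst"])].append(e)
    summary = {}
    for key, evs in groups.items():
        dports = sorted({e["dport"] for e in evs})
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        # Floor the span at one minute so a single record does not divide by zero.
        minutes = max((last - first).total_seconds() / 60.0, 1.0)
        summary[key] = {
            "count": len(evs),
            "distinct_dports": len(dports),
            "dport_min": dports[0],
            "dport_max": dports[-1],
            "first": first,
            "last": last,
            "per_minute": round(len(evs) / minutes, 2),
            "shape": classify_shape(key[1], dports),
        }
    return summary


if __name__ == "__main__":
    flows = summarize_flows(parse_deny_lines(SAMPLE_SYSLOG))
    for (src, sport, dst), s in flows.items():
        print(f"{src}:{sport} -> {dst}: {s['count']} blocks, "
              f"{s['distinct_dports']} destination ports "
              f"({s['dport_min']}-{s['dport_max']}), {s['per_minute']}/min, {s['shape']}")
```

Run against the real log, the interesting numbers are the rate after the reboot and whether the destination ports walk upward through the ephemeral range; a flow whose source is a service port and whose destinations are all ephemeral is worth comparing against the firewall host's own outbound connections to port 25 before assuming the server is the one initiating anything.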
Gino
01-20-2004, 01:06 AM
I like Active Ports. It runs in real time (you can adjust the refresh
rate) and shows Process Name, Process ID, Local IP and Port, Remote IP and
Port, Protocol, State, and the full path to the .exe. And you can kill the
process right from the UI (even if it is running under svchost.exe), it will
output the screen to a text file so you can create a record, and it's
freeware.
http://www.ntutility.com/freeware.html

"Not Really Me" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I hope someone still answers NT4 server questions here. Please let me know
> if there is a better place to post this.
>
> I am running an old NT4 SP6 installation, with ExchSvr 5.5.
>
> For some unknown reason something starts trying to send network traffic
> (mail?) from the server's (192.168.55.6) port 25 to some apparently arbitrary
> port on my firewall (192.168.55.199). After a reboot of the server I start
> seeing syslog entries from the firewall saying that it is blocking this
> connection attempt. The server is running the latest version of Symantec
> AV. Otherwise I might think this is a virus of some sort. Between noon
> Saturday and 9am Monday, the system generated 26,000 of these messages.
>
> How can I go about finding out what task/program is generating this traffic?
>
> Scott
> ExoTech R&D, Inc.



 
Not Really Me
01-20-2004, 03:06 PM
Gino wrote:
> I like Active Ports. It runs in real time (you can adjust the refresh
> rate) and shows Process Name, Process ID, Local IP and Port, Remote IP
> and Port, Protocol, State, and the full path to the .exe. And you can
> kill the process right from the UI (even if it is running under
> svchost.exe), it will output the screen to a text file so you can
> create a record, and it's freeware.
> http://www.ntutility.com/freeware.html
>
> "Not Really Me" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> I hope someone still answers NT4 server questions here. Please let
>> me know if there is a better place to post this.
>>
>> I am running an old NT4 SP6 installation, with ExchSvr 5.5
>>
>> For some unknown reason something starts trying to send network
>> traffic (mail?) from the servers (192.168.55.6) port 25 to some
>> apparently arbitrary port on my firewall (192.168.55.199). After a
>> reboot of the server I start seeing syslog entries from the firewall
>> saying that it is blocking this connection attempt. The server is
>> running the latest version of symantec AV. Otherwise I might think
>> this is a virus of some sort. Between noon Saturday and 9am Monday,
>> the system generated 26,000 of these messages.
>>
>> How can I go about finding out what task/program is generating this
>> traffic?
>>
>>
>> Scott
>> ExoTech R&D, Inc.


Thanks. That did a good job of identifying that Exchange's IMC was attached
to port 25, so I stopped it. Unfortunately the traffic from port 25 did not
stop. I then stopped, one at a time, every other service that NT would let me
stop (all except RPC Server and Event Log). The traffic still persisted.

Active Ports showed only 7 or 8 remaining port connections and none were on
port 25.

Any other suggestions?
--
Scott
ExoTech R&D, Inc.


 
sharad
01-20-2004, 05:38 PM
You say the server is running the latest version of Symantec AV.
Are the virus definitions also the latest?
Also it could be a client which is infected; are the clients also on the
latest version of AV and recent virus definitions?
(the mail server, while relaying mail, uses many other ports
and not only 25)

sharad.
"Not Really Me" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I hope someone still answers NT4 server questions here. Please let me know
> if there is a better place to post this.
>
> I am running an old NT4 SP6 installation, with ExchSvr 5.5.
>
> For some unknown reason something starts trying to send network traffic
> (mail?) from the server's (192.168.55.6) port 25 to some apparently arbitrary
> port on my firewall (192.168.55.199). After a reboot of the server I start
> seeing syslog entries from the firewall saying that it is blocking this
> connection attempt. The server is running the latest version of Symantec
> AV. Otherwise I might think this is a virus of some sort. Between noon
> Saturday and 9am Monday, the system generated 26,000 of these messages.
>
> How can I go about finding out what task/program is generating this traffic?
>
> Scott
> ExoTech R&D, Inc.



 
Not Really Me
01-20-2004, 06:41 PM
Yes, all have the latest virus definitions. I know that other ports could
be used, but it is the firewall that is identifying the source as port 25.
When I have a chance I will hang a sniffer on the network and try to
identify the contents of the packet. I'm not sure I expect to get much
information from this, but maybe I can tell if it is actually part of an
SMTP transfer.


"sharad" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You say the server is running the latest version of Symantec AV.
> Are the virus definitions also the latest?
> Also it could be a client which is infected; are the clients also on the
> latest version of AV and recent virus definitions?
> (the mail server, while relaying mail, uses many other ports
> and not only 25)
>
> sharad.
> "Not Really Me" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > I hope someone still answers NT4 server questions here. Please let me know
> > if there is a better place to post this.
> >
> > I am running an old NT4 SP6 installation, with ExchSvr 5.5.
> >
> > For some unknown reason something starts trying to send network traffic
> > (mail?) from the server's (192.168.55.6) port 25 to some apparently arbitrary
> > port on my firewall (192.168.55.199). After a reboot of the server I start
> > seeing syslog entries from the firewall saying that it is blocking this
> > connection attempt. The server is running the latest version of Symantec
> > AV. Otherwise I might think this is a virus of some sort. Between noon
> > Saturday and 9am Monday, the system generated 26,000 of these messages.
> >
> > How can I go about finding out what task/program is generating this traffic?
> >
> > Scott
> > ExoTech R&D, Inc.



 
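Added example, not from the thread: once a sniffer is on the wire, as Scott plans above, the TCP flags and the first bytes of payload say more than the port numbers do. This script classifies constructed packet summaries (not a real capture; the addresses reuse the thread's, while the flags, ports and payloads are made up) and separates the cases that matter for the question "which program is doing this": RST segments, which the TCP stack emits by itself for a port with no listener or for a connection it no longer knows about (for instance after a reboot), so no process needs to own port 25 for them to appear; SYN-ACK and SMTP banners, which mean a listener really is serving on 25; and bare SYNs sent from port 25, which mean a local program has bound 25 as its source port and is opening connections.

```python
import re
from collections import Counter

# Constructed packet summaries in the form a sniffer would show them (not a real
# capture from the poster's network). "flags" uses the usual TCP letters:
# S=SYN, A=ACK, P=PSH, R=RST, F=FIN.
SAMPLE_CAPTURE = [
    {"src": "192.168.55.6", "sport": 25, "dst": "192.168.55.199", "dport": 3412,
     "flags": "RA", "payload": b""},
    {"src": "192.168.55.6", "sport": 25, "dst": "192.168.55.199", "dport": 3413,
     "flags": "SA", "payload": b""},
    {"src": "192.168.55.6", "sport": 25, "dst": "192.168.55.199", "dport": 3413,
     "flags": "PA", "payload": b"220 mail.example.test ESMTP ready\r\n"},
    {"src": "192.168.55.199", "sport": 3413, "dst": "192.168.55.6", "dport": 25,
     "flags": "PA", "payload": b"HELO fw.example.test\r\n"},
    {"src": "192.168.55.6", "sport": 25, "dst": "192.168.55.199", "dport": 3415,
     "flags": "S", "payload": b""},
]

SMTP_REPLY_RE = re.compile(rb"^[2-5]\d\d[ -]")          # "220 ...", "250-..."
SMTP_COMMAND_RE = re.compile(rb"^(HELO|EHLO|MAIL|RCPT|DATA|QUIT|RSET|NOOP)\b", re.I)


def classify_packet(pkt):
    """Say what a packet on port 25 most likely is, from its flags and payload."""
    flags = set(pkt["flags"])
    if "R" in flags:
        # The TCP stack answers a SYN to a port with no listener, or any segment
        # for a connection it does not know (e.g. after a reboot), with RST from
        # that port. No application has to own the port for these to show up.
        return "tcp-reset (kernel-generated, no application needed)"
    if pkt["payload"]:
        if SMTP_REPLY_RE.match(pkt["payload"]):
            return "smtp-reply (a server is talking on port 25)"
        if SMTP_COMMAND_RE.match(pkt["payload"]):
            return "smtp-command (a client is talking to port 25)"
        return "data (not SMTP-looking)"
    if flags == {"S", "A"}:
        return "syn-ack (a listener on port 25 accepted a connection)"
    if flags == {"S"}:
        return "syn (a connection being opened *from* this port)"
    return "ack-only/other"


def summarize_capture(packets, port=25):
    """Count packet classes over the packets that involve the given port."""
    counts = Counter()
    for pkt in packets:
        if port in (pkt["sport"], pkt["dport"]):
            counts[classify_packet(pkt)] += 1
    return dict(counts)


def opened_from_port(packets, port=25):
    """Destinations to which a bare SYN was sent *from* the port: the one case
    that means a local program is deliberately using that port as its source."""
    return sorted({(p["dst"], p["dport"]) for p in packets
                   if p["sport"] == port and set(p["flags"]) == {"S"}})


if __name__ == "__main__":
    for cls, n in sorted(summarize_capture(SAMPLE_CAPTURE).items()):
        print(f"{n:3d}  {cls}")
    print("connections opened from port 25:", opened_from_port(SAMPLE_CAPTURE))
```

If the real capture is all RST/ACK from port 25, stopping services will never make it go away, because the kernel is answering segments the firewall host keeps sending for connections the server no longer has; the thing to look at then is what on the firewall side is still trying to talk to the server. Only the bare-SYN class points at a program on the server that must be found with a per-process port listing.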