diablo-26 asked:
Question about netstat.exe and store.exe on our exchange server

We've had a lot of SPAM e-mail and I've wondered if it was a machine on our school network or something on our server maybe.

I ran netstat -b and found a new connection opening almost every second from 10.1.4.73.  This is within our DHCP pool range, but I cannot ping it, there is no response.   Should I maybe block all traffic from LAN to LAN from this IP to our exchange server?  

Every second it changes the port that it's coming from, 10.1.4.73:2748, then 10.1.4.73:2500, etc., which seems suspicious. It's all talking with store.exe.

Is this some kind of a SPAM bot somewhere in our school?  It's summer so most of the machines are shut off at this point.  And I can't ping it so it might be hard to find...

Any ideas?

Thanks,

M.
diablo-26 (ASKER):
Just to show you what I see when I run a Netstat -b, this just keeps going and going.
The IP of the exchange server is 10.1.1.30 by the way...

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2483         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2560         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2613         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2510         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:3140         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2801         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2724         ESTABLISHED     4888
One more thing: I noticed in the Windows Firewall on the server that it was turned off. Should this be on a server? Also noticed that in the Exception list there is something listed as just ENABLE using TCP Port 1940.

Just ENABLE doesn't really fit in with the other services listed there, but I am running GFI Mail Essentials and GFI Mail Security, do these programs maybe open up that port?

Thanks,

M.
Hmmm... if I turn on the Windows Firewall on the server we lose internet access from any machine in the building.

This server is our Exchange / DNS / Web Server and Domain Controller.

M.
I also blocked access from 10.1.4.73 to 10.1.1.30 using our Sonic Wall, but no luck, connections just keep coming.

M.
Nitin Gupta:

Hi,
  • If you are really suspicious about that IP (10.1.4.73), then the easiest thing would be first to block it in your Virtual SMTP Connector setting, while you go ahead and test what that IP address is.
  • Well, go ahead and check the SMTP logs and see what the message is all about. Maybe from the contents you would be able to find out whether you have some server with some application that might be sending alerts/notifications etc.
  • We would need to know the details before we can say whether it is a SPAM bot etc.
  • Port 1940 is for the JetVision client. JetVision would be for your voice network. I am not sure whether you would want to touch that.
Hope this helps to start with.
Thanks
Nitin
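The "check the SMTP logs" step above is easier with a small filter than by eye. The following is an added example, not code from this thread or from either participant: a parser for a W3C extended-format log (the format the IIS SMTP service behind Exchange 2003 writes) that keys rows off the `#Fields:` directive, keeps only one client IP, and summarises which SMTP verbs that client sent and which envelope addresses it used. The sample log is constructed; its field list is an assumed subset of the real one, and the layout with the verb in `cs-method` and its argument in `cs-uri-query` is assumed here rather than taken from the page.

```python
"""Filter a W3C extended-format SMTP protocol log down to one client IP and
summarise what that client did: which verbs it sent and which addresses it used."""
import re
from collections import Counter

# Constructed sample. The field list is a reduced, assumed subset of the
# columns such a log can carry; the parser reads whatever #Fields: declares,
# so it does not depend on this exact layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-07-01 00:00:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2008-07-01 00:00:01 10.1.4.73 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 EHLO - +pc73.school.example 250
2008-07-01 00:00:01 10.1.4.73 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 MAIL - +FROM:<alice@school.example> 250
2008-07-01 00:00:02 10.1.4.73 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 RCPT - +TO:<bob@partner.example> 250
2008-07-01 00:00:02 10.1.4.73 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 RCPT - +TO:<carol@partner.example> 250
2008-07-01 00:00:02 10.1.4.73 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 DATA - <abc123@school.example> 250
2008-07-01 00:00:03 10.1.4.73 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 QUIT - - 240
2008-07-01 00:00:09 10.1.4.12 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 EHLO - +lab12.school.example 250
2008-07-01 00:00:09 10.1.4.12 - SMTPSVC1 MS-EXCHANGE2003 10.1.1.30 25 QUIT - - 240
"""

# Envelope addresses are logged in angle brackets, e.g. +FROM:<alice@...>.
ADDR_RE = re.compile(r"<([^>]+)>")


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(None, 1)[1].split()
            continue  # other directives (#Software, #Date, ...) carry no rows
        if fields is None:
            raise ValueError("data row before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row; skip rather than misalign
        yield dict(zip(fields, values))


def summarize_client(entries, client_ip):
    """Count SMTP verbs and collect envelope addresses for one client IP."""
    verbs = Counter()
    senders, recipients = [], []
    for e in entries:
        if e.get("c-ip") != client_ip:
            continue
        verb = e.get("cs-method", "-").upper()
        verbs[verb] += 1
        m = ADDR_RE.search(e.get("cs-uri-query", "-"))
        if verb == "MAIL" and m:
            senders.append(m.group(1))
        elif verb == "RCPT" and m:
            recipients.append(m.group(1))
    return {"verbs": verbs, "senders": senders, "recipients": recipients}


if __name__ == "__main__":
    print(summarize_client(parse_w3c(SAMPLE_LOG), "10.1.4.73"))
```

A host that is relaying spam shows up here as a very high RCPT count per MAIL, many distinct recipient domains, and sender addresses that are not local users; a legitimate alerting application shows a handful of fixed recipients. Note that this only covers SMTP sessions: a client talking to store.exe over MAPI/RPC never appears in the SMTP protocol log at all.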
Okay I will check the logs... we don't have a voice network at all.  You mean like VOIP?

M.
Not sure but from my basic looking around it seems it could also be W32.Opanki a Win32 worm
http://www.symantec.com/security_response/writeup.jsp?docid=2005-061516-4529-99
http://www.pspl.com/virus_info/worms/opanki.htm
Do look at that. !!
First things first, see if you can find that IP... do you have DHCP or static IPs?
Okay I blocked 10.1.4.73 in the virtual SMTP settings.  But it's still coming...

Is the traffic inbound to the mail server or outbound?  Should I block traffic coming from the mail server or to it?  Could this be a root-kit on the server itself and the 10.1.4.73 is like a mini server the root kit has setup?

M.

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2963         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2425         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2569         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:3506         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2702         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2532         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2779         ESTABLISHED     4888
[store.exe]

TCP    MS-EXCHANGE2003:2644   10.1.4.73:2652         ESTABLISHED     4888
[store.exe]
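The "inbound or outbound?" question in the post above can be answered from the netstat output itself: across many connections the listening side keeps one fixed port while the connecting side uses a fresh ephemeral port each time. Here is an added example, not code from this thread or from either participant, that parses `netstat -b` output, attaches the bracketed image name to each row, and applies that heuristic to one peer. The sample text is constructed to match the shape of the rows posted above (plus two unrelated rows so the filter has something to skip); the PIDs and extra processes in it are made up.

```python
"""Parse Windows 'netstat -b' output and work out which side of a
connection is the listener, so a flood of connections from one peer can
be classified as inbound or outbound before anything gets blocked."""
import re
from collections import Counter

# Constructed sample in the shape of the netstat -b rows in this thread
# (hostname, fixed local port 2644, peer 10.1.4.73, PID 4888 = store.exe),
# padded with two unrelated, made-up connections.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    MS-EXCHANGE2003:2644   10.1.4.73:2483         ESTABLISHED     4888
  [store.exe]
  TCP    MS-EXCHANGE2003:2644   10.1.4.73:2560         ESTABLISHED     4888
  [store.exe]
  TCP    MS-EXCHANGE2003:2644   10.1.4.73:2613         ESTABLISHED     4888
  [store.exe]
  TCP    MS-EXCHANGE2003:2644   10.1.4.73:3140         ESTABLISHED     4888
  [store.exe]
  TCP    MS-EXCHANGE2003:25     10.1.4.99:1402         ESTABLISHED     1560
  [inetinfo.exe]
  TCP    MS-EXCHANGE2003:1077   10.1.1.1:389           ESTABLISHED     520
  [lsass.exe]
"""

# One TCP row: local host:port, foreign host:port, state, PID.
CONN_RE = re.compile(
    r"^\s*TCP\s+(?P<lhost>\S+):(?P<lport>\d+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
# The owning image follows on its own line in square brackets; netstat -b
# may print unbracketed DLL names in between, which are simply ignored.
PROC_RE = re.compile(r"^\s*\[(?P<proc>[^\]]+)\]\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per TCP row, each with its owning image."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("lport", "rport", "pid"):
                row[key] = int(row[key])
            row["proc"] = None
            conns.append(row)
            continue
        p = PROC_RE.match(line)
        if p and conns and conns[-1]["proc"] is None:
            conns[-1]["proc"] = p.group("proc")
    return conns


def peer_report(conns, peer_ip):
    """Summarise every connection whose foreign address is peer_ip.

    Direction heuristic: one fixed local port and a distinct remote port per
    row means the peer is connecting *to* us (inbound); the mirror image means
    we are connecting out to it. Fewer than two rows is not enough to say.
    """
    rows = [c for c in conns if c["rhost"] == peer_ip]
    local_ports = {c["lport"] for c in rows}
    remote_ports = {c["rport"] for c in rows}
    if len(rows) >= 2 and len(local_ports) == 1 and len(remote_ports) == len(rows):
        direction = "inbound"
    elif len(rows) >= 2 and len(remote_ports) == 1 and len(local_ports) == len(rows):
        direction = "outbound"
    else:
        direction = "undetermined"
    return {
        "count": len(rows),
        "direction": direction,
        "local_ports": sorted(local_ports),
        "remote_ports": sorted(remote_ports),
        "processes": Counter(c["proc"] for c in rows),
    }


if __name__ == "__main__":
    print(peer_report(parse_netstat(SAMPLE), "10.1.4.73"))
```

Applied to the rows posted in this thread, the local port is always 2644 and the 10.1.4.73 port changes on every row, so by this heuristic 10.1.4.73 is the connecting side and store.exe on the Exchange server is the listener. Two practical consequences: a block in the SMTP virtual server's connection control only governs SMTP sessions and does not touch connections to store.exe's RPC endpoint, and a firewall rule only helps if the traffic actually passes through that firewall rather than staying on the same LAN segment. A host that answers TCP but not ping is also consistent with a client-side firewall dropping ICMP, so a failed ping is not evidence that the address is unused. `netstat -ano` gives the same rows with the PID and without the slow image lookup, if `-b` is too costly to run repeatedly on a production server.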
ASKER CERTIFIED SOLUTION
Nitin Gupta
This solution is only available to members.
No registry entries or matching files leading to the Opanki worm...
Nothing in startup that looks suspicious either after running MSConfig.
Nothing in the registry under Run or RunOnce or RunServices either...

Will check the DHCP and see if I can see where that IP is.
Yes you got to check that IP and search for Opanki there :-)
Hehehe, it's our high school principal's computer... I will have to check it tomorrow...

Hahahaha all the best .... trust me I almost fell off the chair...
Hmm, no trace of Opanki on his machine either, or any malware for that matter... not sure where that was coming from.

He does have Skype running on his PC and NOD32.  I also ran Trojan Remover and it came out clean... I don't know...

M.
lets keep it under observation for a day or two....let me know if you find something... :-) !
I would be keen to work on it with you...
I'll let you know...