Robert Berke
asked on
smtpsvc trying to connect to suspicious ip address "SMTP could not connect"
As part of our monthly disaster test, I restored our SBS 2003 server onto a duplicate server in my attic.
The test worked fine, except I noticed some warnings in the event log.
Now, most of the warnings are to be expected. For instance, my attic backup server cannot really function as a domain server because the production server is elsewhere.
But, there was one event id that had a very strange IP address.
Actually, 2 suspicious event IDs repeat about every 100 minutes. There is no system failure, so normal forums like eventid.net are not being very helpful, so I need some advice.
first event
source:smtpsvc
eventid:2013
smtp could not connect to any DNS server.
That is strange, because my attic server is connected to the internet using Time Warner Road Runner, and most things work fine.
second event
source: smtpsvc
eventid: 2012
SMTP could not connect to the DNS server 19.169.16.2. The protocol used was 'UDP'. It may be down or inaccessible.
nslookup shows the following
nslookup 19.169.16.2
Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61
DNS request timed out.
timeout was 2 seconds.
*** Request to dns-cac-lb-01.rr.com timed-out
A whois on the IP address says the technical contact is dnsadmin@ford.com, with whom we have absolutely no ties. Also, a whois on ford.com shows a technical contact of dnsmgr@ford.com. Note the slight difference in names.
A regedit search reveals controlset001 has a tcp interface
5d3e2539 49b5 4559 8f26 539BDFA7BE44 with NameServer value 19.169.16.2
I went to the production server and did not find any SMTPSVC events, so I think this may simply be some weirdness associated with using Road Runner in my attic. In particular, the rr.com server address shown from nslookup.
But, the weird IP address still bothers me.
Does anybody have advice? Am I wasting my time worrying about this?
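The asker found the stray address by searching the registry by hand. As an added example (not from this thread or any of the tools mentioned in it), the PowerShell script below audits the same per-interface NameServer and DhcpNameServer values under the standard Tcpip\Parameters\Interfaces key and flags any address that is not on an allow list; the allow-list address is a placeholder to replace with your own DNS server(s).

```powershell
# Added example, not from the thread: list every DNS server address configured on
# each TCP/IP interface (the per-interface NameServer values the asker found with
# regedit) and flag any that is not on an allow list.
# The allow list below is a placeholder; put your real internal DNS server(s) there.
$AllowedDnsServers = @('192.168.16.2')

# CurrentControlSet points at the control set Windows actually booted from
# (ControlSet001 in the thread); each subkey is one interface GUID.
$InterfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsServerAudit {
    param([string[]]$Allowed)
    foreach ($iface in Get-ChildItem -Path $InterfacesKey) {
        $props = Get-ItemProperty -Path $iface.PSPath
        # NameServer is the static setting; DhcpNameServer is what DHCP handed out.
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$valueName
            if ([string]::IsNullOrEmpty($raw)) { continue }
            # The value is a space- or comma-separated list of addresses.
            foreach ($addr in ($raw -split '[ ,]+')) {
                if ($addr -eq '') { continue }
                New-Object PSObject -Property @{
                    Interface = $iface.PSChildName
                    Source    = $valueName
                    Address   = $addr
                    Allowed   = ($Allowed -contains $addr)
                }
            }
        }
    }
}

$audit = Get-DnsServerAudit -Allowed $AllowedDnsServers
$audit | Format-Table Interface, Source, Address, Allowed -AutoSize

$unexpected = $audit | Where-Object { -not $_.Allowed }
if ($unexpected) {
    $list = ($unexpected | ForEach-Object { $_.Address } | Sort-Object -Unique) -join ', '
    Write-Warning "Unexpected DNS server(s) configured: $list"
    # To clear a bogus static entry by hand (what the thread's DNS fix ended up doing):
    # Set-ItemProperty -Path "$InterfacesKey\{interface-guid}" -Name NameServer -Value ''
}
```

Run it on the production server and the restored copy and diff the two tables; a static NameServer entry that exists on only one of them is the first thing to explain.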
Forgot to say - run TDSSKiller - then monitor for a repeat of the event.
ASKER
Ran TDSSKiller. It said it found nothing.
Ran RogueKiller. It found 700 errors but would only kill 100 unless I paid money.
Of course, most of those errors are not really errors - just innocent activex components etc.
So, I deleted internet history cache etc and reran it hoping to catch another 100.
A second call did NOT delete another 100, in fact, even though it went through the same scan program and ran for two minutes it found 700 and said it would kill 100. Sounds like it is not really working on my server.
But, it has been two hours now and no further logs.
So, one of the two programs or my own cleanup seems to have fixed something.
I am going to restore the computer one more time so that the problem is back, then try simply deleting cache and program files. That will take the rest of the day; I will post my results.
rberke,
Glad you're making progress - but to clarify:
"RogueKiller" is an entirely free program - no fees of any kind, no matter what it finds.
I am in daily contact with the developer and he is only trying to get exposure for his application. You can 'donate' (PayPal) if you like it, but it is completely free.
I have never heard of Kaspersky charging for TDSSKiller either.
Please check and let me know for sure which program is asking for money...it actually sounds like you have some kind of 'scareware' running on there.
Both CCleaner and Malwarebytes are good for server OSes, so take a look at this one and give them a try:
https://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
When finished with MBAM, post the log that is generated and let us look at it for you.
ASKER
Both products were free.
Thanks to your last comment, I did not have to try another restore.
Instead, I repeated the download and discovered that I had accidentally clicked the wrong link when downloading RogueKiller and got ARO 2011 from sammsoft.com (I had to ignore the French language download page; luckily, the program ran in English).
I downloaded and ran a scan with the correct RogueKiller and it produced a short report (20 lines).
Sure enough, it caught two registry entries with 19.169.16.2.
I next ran a delete and it said 19.169.16.2 not removed, run dnsfix.
I next ran dns fix and it replaced nameserver with blank. So, that fixed my attic backup computer.
I then ran it on the production machine and it DID NOT FIND ANY SUCH ADDRESS !!!!
I used regedit on the production server and discovered the nameserver parameter was 192.168.16.2, which is the server's local network NIC IP address.
So, where the heck did 19.168.16.2 come from? I rebooted the attic machine. Before login I got a message that one service was disabled. The system event log showed that it was the Microsoft Exchange Information Store. We have Exchange installed but we are not really using it.
So, now I am really confused. WHERE THE HECK DID THIS IP ADDRESS COME FROM? I am going to restore attic from the same backup I used before, only this time it will NOT be connected to any network (the last restore occurred while the attic server was connected to Time Warner). I will post results.
ASKER
The comment about ignoring French applied to RogueKiller, not ARO 2011. Sorry, I typed it in the wrong place.
That French stuff threw me too (for RogueKiller). I swap email with the developer every day and his English is better than mine (not saying much), but so far he is resisting my requests for an English language Forum/Help Page.
It is a brand new product that looks promising - time will tell.
I'll keep monitoring this for any updates.
ASKER
Well, that's another 2 hours of my life I will never get back.
Sorry to have wasted your time, but it turns out I typed that stupid address myself ! ! !
If you want to see how I got egg on my face, read on. Otherwise, here are your points.
I did not mention it previously, but 3 days ago I was troubleshooting a problem. Every time I tried to change the INTERNET NIC TCP/IP settings, the NCPA.CPL > Internet Protocol Properties dialog froze and would not respond.
I tried a bunch of things to fix it like repair and disable. Before doing a reboot, I decided to see if the LOCAL NIC had the same problem. I typed in some random characters, 19.169 and clicked apply. It didn't freeze so I rebooted the machine and the rest is history. It was a two second test on a machine that was going to be rebuilt for other purposes in two days, so my inattention was understandable.
We all do stupid things from time to time, and I guess I was due for one.
Hello
Here's the English page ;)
http://www.geekstogo.com/forum/files/file/413-roguekiller/
I downloaded and ran scan with the correct rogue killer and it produced a short report (20 lines)
Even if it's too late, do you still have the report?
I'll explain the lines if you need
ASKER
I do not have the old report, but if I remember correctly, it was entirely English, and easily understood.
The English vs French confusion came only during the download from the website. It is good that there is now an English page.
No need for further action, but thanks anyhow.
Hey Tigzy - thanks for checking in.
Good to see you posting here.