outbound smtp connection attempt - source port shivadiscovery (tcp/1502)
Posted on 2013-06-05
We have several PC's that are unable to establish any outbound connection to a particular domain name or the IP address of a server used by the domain. For example, we are not able to access the website of domain.com, cannot telnet to mail.domain.com or the IP of mail.domain.com. We are able to telnet to other smtp servers without issue.
There is also a separate internal network (on a different interface) that utilizes the same internet gateway. Devices on the second network are able to connect just fine.
Here is the capture of when a connection attempt is made from network 1:
1327 4.849653000 192.168.1.59 YYY.YYY.YYY.YYY TCP shivadiscovery > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
Here is the capture of when a connection attempt is made from network 2:
114 2.967202 192.168.10.21 YYY.YYY.YYY.YYY TCP 52592 > smtp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
117 3.016186 YYY.YYY.YYY.YYY 192.168.10.21 TCP smtp > 52592 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=7
[Where YYY.YYY.YYY.YYY is a public IP address]
Clearly the difference is the outbound port that the TCP connection attempt is made. Does shivadiscovery indicate that we have some type of malware on these devices?
In limited troubleshooting the only other thing that seemed unusual was the routing table, the metric of what should be the default route was higher than some of the other routing table entries.