Solved

Find application using port 25 on server 2008R2

Posted on 2016-09-26
5
52 Views
Last Modified: 2016-09-27
I have a server that appears to be randomly sending out traffic over port 25.  To the best of my knowledge this server should not be sending out any traffic over port 25. I have checked with the application vendor and they have confirmed that their software does not use port 25.  This server does run IIS and SQL.  I don't see any configurations in IIS for SMTP or SMTP relay.  I am concerned that there may be malicious activity going on.

I have run wireshark on that server and have verified that the traffic is coming from that server. Each time the event is logged there are only about 3 lines that appear in wireshark. (outbound 25 blocked on edge firewall. Used wireshark to verify traffic originating from the server)

I have run several TCP monitoring applications but the traffic is happening so quick that they don't show what application is opening the port.
The local windows firewall is not running but an edge firewall is running. That is how I see the traffic occurring. I am blocking port 25 from that server on the edge firewall.

I will have to coordinate with the users to be able to turn on the windows firewall as to not interrupt legit traffic.

The destination is 216.35.196.35 and that resolves back to server302.com.  
Whois information on server302 indicates that the administrator is in Bulgaria, but that might be the enom.com administrator
Whois information on the IP points to Savvis / SureSupport LLC
Geolocation data puts the location at Walthan, Massachusetts
The IP address appears to be a DNS server - ns1.server302.com
SureSupport appears to be a hosting provider where server302.com is hosted.

Why would an application be sending port 25 traffic to a name server?
Any ideas on how to find out what application is opening port 25 of this server?
0
Comment
Question by:jpgillivan
  • 2
  • 2
5 Comments
 
LVL 14

Accepted Solution

by:
Todd Nelson earned 500 total points
ID: 41816930
Take a look at the Windows Sysinternals tools.  There might be something you can download and run on that server to look at suspicious processes like Sysmon and Process Explorer.

https://technet.microsoft.com/en-us/sysinternals

Anything look out of the ordinary in Programs and Features?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 41817880
agree with todd nelson.  sysinternals has a tool called tcpview that can help in such cases.  it's been years since I've been on windows so I can't remember precisely all options, but you should be able to filter results so even though things happen fast, as you say, you should hopefully be able to see what is going on.

if that doesn't work, the only other solution i can think of is writing a small batch file that will call netstat (just dump everything so you're sure you don't miss something) as well as the tasklist command output.  then do an infinite loop running that as it dumps the output to a file.  then watch wireshark to see when the traffic happens again.  once it does you can kill the batch loop, scour the logs for the pid.  this will most likely produce an absolute ton of output though so I'd only do it if tcpview or other sysinternal tools can't help
0
 

Author Closing Comment

by:jpgillivan
ID: 41818317
I tried TCPView but that did not work as the socket open time was too short.  

I was finally able to get the offending program information using ProcessMonitor.  Then I used the "network summary" in the tools menu, found the entry with the url, double clicking on it automatically applied a filter to the output.  Then I was able to see the application and PID.  

Thanks.
2
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 41818343
@jpgillivan

just want to give you kudos for giving such a great and comprehensive closing comment so that people who look at this question will know precisely what to do.  awesome job!
0
 

Author Comment

by:jpgillivan
ID: 41818350
Thanks.  I hate it when an original poster simply says that they fixed it or found the issue.
1

Featured Post

Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now