I have a server that appears to be randomly sending out traffic over port 25. To the best of my knowledge this server should not be sending out any traffic over port 25. I have checked with the application vendor and they have confirmed that their software does not use port 25. This server does run IIS and SQL. I don't see any configurations in IIS for SMTP or SMTP relay. I am concerned that there may be malicious activity going on.
I have run Wireshark on that server and have verified that the traffic is coming from that server. Each time the event is logged there are only about 3 lines that appear in Wireshark. (Outbound 25 is blocked on the edge firewall; I used Wireshark to verify the traffic originating from the server.)
I have run several TCP monitoring applications, but the traffic is happening so quickly that they don't show what application is opening the port.
The local Windows Firewall is not running, but an edge firewall is running. That is how I see the traffic occurring. I am blocking port 25 from that server on the edge firewall.
I will have to coordinate with the users to be able to turn on the Windows Firewall so as not to interrupt legitimate traffic.
The destination is 188.8.131.52 and that resolves back to server302.com.
Whois information on server302 indicates that the administrator is in Bulgaria, but that might be the enom.com administrator.
Whois information on the IP points to Savvis / SureSupport LLC
Geolocation data puts the location at Waltham, Massachusetts.
The IP address appears to be a DNS server - ns1.server302.com
SureSupport appears to be a hosting provider where server302.com is hosted.
Why would an application be sending port 25 traffic to a name server?
Any ideas on how to find out what application is opening port 25 of this server?
Take a look at the Windows Sysinternals tools. There might be something you can download and run on that server, like Sysmon or Process Explorer, to look at suspicious processes.
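Because the connections are too short-lived for a live TCP monitor to catch, one defender-side approach is to let Windows record the owning process for every outbound connection and query that record afterwards. The script below is an added example, not code from either post; it assumes an elevated PowerShell session and that Windows Filtering Platform connection auditing has been enabled with `auditpol` (the `$RemoteAddress` default is the IP from the question).

```powershell
# Added example (not from the original question or answer).
# Prerequisite (run once, as Administrator) so that Security event 5156
# is written with the full path of the process that opened the connection:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
param(
    [int]$Port = 25,                    # port the edge firewall is seeing
    [string]$RemoteAddress = '188.8.131.52',   # from the question; '' = any
    [int]$Hours = 24                    # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 5156                    # WFP "connection permitted"
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields out of the event XML into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Outbound    = ($d.Direction -eq '%%14593')   # %%14592 = inbound
            ProcessId   = [int]$d.ProcessID
            Application = $d.Application   # \device\harddiskvolumeN\... path
            DestAddress = $d.DestAddress
            DestPort    = [int]$d.DestPort
        }
    } |
    Where-Object {
        $_.Outbound -and $_.DestPort -eq $Port -and
        ($RemoteAddress -eq '' -or $_.DestAddress -eq $RemoteAddress)
    } |
    Sort-Object Time |
    Format-Table Time, ProcessId, Application, DestAddress, DestPort -AutoSize
```

If `Application` comes back as `System` (PID 4), the connection was made from kernel mode rather than a user process, which changes what to look for next; if you take the answer's suggestion and install Sysmon instead, its Event ID 3 in `Microsoft-Windows-Sysmon/Operational` carries the same process-to-destination mapping.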