Re: Exchange 2000/2003 Broadcasting to 192.x and 172.x hosts
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 05/12/04
- In reply to: Joe: "Exchange 2000/2003 Broadcasting to 192.x and 172.x hosts"
Date: Wed, 12 May 2004 15:19:02 -0400
What info is in the packets? What ports are they directed to?
I would be focusing on worm/virus or poorly configured application software.
joe
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net

Joe wrote:
> The network team at my company are beginning up huge amounts of UDP traffic from 2 MS Exchange back-end servers to random hosts [192.x.x.x and 172.x.x.x] using random high-range ports. The issue was first detected on an HP DL380 G2 with network teaming configured [HP team mode set to fault-tolerant and both NICs speed set to 100MB/FULL].
>
> Specs hw/os/exchange on both servers are as follows:
>
> Server1:
> OS: Windows 2000 Advanced Server SP4
> Exchange: MS Exchange 2000 Enterprise
> Anti-Virus: McAfee VirusScan 7.1 with ePO Orchestrator Client, Antigen for Exchange 7.1
> IDS: Agents from http://www.iss.net
>
> Server2:
> OS: Windows Server 2003 Standard
> Exchange: MS Exchange 2003 Enterprise
> Anti-Virus: McAfee VirusScan 7.1 with ePO Orchestrator Client, Antigen for Exchange 7.5 SR1
> IDS: Agents from http://www.iss.net
>
> The issue was first detected on SERVER1, at which time the following actions were taken:
> * Windows Update to verify that all critical patches have been installed
> * Installed MS PortReporter service to try to identify the process initiating the broadcast
> * Used ProcessExplorer and TCPView from http://www.sysinternals.com to try and identify guilty processes
> * Verified that virus scanners were all up to date
> * Disabled IDS agents and all unnecessary services
> * Followed security tips to check if we had a rootkit vulnerability [http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html]
>
> After the above we still see huge amounts of UDP packets dropped from the firewall. Done using a network sniffer to capture traffic from the ports on the switch that SERVER1 is connected to, to validate that packets were from a spoofed address on the same network segment. MAC address in payload corresponds to MAC address of the HP Network Team card.
>
> A decision was made to migrate all user mailboxes to a newly commissioned server [same hardware spec], SERVER2, and then rebuild SERVER1 to Win2003/Exch2003 to resolve the issue. But before migration we ran a network sniff on SERVER2 and we have the same issue on SERVER2 as well!!!!
>
> The LAN/WAN IP addressing scheme does not use the 192.x.x.x or 172.x.x.x subnets anywhere [not in DHCP, RRAS, etc.].
>
> Any ideas?????
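The sniffer finding described in the thread (UDP packets whose source IP falls outside the site's address plan, attributable by source MAC to the teamed NIC) can be turned into a simple triage check over a capture export. The code below is an added example, not part of the original posts: the site prefix list, the field layout and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption for this example: the site only uses 10.0.0.0/8, so any 192.x or
# 172.x source address seen on the wire cannot be a legitimate local host.
SITE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records (not the poster's capture), one packet per line:
# src_mac src_ip dst_ip dst_port proto
SAMPLE = """\
00:0b:cd:aa:bb:cc 10.1.5.20 10.1.5.1 53 UDP
00:0b:cd:aa:bb:cc 192.168.77.3 10.200.14.9 41231 UDP
00:0b:cd:aa:bb:cc 172.19.4.8 10.33.8.2 50112 UDP
00:0b:cd:aa:bb:cc 192.5.6.7 10.7.7.7 61000 UDP
00:0b:cd:aa:bb:cc 10.1.5.20 10.1.5.30 135 TCP
00:0b:cd:11:22:33 10.1.5.21 10.1.5.1 53 UDP
"""


def parse(text):
    """Parse the whitespace-separated export into typed tuples."""
    rows = []
    for line in text.splitlines():
        mac, sip, dip, port, proto = line.split()
        rows.append((mac.lower(), ipaddress.ip_address(sip),
                     ipaddress.ip_address(dip), int(port), proto.upper()))
    return rows


def is_site_address(ip):
    return any(ip in net for net in SITE_PREFIXES)


def find_spoofing_senders(rows, min_packets=2):
    """Group UDP packets with a non-site source IP by the MAC that sent them.

    A MAC emitting many distinct bogus source addresses toward many distinct
    destinations and high ports is the physical host to investigate, exactly
    the pattern the poster saw from the HP team card.
    """
    by_mac = defaultdict(lambda: {"packets": 0, "src_ips": set(),
                                  "dst_hosts": set(), "dst_ports": set()})
    for mac, sip, dip, port, proto in rows:
        if proto != "UDP" or is_site_address(sip):
            continue  # only UDP from addresses the site never assigned
        entry = by_mac[mac]
        entry["packets"] += 1
        entry["src_ips"].add(str(sip))
        entry["dst_hosts"].add(str(dip))
        entry["dst_ports"].add(port)
    return {m: e for m, e in by_mac.items() if e["packets"] >= min_packets}
```

Run it against a real export by feeding the same five fields per line; the resulting MAC is the NIC (or team) whose host needs the process-level investigation the thread describes.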