Domain controller anomalous connection to remote Redplaid SMTP server

-

we've been battling bandwidth issues @ company lately , we've done extensive scouring of our cisco asa logs try , find source(s) of problem. on weekend ran little gem:

2014-03-22 12:14:13        local4.warning 10.100.20.1 %asa-4-106023: deny tcp src lan1:10.100.20.74/49353 dst hsinternet:209.134.48.10/25 access-group "lan1_access_in" [0xb0069b3c, 0x0]

this entry in our firewall's syslog shows 1 of domain controllers (10.100.20.74 in example) attempting, unsuccessfully, connect outside smtp server @ address 209.134.48.10 on port 25 (we closed type of connection on our network, previous connections may have been successful). we have no software installed making smtp connections anywhere, , i've scanned machine thoroughly looking malware or viruses or rootkits. machine ad domain services, dhcp, , dns. has no third party software installed, , never has.

the ip 209.134.48.10 has reverse dns entry of df7yjcp1.redplaid.com, , hooked using telnet confirm indeed smtp server. redplaid seems hosting company based out of missouri, beyond have no additional information on company.

does have idea why global catalog making smtp connections seemingly random server on internet?

hi,

when did issue occur , before operations did have?

i suggest recheck domain controllers in domain, and check out whether iis smtp service has been installed. if running windows 2008 based domain controllers, did you set smtp replication, did have exchange installed in environment?

please refer below links:

http://support.microsoft.com/kb/947057

http://support.gfi.com/manuals/en/msec2011gsg/msec2011gsgmanual.1.13.html

regards,

yan li

 

regards, yan li



Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Group Policy Event ID 1058 Error Code 1326 (The user name or password is incorrect)

-
i seeing odd error on 1 of our domain controllers. have dealt event id 1058 errors whereby policy (or policies) not replicating, receiving error along error code 1326 on server, , apparently happening default domain policy: log name:      system source:        microsoft-windows-grouppolicy date:          8/10/2015 3:09:54 pm event id:      1058 task category: none level:         error keywords:      user:          s-1-5-21-1484152634-2550175353-3916092219-3287 computer:      <dc name>.<domainname> description: processing of group policy failed. windows attempted read file http://schemas.microsoft.com/win/2004/08/events/event ">   <system>     <provi...
Read more

Suspicious event log Event ID: 4905

-
hi thr, could please me understand causing such event logs generate ? as  i understand, vssvc.exe pertains volume shadow copy used backup purpose.  we have third party application used taking backup of servers. the event longs generated following messages: 1) attempt made unregister security event source. 2) attempt made register security event source. these events not regular generated on random days. standard fields: date:               2013/10/19 time:               02:32:19 importance:         critical rule name:          security event monitored machine:  <domain controller> log format:         windows log name:           security event id:           4905 in work hours:      yes dynamic fields: internal timestamp: 2013/10/19 ...
Read more

DCOM received error "2147746132" from...

-
hi everybody, i have dc (my windows essentials 2012 server) , windows 2012 server in network.  the windows server 2012 inside domain. on server, got "non stopping" error says in event logs : ===> dcom received error "2147746132" fromd computer xxxx(my dc computer) while server trying activation : {6df8cb71-153b-4c66-8fc4-e59301b8011b} it never stops, got 11000+ new events :s i found : http://support.microsoft.com/kb/971153/fr i'm not sure should ? does got idea ? matthieu. hi, please try solution mentioned in below link: http://www.eventid.net/display-eventid-10006-source-dcom-eventno-272-phase-1.htm regards, cicely Windows Server  >  Windows Server 2012 General ...
Read more