21 Replies Latest reply on Aug 24, 2015 10:42 AM by Don_Martin

    Port blocking rules - odd log entries

      On one of my Windows 2003 domain controllers, we are having some curious activity showing up in our Access Protection Log. Here is a sample of the entries from today and yesterday:

      2/26/2007 10:44:47 PM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
      2/27/2007 3:21:28 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
      2/27/2007 5:06:08 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6667
      2/27/2007 6:47:54 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
      2/27/2007 8:30:26 AM Blocked by port blocking rule C:\WINDOWS\system32\lsass.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
      2/27/2007 9:58:26 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
      2/27/2007 12:08:53 PM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6668

      More often than not, VirusScan blocks attempts by dns.exe to connect to the mail server, but as you can see here, once in a while it will block an attempt by lsass.exe. From paging back through the logs, it appears that these connection attempts are exclusively directed at our mail server, on ports 6666-6669. Our mail server is MDaemon, so whatever it is has nothing to do with the usual AD-centric traffic you'd expect to see with an Exchange server.

      Despite a significant amount of reading and Googling, I am unaware of any legitimate reason for either DNS or LSASS to attempt to communicate to another box via IRC.

      I have run manual virus scans with the latest updates, and have found nothing. I have also run the Sysinternals Rootkit Revealer and manually scanned the system using Microsoft's monthly malware removal tool, and likewise have turned up nothing suspicious with those. I have enabled detailed logging on the DNS server on this DC, filtered to show traffic to and from the mail server's IP, and nothing is logged at or around the times when the blocked connection attempts show up in the Access Protection Log.

      At this point, I'm stumped. I'm hoping someone on these boards has seen this before and can provide an explanation. I should mention that aside from these log entries, the mail server and the DC are behaving exactly as they should be. It may very well be nothing, but the fact that two services appear to be using a communication mechanism that they are not known for using is pushing my paranoid button.

      If it helps, we are running VirusScan Enterprise 8.5i, managed via ePO 3.6.1, and all the servers are fully patched. A few weeks ago, all the DCs in the domain were upgraded to Win2K3 R2; the messages were logged both before and after the upgrade.

      Thanks in advance for any explanations or leads someone might be able to offer.
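As an added example (not from the original post and not McAfee code), a small Python triage helper for Access Protection log lines in the format quoted above. It parses each entry, counts blocked attempts per process image and destination port, flags core Windows service images that are trying to reach the IRC port range, computes the gap between consecutive attempts so a regular cadence stands out, and matches each event against timestamps taken from another log, which is the correlation the poster did by hand against the DNS debug log. The sample lines are the seven from the post, embedded as a constructed string with the poster's "<mail server ip>" placeholder kept; the service-image list, the 6666-6669 port range and the function names are assumptions.

```python
"""Parse and triage VirusScan Enterprise Access Protection log lines.

Added example for the thread above; not McAfee code. The line format is taken
from the entries quoted in the post. SERVICE_IMAGES (Windows service binaries
that should never originate outbound IRC traffic) and IRC_PORTS are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the seven entries quoted in the post, with the poster's
# "<mail server ip>" placeholder left in place. Raw string because of the backslashes.
SAMPLE_LOG = r"""
2/26/2007 10:44:47 PM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
2/27/2007 3:21:28 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
2/27/2007 5:06:08 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6667
2/27/2007 6:47:54 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
2/27/2007 8:30:26 AM Blocked by port blocking rule C:\WINDOWS\system32\lsass.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
2/27/2007 9:58:26 AM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6666
2/27/2007 12:08:53 PM Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication <mail server ip>:6668
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Blocked by port blocking rule) "
    r"(?P<process>\S+) "                          # full path of the blocked process
    r"(?P<rule>.+?) "                             # "Category:Rule name", may contain ':'
    r"(?P<dest><[^>]+>|[^\s:]+):(?P<port>\d+)$"   # host/IP or the post's "<...>" placeholder, then port
)

# Assumption: service binaries with no legitimate reason to open an IRC session.
SERVICE_IMAGES = {"dns.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "csrss.exe"}
IRC_PORTS = range(6666, 6670)  # 6666-6669, the range the poster sees blocked (assumption)


def parse_line(line):
    """Return a dict for one Access Protection entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    d["port"] = int(d["port"])
    # Basename, case-folded: the log shows both System32 and system32.
    d["image"] = d["process"].rsplit("\\", 1)[-1].lower()
    return d


def parse_log(text):
    """Parse every matching line of a log dump, skipping lines in other formats."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def process_counts(entries):
    """Blocked attempts per process image."""
    return Counter(e["image"] for e in entries)


def flag_unexpected(entries):
    """Entries where a core service image tried to reach an IRC port: the ones worth triaging."""
    return [e for e in entries if e["image"] in SERVICE_IMAGES and e["port"] in IRC_PORTS]


def intervals_seconds(entries):
    """Seconds between consecutive events; a steady cadence points at a scheduled caller."""
    times = sorted(e["time"] for e in entries)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def correlate(entries, other_times, window_s=60):
    """Map each entry's time to events from another log (DNS debug log, Security log)
    within +/- window_s seconds. An empty list means nothing corroborates that attempt."""
    return {
        e["time"]: [t for t in other_times if abs((t - e["time"]).total_seconds()) <= window_s]
        for e in entries
    }


def summarize(entries):
    """One dict a responder can paste into a ticket."""
    return {
        "by_process": dict(process_counts(entries)),
        "by_dest_port": dict(Counter((e["dest"], e["port"]) for e in entries)),
        "flagged": len(flag_unexpected(entries)),
        "intervals_s": intervals_seconds(entries),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(parse_log(SAMPLE_LOG)))
```

The regex takes the destination as either a bare host/IP or an angle-bracketed placeholder, so it runs unchanged on the redacted lines above and on a real export. The cadence list is the quickest way to tell a timer-driven caller from ad-hoc activity, and correlate() is the step to repeat against the DNS debug log and the Security event log with a window wide enough to absorb clock drift between the two hosts.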