Re: Exchange & IIS Services crash with 7031/7034 Errors




arrowtech.clayton.lee@xxxxxxxxx wrote:

<SNIP>

Further Details

On my server that is SBS, I just got a crash at 00:36:28

The firewall and 2K3 server have their clocks synchronised, so it is
easier to pull together the logs on that one (I am having a separate
issue getting access to my firewall to adjust the time for a 3 minute
drift and daylight savings on the other site)

Here is how it went down:

Event log - 7031(IIS)/7034(NNTP)/7034(MS Exchange Routing
Engine)/7034(SMTP) all fall over at 00:36:28

Firewall - SMTP incoming traffic:

00:36:23 FROM 200.119.210.170 (Unresolvable)
00:36:24 FROM 160.83.65.200 (Unresolvable)
00:36:29 FROM 203.94.218.69 (dialup-mum-203.94.218.69.mtnl.net.in)
00:36:31 FROM 203.94.218.69 (dialup-mum-203.94.218.69.mtnl.net.in)
00:36:37 FROM 203.94.218.69 (dialup-mum-203.94.218.69.mtnl.net.in)
00:36:38 FROM 203.94.218.69 (dialup-mum-203.94.218.69.mtnl.net.in)
00:37:58 FROM 64.237.216.98 (adsl-64-237-216-98.prtc.net)

SMTP Logs (we are +11hr on GMT here)

2006-12-04 13:36:01 129.41.76.38 mail2038.rm02.net SMTPSVC1
SERVERNAMECHANGED 192.168.X.X 0 BDAT -
+<26609938.1165239336328.JavaMail.root@xxxxxxxxxx> 250 0 129 86408
20750 SMTP - - - -
2006-12-04 13:36:01 129.41.76.38 mail2038.rm02.net SMTPSVC1
SERVERNAMECHANGED 192.168.X.X 0 QUIT - mail2038.rm02.net 240 23734 69 4
0 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionResponse SMTPSVC1
SERVERNAMECHANGED - 25 - -
220+ESMTP+on+WinWebMail+[3.7.3.1]+ready.++http://www.winwebmail.com 0 0
67 0 188 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionCommand SMTPSVC1
SERVERNAMECHANGED - 25 EHLO - domainchanged.com.au 0 0 4 0 203 SMTP - -
- -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionResponse SMTPSVC1
SERVERNAMECHANGED - 25 - - 250-SIZE 0 0 8 0 391 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionResponse SMTPSVC1
SERVERNAMECHANGED - 25 - - 250+AUTH+LOGIN 0 0 14 0 703 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionCommand SMTPSVC1
SERVERNAMECHANGED - 25 MAIL - FROM:<> 0 0 4 0 703 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionResponse SMTPSVC1
SERVERNAMECHANGED - 25 - - 250+OK 0 0 6 0 906 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionCommand SMTPSVC1
SERVERNAMECHANGED - 25 RCPT - TO:<xxx@xxxxxxx> 0 0 4 0 906 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionResponse SMTPSVC1
SERVERNAMECHANGED - 25 - - 250+OK,+recipient+accepted 0 0 26 0 1094
SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionCommand SMTPSVC1
SERVERNAMECHANGED - 25 DATA - - 0 0 4 0 1094 SMTP - - - -
2006-12-04 13:36:06 61.129.51.171 OutboundConnectionResponse SMTPSVC1
SERVERNAMECHANGED - 25 - -
354+Send+checkpointed+message,+ending+in+CRLF.CRLF 0 0 50 0 1297 SMTP -
- - -
2006-12-04 13:36:26 200.119.210.170 plwrag SMTPSVC1 SERVERNAMECHANGED
192.168.X.X 0 HELO - +plwrag 250 0 50 11 0 SMTP - - - -
2006-12-04 13:36:26 160.83.65.200 imr8.us.db.com SMTPSVC1
SERVERNAMECHANGED 192.168.X.X 0 EHLO - +imr8.us.db.com 250 0 313 19 0
SMTP - - - -
2006-12-04 13:36:26 160.83.65.200 imr8.us.db.com SMTPSVC1
SERVERNAMECHANGED 192.168.X.X 0 MAIL - +From:<xxxxx@xxxxxxxx> 250 0 45
52 0 SMTP - - - -
2006-12-04 13:36:26 160.83.65.200 imr8.us.db.com SMTPSVC1
SERVERNAMECHANGED 192.168.X.X 0 RCPT - +To:<xxxxx@xxxxxxxxx> 250 0 39
36 0 SMTP - - - -
2006-12-04 13:36:27 200.119.210.170 plwrag SMTPSVC1 SERVERNAMECHANGED
192.168.X.X 0 MAIL - +FROM:+<xxx@xxxxxxx> 250 0 43 31 0 SMTP - - - -
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-12-04 13:36:34

It feels to me like it is the 160.83.65.200 that is the source of the
problem, the other crashes have very similar characteristics - an
EHLO/MAIL/RCPT/Crash as if it starts to send the DATA and that is where
everything goes wrong.

Stay tuned for further details at 11.00 :-)
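
The correlation done by hand above, as an added example that is not part of the original post: it shifts the crash time by the stated +11 hour offset, then lists inbound SMTP sessions still open at that moment and the ones that had reached RCPT. The log lines are the post's own inbound entries re-joined onto single lines plus one outbound entry; the field positions and the crash date (2006-12-05 local) are assumptions inferred from those lines, since no #Fields header is shown.

```python
from datetime import datetime, timedelta

# Lines from the post, unwrapped (addresses as redacted there).
LOG = """\
2006-12-04 13:36:01 129.41.76.38 mail2038.rm02.net SMTPSVC1 SERVERNAMECHANGED 192.168.X.X 0 QUIT - mail2038.rm02.net 240 23734 69 4 0 SMTP - - - -
2006-12-04 13:36:05 61.129.51.171 OutboundConnectionCommand SMTPSVC1 SERVERNAMECHANGED - 25 DATA - - 0 0 4 0 1094 SMTP - - - -
2006-12-04 13:36:26 200.119.210.170 plwrag SMTPSVC1 SERVERNAMECHANGED 192.168.X.X 0 HELO - +plwrag 250 0 50 11 0 SMTP - - - -
2006-12-04 13:36:26 160.83.65.200 imr8.us.db.com SMTPSVC1 SERVERNAMECHANGED 192.168.X.X 0 EHLO - +imr8.us.db.com 250 0 313 19 0 SMTP - - - -
2006-12-04 13:36:26 160.83.65.200 imr8.us.db.com SMTPSVC1 SERVERNAMECHANGED 192.168.X.X 0 MAIL - +From:<xxxxx@xxxxxxxx> 250 0 45 52 0 SMTP - - - -
2006-12-04 13:36:26 160.83.65.200 imr8.us.db.com SMTPSVC1 SERVERNAMECHANGED 192.168.X.X 0 RCPT - +To:<xxxxx@xxxxxxxxx> 250 0 39 36 0 SMTP - - - -
2006-12-04 13:36:27 200.119.210.170 plwrag SMTPSVC1 SERVERNAMECHANGED 192.168.X.X 0 MAIL - +FROM:+<xxx@xxxxxxx> 250 0 43 31 0 SMTP - - - -
#Software: Microsoft Internet Information Services 6.0
"""

UTC_OFFSET = timedelta(hours=11)                 # "we are +11hr on GMT here"
CRASH_LOCAL = datetime(2006, 12, 5, 0, 36, 28)   # 7031/7034 events, local time (date assumed)

def parse(log):
    """Yield (utc_time, client_ip, verb) for inbound SMTP log lines only."""
    for line in log.splitlines():
        f = line.split()
        # Skip W3C directives, short lines and outbound deliveries
        # (logged with OutboundConnection* in the fourth field).
        if line.startswith("#") or len(f) < 9 or f[3].startswith("OutboundConnection"):
            continue
        yield datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"), f[2], f[8]

def open_sessions_at(log, crash_local, window=timedelta(seconds=60)):
    """Return {client_ip: [verbs]} seen in the window before the crash with no QUIT.

    Sessions are keyed by client IP, so two connections from one address merge.
    """
    crash_utc = crash_local - UTC_OFFSET         # the SMTP log is written in UTC
    sessions = {}
    for ts, ip, verb in parse(log):
        if crash_utc - window <= ts <= crash_utc:
            sessions.setdefault(ip, []).append(verb)
    return {ip: verbs for ip, verbs in sessions.items() if "QUIT" not in verbs}

def awaiting_data(sessions):
    """Clients whose last logged verb was RCPT, so DATA/BDAT would come next."""
    return [ip for ip, verbs in sessions.items() if verbs[-1] == "RCPT"]

if __name__ == "__main__":
    still_open = open_sessions_at(LOG, CRASH_LOCAL)
    print(still_open)
    print("reached RCPT before the crash:", awaiting_data(still_open))
```

Running the same check over the log from each earlier crash shows whether one client address keeps appearing in the reached-RCPT list.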
