Truly Bizarre outbound traffic when I have open TS connection to DNS server


wsmith_at_wbur.bu.edu
Date: 05/27/04


Date: Thu, 27 May 2004 22:02:12 GMT

The problem is that I am seeing strange outbound TCP traffic being denied by
my firewall (Watchguard Firebox 1000). The outbound traffic originates from
my DC which is also my DNS server and database machine.

Here's my setup: I am running windows 2003 on 3 machines for a public
website. One of these machines is the DC/DB/DNS server and the other 2 are
application servers (basic website stuff)

Here's a description of the "suspicious outbound traffic": The outbound
connections originate from my DC's DMZ LAN (192.168.10.30). The originating
port increments by one for each attempt and generally ranges from 10000 to
60000. The destination port is 3389 (terminal services). The destination
IP is 218.94.68.62 (some server in china).

A typical firewall log entry looks like this:

05/27/04 17:47 firewalld[155]: deny out eth1 48 tcp 20 128 192.168.10.30
218.94.68.62 19287 3389 syn (Terminal-Services)

so you can see my DC using port 19287 trying to connect to
218.94.68.62:3389. This is being denied by my Firewall.

A Slammer worm infection, right? Nope. Why do I think this? Well, this
behavior ONLY happens when I have a Terminal Services connection to the DC
server. When I close that connection, poof!, no more log entries.

Also, This happens no matter what machine I connect from. I have tried
connecting from 2 different office machines and 2 machines at my home.

I have also ruled out an infection on the Terminal Services client: I
reinstalled Windows XP on my test machine at home, patched it all up etc.,
and connected to my DC over Terminal Services. The log entries appeared
immediately. Lastly, I've run Ad-Aware/Spybot and many antivirus programs on
both the server and client to rule out a virus.

Other points:

1. The destination IP is always the same: 218.94.68.62.
2. There are no viruses/trojans/worms etc in the mix here
3. I ran TCPView and discovered that the process creating the outbound
request is explorer.exe. Here is the TCPView record:

  explorer.exe:3568 TCP my.domain.com:19405 218.94.68.62:3389 SYN_SEN

4. I have tried doing a reverse lookup on this ip to get a domain name but
can't find one
5. I have searched my registry/hard drive on both client and server for this
IP and it's not there
6. I have perused the DNS settings for this IP and it does not exist (I
thought maybe at first it was a blackhole dns server like prisoner.iana.org
or something)

The reason I'm sure this is a DNS issue is that 1) the requests originate
from my DNS server and 2) I'm pretty sure that it's not set up correctly.

So, sorry for the long-winded post, but can any DNS/DC gurus shed some light
here? I am a new sysadmin and would like an explanation for this. Thanks
in advance.

William
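The check a practitioner would want to run over log lines like the one William pasted is a simple one: group the denied outbound TCP SYNs by (source, destination, destination port), count them, and confirm the source ports walk upward the way he describes. The following is an added example, not code from the original post or from WatchGuard. It parses the firewalld log format exactly as it appears above; the numeric columns "48", "20" and "128" are not explained on the page, so the parser treats them as opaque and ignores them (an assumption). The sample log lines are constructed for the example, and the extra hosts (203.0.113.9, 198.51.100.53, 192.168.10.31) are documentation addresses, not anything from the post.

```python
"""Flag repeated denied outbound TCP SYNs to one external host in WatchGuard
firewalld log lines shaped like the entry in the post. Added example; the
log lines below are constructed, not taken from a real firewall."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Columns "48", "20" and "128" are not explained on the page; they are
# matched as opaque \S+ tokens and discarded (assumption).
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}) firewalld\[\d+\]: "
    r"(?P<action>allow|deny) (?P<direction>in|out) (?P<iface>\S+) \S+ "
    r"(?P<proto>tcp|udp|icmp) \S+ \S+ "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<sport>\d+) (?P<dport>\d+)"
    r"(?: (?P<flags>[a-z,]+))?(?: \((?P<label>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class Entry:
    timestamp: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    label: str


def parse_lines(lines):
    """Parse firewalld lines into Entry records; lines that do not match the
    format are skipped rather than guessed at."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            timestamp=f"{m['date']} {m['time']}",
            action=m["action"], direction=m["direction"], proto=m["proto"],
            src=m["src"], dst=m["dst"],
            sport=int(m["sport"]), dport=int(m["dport"]),
            flags=m["flags"] or "", label=m["label"] or "",
        ))
    return entries


def repeated_outbound_syn_denies(entries, min_attempts=3):
    """Group denied outbound TCP SYNs by (src, dst, dport). For every group
    with at least min_attempts entries, report the attempt count, the source
    ports in log order, and whether those ports strictly increase, which is
    the pattern of one host retrying through its ephemeral port range."""
    groups = defaultdict(list)
    for e in entries:
        if (e.action == "deny" and e.direction == "out"
                and e.proto == "tcp" and "syn" in e.flags):
            groups[(e.src, e.dst, e.dport)].append(e.sport)
    report = {}
    for key, sports in groups.items():
        if len(sports) >= min_attempts:
            increasing = all(b > a for a, b in zip(sports, sports[1:]))
            report[key] = {"attempts": len(sports),
                           "source_ports": sports,
                           "ports_increase": increasing}
    return report


# Constructed sample: four retries matching the post's pattern, one unrelated
# single deny, one allowed UDP line without flags, and one garbage line.
SAMPLE_LOG = [
    "05/27/04 17:47 firewalld[155]: deny out eth1 48 tcp 20 128 192.168.10.30 218.94.68.62 19287 3389 syn (Terminal-Services)",
    "05/27/04 17:47 firewalld[155]: deny out eth1 48 tcp 20 128 192.168.10.30 218.94.68.62 19288 3389 syn (Terminal-Services)",
    "05/27/04 17:48 firewalld[155]: deny out eth1 48 tcp 20 128 192.168.10.30 218.94.68.62 19289 3389 syn (Terminal-Services)",
    "05/27/04 17:48 firewalld[155]: deny out eth1 48 tcp 20 128 192.168.10.30 218.94.68.62 19290 3389 syn (Terminal-Services)",
    "05/27/04 17:48 firewalld[155]: deny out eth1 40 tcp 20 128 192.168.10.31 203.0.113.9 1077 80 syn (HTTP)",
    "05/27/04 17:49 firewalld[155]: allow out eth1 60 udp 20 128 192.168.10.30 198.51.100.53 1053 53",
    "this line is not a firewalld entry",
]


def summarize(lines=SAMPLE_LOG, min_attempts=3):
    return repeated_outbound_syn_denies(parse_lines(lines), min_attempts)


if __name__ == "__main__":
    for (src, dst, dport), info in summarize().items():
        print(f"{src} -> {dst}:{dport}  attempts={info['attempts']}  "
              f"ports_increase={info['ports_increase']}  "
              f"source_ports={info['source_ports']}")
```

Run against a day's worth of exported firewalld lines, the report separates a single host hammering one destination (the case in the post) from scattered one-off denies, and the `ports_increase` flag is the quick confirmation that the attempts come from one process retrying rather than from many sources. The threshold of three attempts is a starting point to tune, not a rule.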

