Multiple Logs from same IP


  • Multiple Logs from same IP

    Hello,

    We have an Exch 2010 server (all exch roles in the same server).
    All users are connecting via Outlook 2010 (no OWA, no ISA server).
    During the last weeks, the IIS log is getting huge because of weird rpc lines (all coming from the very same workstation internal IP address).

    Can it be a simple technical problem ? Maybe an attack ?

    What do you think about it ?
    How can I debug the issue ?

    Thank you for helping

    Code:
    2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 64 1
    2012-08-12 00:19:54 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074254 2
    2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074254 1
    2012-08-12 00:19:54 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074252 13
    2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 64 2
    2012-08-12 00:19:54 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074254 2
    2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074254 2
    2012-08-12 00:19:54 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074252 16
    2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 64 3
    Last edited by hasdou; 13th August 2012, 16:45.
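
One way to answer "how can I debug the issue?" from the server side is to tally the IIS log per client IP. The following is an added example, not part of the original post; the field order is assumed to be the IIS 7 default W3C layout (the post shows no `#Fields:` header), and the last sample line is constructed.

```python
from collections import Counter, defaultdict

# Assumption: IIS 7 default W3C field order; the post shows no "#Fields:"
# header, so this layout is used unless the log file supplies its own.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

# Names for the sc-win32-status values that occur in the posted lines.
WIN32 = {"64": "ERROR_NETNAME_DELETED",
         "2148074252": "SEC_E_LOGON_DENIED",
         "2148074254": "SEC_E_NO_CREDENTIALS"}

# First four lines are from the post; the last line is constructed.
SAMPLE = r"""
2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 64 1
2012-08-12 00:19:54 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074254 2
2012-08-12 00:19:54 192.168.0.2 RPC_OUT_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074254 1
2012-08-12 00:19:54 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 - 192.168.0.75 MSRPC 401 1 2148074252 13
2012-08-12 00:19:55 192.168.0.2 RPC_IN_DATA /rpc/rpcproxy.dll exch.domain.local:6002 443 DOMAIN\alice 192.168.0.80 MSRPC 200 0 0 120
""".splitlines()

def parse(lines):
    """Yield one dict per request line, honouring a #Fields directive."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated lines
                yield dict(zip(fields, parts))

def summarize(lines):
    """Per client IP: request count, anonymous hits, status and win32 codes."""
    stats = defaultdict(lambda: {"total": 0, "anonymous": 0,
                                 "status": Counter(), "win32": Counter()})
    for rec in parse(lines):
        s = stats[rec["c-ip"]]
        s["total"] += 1
        s["anonymous"] += int(rec["cs-username"] == "-")
        s["status"][f'{rec["sc-status"]}.{rec["sc-substatus"]}'] += 1
        code = rec["sc-win32-status"]
        s["win32"][WIN32.get(code, code)] += 1
    return dict(stats)

def noisy_clients(lines, min_share=0.5):
    """Client IPs responsible for at least min_share of all parsed requests."""
    stats = summarize(lines)
    total = sum(s["total"] for s in stats.values())
    return [ip for ip, s in stats.items() if total and s["total"] / total >= min_share]
```

A client that accounts for most of the log and never appears with an authenticated `cs-username` is the workstation to inspect first, which is where the replies in this thread point.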

  • #2
    Re: Multiple Logs from same IP

    What is wrong with that?
    That is the Outlook Anywhere feature. You may want to look at the workstation to see if it is using HTTPS to connect rather than TCP, but I don't see that as an attack at all.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Multiple Logs from same IP

      Thanks for the reply.
      The strange thing is I got about 5 Gb of logs in two weeks, all coming from the same IP.
      What do you suggest to check on the client side ?



      • #4
        Re: Multiple Logs from same IP

        I believe you were given some pointers in your question on Technet.
        Check if the client is connecting on HTTPS, or just trash the Outlook profile and recreate.

        Simon.


        • #5
          Re: Multiple Logs from same IP

          Did not help, my log files are still growing insanely
          Any other idea ?



          • #6
            Re: Multiple Logs from same IP

            Random guess: A search tool (or other plugin) on the machine maybe, indexing?
            cheers
            Andy


            Quis custodiet ipsos custodes?



            • #7
              Re: Multiple Logs from same IP

              Please check the Outlook anywhere settings,

              Please make sure that "On fast network" and "On Slow Network" settings are ticked.


              Regards
              Technical Director
              www.tecguruz.com
              Ex-Microsoft (Exchange Client & Server Infrastructure Team), MCSA, MCSE, MCITP, MCTS & ITIL Foundation certified



              • #8
                Re: Multiple Logs from same IP

                Originally posted by jedi001:
                    Please check the Outlook anywhere settings,

                    Please make sure that "On fast network" and "On Slow Network" settings are ticked.

                    Regards

                And if Autodiscover is working correctly, those will be changed next time the client runs autodiscover.

                To the OP...
                Posting "Did not help, my log files are still growing insanely" doesn't help - what didn't help? Have you checked whether the client is connecting via HTTP or not?

                Simon.


                • #9
                  Re: Multiple Logs from same IP

                  Actually, re-creating a new Outlook profile solved the problem.
                  No more huge logs.
                  Thank you all for helping.
