
SBS 2011 calling domain name repeatedly on different ports


  • SBS 2011 calling domain name repeatedly on different ports

    G'day team
    we're having a very strange problem occur on our network and it's a bug that is killing our network.
    we're hosting our website externally, but for some reason, our SBS2011 box is making several calls (every two minutes) to this domain name. The server host is receiving two errors. They are:

    2012-07-20 02:55:06 dovecot_login authenticator failed for XXX-XX-YYY-ZZ.static.isp.com.au (SERVER1.domain.local) [219.90.192.48]:13283: 535 Incorrect authentication data

    and

    [Fri Jul 20 07:52:46 2012] [error] [client 219.90.192.48] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((??:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "host.domain.com.au"] [uri "/"] [unique_id "UAiBrm7ocugAAAhsaIsAAAAC"]

    now, I've been running countless logs trying to work out the problem. It seems that there is a call made to a port one minute, and then the port number changes. for example, the first error has port 13283. The next had 13284 and so on. It's like something is trying to sniff its way out of the network.
    I thought it may have been LDAP to start with, but the source ports also keep changing.
    If it was LDAP, why would it try to call our domain name anyway?
    Can someone point me in the right direction? perhaps a configuration setting is out there?
    Cheers
    Matt

  • #2
    Re: SBS 2011 calling domain name repeatedly on different ports

    oh, here's one - could this be related to spam?
    if a spam email comes in (or if someone tries to relay off our server) would the SBS box try to make an outward call if it failed to authenticate?



    • #3
      Re: SBS 2011 calling domain name repeatedly on different ports

      and one other thing. we used to host our own website. We then redirected DNS on our ISP's servers to our host's server.
      perhaps something on the SBS box is trying to call out to the old address?



      • #4
        Re: SBS 2011 calling domain name repeatedly on different ports

        the first part - dovecot/imap - suggests that something is polling the imap/pop3 server.
        Are you using a pop3 connector?


        With the data logging you're already doing, you can see which port it's using; obviously it changes for every call.
        Can you see this in real time? (i.e., Wireshark perhaps?)

        If so, try running netstat -nao | find /i "port" at the same time
        Code:
        C:\Users\andrew>netstat -nao | find /i "55852"
          TCP    192.168.87.38:55852    167.216.129.11:443     ESTABLISHED     6064
        on the far right, you see process ID (in this case, 6064)
        a bit more judicious command line jigger-pokery

        Code:
        C:\Users\andrew>tasklist /svc | find /i "6064"
        chrome.exe                    6064 N/A
        tells me it's Chrome.
        (Of course.. you could also use taskmgr, but I felt like stickin with cli..)


        on a side note.. is this a situation you have inherited? Is there some sort of line-of-business application running?
        Last edited by tehcamel; 23rd July 2012, 03:38.
        Please do show your appreciation to those who assist you by leaving Rep Point
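
The lookup described in post #4 (netstat -nao for the PID, then tasklist for the name) turned into a polling loop, since the source port changes on every call and the connection may be gone before it can be looked up by hand. This is an added example, not part of the original thread; the remote address, poll interval and log path are placeholder assumptions, and it parses netstat output so that it also runs on the PowerShell 2.0 shipped with SBS 2011.

```powershell
# Added example, not from the thread: poll netstat and log the process that
# owns each new TCP connection to one remote address, whatever the source port.
# ASSUMPTION: 203.0.113.10 is a placeholder; pass the address your server is
# seen connecting to. The log path and poll interval are also illustrative.
param(
    [string]$RemoteIp   = '203.0.113.10',
    [int]   $IntervalMs = 500,
    [string]$LogPath    = "$env:TEMP\conn-owner.log"
)

$seen = @{}   # "local endpoint|PID" pairs already logged

while ($true) {
    foreach ($line in (netstat -nao -p TCP)) {
        # Data rows have five columns: Proto, Local, Foreign, State, PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }

        # Once a socket is in TIME_WAIT netstat reports PID 0; the owner is gone.
        if ($f[3] -eq 'TIME_WAIT') { continue }

        $remote = $f[2]
        if ($remote.Substring(0, $remote.LastIndexOf(':')) -ne $RemoteIp) { continue }

        $key = "$($f[1])|$($f[4])"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        $procId = [int]$f[4]
        $name = '(exited)'
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc) { $name = $proc.ProcessName }

        # Services hosted in that process, which matters when it is svchost.exe
        $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
                  ForEach-Object { $_.Name }) -join ';'

        $entry = '{0} {1} -> {2} {3} pid={4} process={5} services={6}' -f `
            (Get-Date).ToString('s'), $f[1], $remote, $f[3], $procId, $name, $svcs
        Write-Host $entry
        Add-Content -Path $LogPath -Value $entry
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Run it from an elevated prompt and leave it going across a few of the two-minute cycles; a connection that opens and closes between two polls will still be missed, so shorten the interval if nothing is logged.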



        • #5
          Re: SBS 2011 calling domain name repeatedly on different ports

          yeh - i've tried that as well and ended up back at square one.
          I was able to resolve that "something" was making calls but couldn't work out what service.

          LDAP appeared to show up several times.

          no POP3 connector configured



          • #6
            Re: SBS 2011 calling domain name repeatedly on different ports

            found the problem
            Backup Exec was running and failing. It tried sending emails to the old IP address.
            solved



            • #7
              Re: SBS 2011 calling domain name repeatedly on different ports

              Thanks for posting back the fix
              TIA

              Steven Teiger [SBS-MVP(2003-2009)]
              http://www.wintra.co.il/
              I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

              We don't stop playing because we grow old, we grow old because we stop playing.
