This may be much ado about nothing, so hopefully I'm not wasting people's time here.
I'm trying to clean up a network for a friend's business. They have a Dell server running Exchange 2003 and five workstations. They had all kinds of issues and their Exchange Server was set up in a horribly insecure way, they had way too many open ports, completely unencrypted wifi access point and had 1-letter passwords for all user accounts. Their server was hacked into and being used as a relay for a spammer, chewing up almost all their bandwidth. Yeah, not exactly a shining star of security.
Anyway, I cleaned all of that stuff up but when looking at their router now (Kentrox Q2300) they have some log records of TCP/UDP events that I'm unsure of. They still have consistent bandwidth usage throughout the night (no backups or anything are running overnight), roughly 50k up and then spikes of received traffic of about 600k every four hours.
Here's a copy of the two most frequent IP address I'm questioning.
Start session:TCP, SRC=(Private Server IP Address), DST=18.104.22.168:25
Start session:UDP, SRC=(Private Server IP Address), DST=22.214.171.124
So the server is having some contact with these address and I'm trying to figure out what they and why they are being accessed. These are recurring hundreds of times throughout the day, basically constant, and I have no idea what they are. They're not email or users accessing websites from what I can tell.
I did a WHOIS on both addresses, the first is in Moscow and the 2nd is an AT&T server in Texas. They have AT&T DSL so I'm not sure if that's what the Texas as address related to. The Moscow one has me concerned though, though it's using Port 25 so it must be email in some format, correct? No one in my friend's business emails anyone in Russia btw. Here's the WHOIS info...
descr: Moscow Oblastnaya Notarialnaya Palata
status: ASSIGNED PA
source: RIPE # Filtered
role: COMSTAR Telecommunications NOC
address: COMSTAR United Telesystems
address: Smolenskaya-Sennaya Sq., 27, build.2
address: 119121 M
Is this spam, hacking, etc? Something I should just ignore? Any help is appreciated.
Edited by cjt20one, 29 April 2010 - 12:52 PM.