Server accessing strange IP addresses/sites?


1 reply to this topic

#1 cjt20one


  • Members
  • 1 posts

Posted 29 April 2010 - 12:48 PM

Hi all, not sure if I should put this in here or in the security forums. Please move it if needed.

This may be much ado about nothing, so hopefully I'm not wasting people's time here.


I'm trying to clean up a network for a friend's business. They have a Dell server running Exchange 2003 and five workstations. They had all kinds of issues and their Exchange Server was set up in a horribly insecure way: they had way too many open ports, a completely unencrypted wifi access point, and 1-letter passwords for all user accounts. Their server was hacked into and being used as a relay for a spammer, chewing up almost all their bandwidth. Yeah, not exactly a shining star of security.

Anyway, I cleaned all of that stuff up but when looking at their router now (Kentrox Q2300) they have some log records of TCP/UDP events that I'm unsure of. They still have consistent bandwidth usage throughout the night (no backups or anything are running overnight), roughly 50k up and then spikes of received traffic of about 600k every four hours.

Here's a copy of the two most frequent IP addresses I'm questioning.

Start session:TCP, SRC=(Private Server IP Address), DST=82.204.180.57:25
Start session:UDP, SRC=(Private Server IP Address), DST=68.94.156.1

So the server is having some contact with these addresses and I'm trying to figure out what they are and why they are being accessed. These are recurring hundreds of times throughout the day, basically constant, and I have no idea what they are. They're not email or users accessing websites from what I can tell.

I did a WHOIS on both addresses; the first is in Moscow and the 2nd is an AT&T server in Texas. They have AT&T DSL so I'm not sure if that's what the Texas address is related to. The Moscow one has me concerned, though it's using Port 25 so it must be email in some format, correct? No one in my friend's business emails anyone in Russia btw. Here's the WHOIS info...

inetnum: 82.204.180.0
netname: NotPalata
descr: Moscow Oblastnaya Notarialnaya Palata
country: RU
admin-c: CTN-RIPE
tech-c: CTN-RIPE
status: ASSIGNED PA
mnt-by: COMSTAR-MNT
source: RIPE # Filtered

role: COMSTAR Telecommunications NOC
address: COMSTAR United Telesystems
address: Smolenskaya-Sennaya Sq., 27, build.2
address: 119121 M


Is this spam, hacking, etc? Something I should just ignore? Any help is appreciated.

Edited by cjt20one, 29 April 2010 - 12:52 PM.




#2 CaveDweller2


  • Members
  • 2,629 posts

Posted 29 April 2010 - 06:55 PM

srvmail.satro.ru [82.204.180.57] = last entry of a tracert. That is a mail server in Russia. I'd be concerned, it's a TCP connection, meaning it's back and forth. I'd block that entire subnet. I'd get a packet sniffer and capture some of those packets, see what it is.

dnsr1.sbcglobal.net [68.94.156.1] = last entry of a tracert. Seems to be just a normal type "I'm here" packet sent to their ISP. If they have SBC. It's UDP so it's just 1 way.

Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College
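Both posts above boil down to one defender's task: take the router's session log, count who the server is talking to, and separate the expected traffic (DNS to the ISP's resolver, mail to a known smarthost) from the unexpected (constant outbound TCP/25 to a host nobody in the business should be emailing). The script below is an added example, not code from either poster or from Kentrox; it parses lines in the exact format quoted in the first post and triages them. The log lines, the smarthost address 203.0.113.10 and the web host 198.51.100.7 are constructed sample data; the two real addresses from the thread are used as they appear there.

```python
import re
from collections import Counter

# Router session log format as quoted in the thread (Kentrox Q2300 style):
#   Start session:TCP, SRC=(Private Server IP Address), DST=82.204.180.57:25
# SRC may be a literal IP[:port] or a redacted placeholder in parentheses;
# DST may or may not carry a port (the UDP line in the thread has none).
LOG_RE = re.compile(
    r"Start session:(?P<proto>TCP|UDP),\s*"
    r"SRC=(?P<src>\([^)]*\)|[\d.]+(?::\d+)?),\s*"
    r"DST=(?P<dst>[\d.]+)(?::(?P<port>\d+))?"
)

# Constructed sample log: the two addresses from the thread plus a made-up
# smarthost (203.0.113.10) and a made-up web server (198.51.100.7).
SAMPLE_LOG = [
    "Start session:TCP, SRC=(Private Server IP Address), DST=82.204.180.57:25",
    "Start session:UDP, SRC=(Private Server IP Address), DST=68.94.156.1",
    "Start session:TCP, SRC=(Private Server IP Address), DST=82.204.180.57:25",
    "Start session:UDP, SRC=(Private Server IP Address), DST=68.94.156.1:53",
    "Start session:TCP, SRC=(Private Server IP Address), DST=82.204.180.57:25",
    "Start session:TCP, SRC=192.168.1.10:4431, DST=203.0.113.10:25",
    "Start session:TCP, SRC=(Private Server IP Address), DST=82.204.180.57:25",
    "Start session:TCP, SRC=(Private Server IP Address), DST=198.51.100.7:80",
    "Not a session line at all",
]

# Assumed allowlists: the ISP smarthost the server is supposed to relay
# through, and the ISP resolver the answer above identifies as SBC's DNS.
ALLOWED_SMTP = {"203.0.113.10"}
ISP_DNS = {"68.94.156.1"}


def parse_line(line):
    """Return a dict for a session line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return {"proto": m.group("proto"), "src": m.group("src"),
            "dst": m.group("dst"), "port": port}


def summarize(lines):
    """Count sessions per (protocol, destination, port) tuple."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["proto"], rec["dst"], rec["port"])] += 1
    return counts


def flag_sessions(counts, allowed_smtp, isp_dns):
    """Classify each destination; most frequent first so the top talker leads."""
    findings = []
    for (proto, dst, port), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if proto == "TCP" and port == 25:
            # Outbound SMTP from an internal server should only go to the
            # smarthost; anything else is the pattern of an open relay.
            kind = "OUTBOUND_SMTP_ALLOWED" if dst in allowed_smtp else "OUTBOUND_SMTP_UNEXPECTED"
        elif proto == "UDP" and dst in isp_dns and port in (53, None):
            kind = "ISP_DNS_EXPECTED"
        else:
            kind = "OTHER"
        findings.append((kind, dst, port, n))
    return findings


if __name__ == "__main__":
    for kind, dst, port, n in flag_sessions(summarize(SAMPLE_LOG), ALLOWED_SMTP, ISP_DNS):
        print(f"{kind:26} {dst}:{port if port is not None else '-'}  x{n}")
```

Run against the sample, the top finding is the Moscow host with four TCP/25 sessions tagged unexpected, the smarthost connection is tagged allowed, and both resolver lines are tagged expected DNS. The allowlist assumption only holds if the server relays through a smarthost; an Exchange 2003 box that delivers directly to recipient MX hosts will legitimately hit many port-25 destinations, and the right check there is to match each destination against the Exchange message tracking log to see whether a real user actually sent mail to it.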




