
EMSX Blocked Exchange Outbound connections


FTL

Solved by Marcos

EMSX has blocked some outbound connections from our Exch server

 

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Time">06/10/2022 14:54:27</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">76.184.134.117:55806</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>


    <RECORD>
      <COLUMN NAME="Time">06/10/2022 14:56:10</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:587</COLUMN>
      <COLUMN NAME="Target">27.147.181.38:48022</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>


    <RECORD>
      <COLUMN NAME="Time">09/10/2022 23:21:31</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:587</COLUMN>
      <COLUMN NAME="Target">165.22.230.190:61953</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>


    <RECORD>
      <COLUMN NAME="Time">01/11/2022 08:37:49</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">204.138.26.219:41471</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
 </LOG>
</ESET>

 

Things being blocked outbound naturally raise suspicion. How do I investigate these further, please?

 

 

Edited by FTL


Test result for 76.184.134.117:

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.

https://www.backscatterer.org/index.php

Edited by itman

OK, had 6 more IPs overnight getting blocked.

All the listed IPs below seem to be reported on the link from Marcos, and comments say brute-force attacks.

ESET scan not finding anything, MBAM not finding anything.

As they are outbound connections being blocked are we saying that the mail server is compromised and one/more of these brute force attacks has been successful?

 

    <RECORD>
      <COLUMN NAME="Time">01/11/2022 23:56:23</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">193.251.180.116:50462</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
    
    <RECORD>
      <COLUMN NAME="Time">01/11/2022 23:56:27</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">189.113.184.5:59338</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
    
    <RECORD>
      <COLUMN NAME="Time">01/11/2022 23:57:04</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">118.150.80.237:38407</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
    
    <RECORD>
      <COLUMN NAME="Time">02/11/2022 02:26:30</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">172.81.45.38:50681</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
    
    <RECORD>
      <COLUMN NAME="Time">02/11/2022 02:27:10</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">117.61.1.194:47785</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
    
    <RECORD>
      <COLUMN NAME="Time">02/11/2022 07:43:07</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">202.165.193.166:38604</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>
    
    <RECORD>
      <COLUMN NAME="Time">02/11/2022 07:44:28</COLUMN>
      <COLUMN NAME="Event">Security vulnerability exploitation attempt</COLUMN>
      <COLUMN NAME="Action">Blocked</COLUMN>
      <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
      <COLUMN NAME="Target">175.100.117.22:48100</COLUMN>
      <COLUMN NAME="Protocol">TCP</COLUMN>
      <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
      <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
      <COLUMN NAME="Hash">8C10F7C821A250FDB04AFCB491CF74090700107D</COLUMN>
      <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
    </RECORD>


  • Administrators
  • Solution

A new firewall module will be put on the pre-release update channel probably this week. In the meantime, consider IP addresses for EsetIpBlacklist.B detections swapped, i.e. the source is actually the target and vice versa.

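As an added example (not from the thread, ESET or Microsoft), a short Python script that parses the export format posted above and applies the correction from the reply: for EsetIpBlacklist.B rows the Source and Target columns are reversed, so once swapped back each record reads as a remote host hitting the server's SMTP listener (25/587) rather than Exchange connecting out. The sample records are constructed from the ones posted above; deciding which side is local by RFC 1918 address is this example's assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the ESET export format posted in this thread
# (two of the records above, trimmed to the columns the analysis needs).
SAMPLE_LOG = r"""<?xml version="1.0" encoding="utf-8" ?>
<ESET><LOG>
  <RECORD>
    <COLUMN NAME="Time">06/10/2022 14:54:27</COLUMN>
    <COLUMN NAME="Source">192.168.1.5:25</COLUMN>
    <COLUMN NAME="Target">76.184.134.117:55806</COLUMN>
    <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
    <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
  </RECORD>
  <RECORD>
    <COLUMN NAME="Time">06/10/2022 14:56:10</COLUMN>
    <COLUMN NAME="Source">192.168.1.5:587</COLUMN>
    <COLUMN NAME="Target">27.147.181.38:48022</COLUMN>
    <COLUMN NAME="Rule/worm name">EsetIpBlacklist.B</COLUMN>
    <COLUMN NAME="Application">D:\Exchange Install Dir\Bin\MSExchangeFrontendTransport.exe</COLUMN>
  </RECORD>
</LOG></ESET>"""

# Rules whose Source/Target columns the export writes reversed (per the reply above).
SWAPPED_RULES = {"EsetIpBlacklist.B"}

def parse_records(xml_text):
    """One dict per <RECORD>, keyed by the COLUMN NAME attribute."""
    root = ET.fromstring(xml_text)
    return [{c.get("NAME"): (c.text or "") for c in rec.findall("COLUMN")}
            for rec in root.iter("RECORD")]

def true_direction(rec):
    """Undo the swap for affected rules, then classify the flow.
    Returns (direction, remote_ip, port): the local listener port for inbound
    flows, the remote service port for outbound ones. Local side = RFC 1918 (assumption)."""
    src, dst = rec["Source"], rec["Target"]
    if rec["Rule/worm name"] in SWAPPED_RULES:
        src, dst = dst, src  # the export has them backwards
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    if ipaddress.ip_address(dst_ip).is_private and not ipaddress.ip_address(src_ip).is_private:
        return "inbound", src_ip, int(dst_port)  # remote host hit our listener
    return "outbound", dst_ip, int(dst_port)

def summarize(xml_text):
    """Count blocked attempts per (direction, remote IP, port) after correction."""
    return Counter(true_direction(r) for r in parse_records(xml_text))
```

Run `summarize(SAMPLE_LOG)` against a full export: anything that still comes out as "outbound" after the correction is the row worth a closer look; the rest is inbound noise against the listener, which is what the thread concludes.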

10 minutes ago, FTL said:

So to confirm I am not infected then, it's a bug in the software?

As I see it, external hackers are trying to attack your Exchange server via exploiting known vulnerabilities. Is your Exchange server fully patched with the latest Microsoft updates?


  • Administrators
15 minutes ago, FTL said:

@Marcos So to confirm I am not infected then, it's a bug in the software?

The detection is correct, the only issue is that the source and target IP addresses are swapped in the log.


I'm getting similar threats being alerted (99+), probably 50-50 inbound and outbound from our Exchange server.

All getting blocked but showing as not resolved.


C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe

 

Event: Security vulnerability exploitation attempt
Detection name: EsetIpBlacklist.B

  • Administrators

Your server is being attacked; that's normal if it's exposed to the Internet. Installing all available security updates won't prevent attacks, but it's highly recommended to install them, e.g. in case ESET is uninstalled in the future and no longer blocks the attacks.


24 minutes ago, itman said:

As I see it, external hackers are trying to attack your Exchange server via exploiting known vulnerabilities. Is your Exchange server fully patched with the latest Microsoft updates?

 

Yup, all patched, both Windows and Exch CU/SU; it's as up to date as it can be :)


  • 2 weeks later...

@Marcos @itman Same here, we are also getting lots of outbound connections blocked from the Exchange server. All unresolved.

Is this a case of source and destination being swapped in the logs, and not some kind of C&C activity from Exchange? It looks very suspicious.

We have our Exchange patched and conducted an ESET full scan: no indicators of malware.


  • 1 month later...
  • Administrators

It will be fixed in the Firewall module 1428.3 which will be most likely put on the pre-release update channel next week with the regular update channel to follow gradually.
