
Virus? Syn flood? Exchange Server

Status
Not open for further replies.

teqmod

Technical User
Sep 13, 2004
303
US
First off, I am not 100% sure where I should post this one, but this seems like a logical starting point. I have a 2k3 SP1 server running Exchange 2003. Last night I started receiving alerts from our firewall (Cisco PIX) stating "TCP connection denied from ExchangeServer/port to 10.0.0.2/25 flag SYN". Well, the firewall did its job, but I have gone through the Exchange server and not seen anything. This alert comes on the inside interface of the firewall, so I do not believe it is an outside attack. I have run a virus scan on the server and turned up nothing. The Cisco error is so generic it is hard to do a search to try and locate the problem. This error comes every 15 minutes on the dot and just started last night. Has anyone seen this sort of issue before or have any idea where I can go to start looking for the cause?
 
Any host on a 10.x.x.x network is internal (non-internet traffic). Have you identified the device at 10.0.0.2? As you say, it may be "innocuous" in nature, but to be on the safe side, maybe you should track down the device and shut down whatever network port it is connected on.
 
We are not using the 10.0.0.X address space on our network, so there is no 10.0.0.2 machine. The server is trying to connect to the SMTP port, which leads me to think it is trying to propagate something out. Since we do not use this address space, I am certain this is not a legitimate connection. Since this server is connected to the outside world and is responsible for mail, I am a bit concerned. It does not have a public IP but is NATed through the firewall.
 
Here is a capture from Netstat:

Proto Local Address Foreign Address State PID
TCP 192.168.1.234:16568 10.0.0.2:25 SYN_SENT 1620
[inetinfo.exe]
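Added here as an example, not part of the thread: a Python script that applies the two checks discussed above to constructed sample data. It flags SYN_SENT sockets to port 25 whose destination lies outside the site's own address ranges (tied to the owning PID and process, as the netstat capture lists them) and measures how regular the PIX denies are, since a steady interval points to a scheduled or looping job rather than user activity. The site ranges, the extra netstat row and the alert timestamps are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample, modelled on the netstat capture posted in the thread.
NETSTAT_SAMPLE = """\
Proto  Local Address         Foreign Address      State        PID
TCP    192.168.1.234:16568   10.0.0.2:25          SYN_SENT     1620
[inetinfo.exe]
TCP    192.168.1.234:25      192.168.1.50:3388    ESTABLISHED  1620
[inetinfo.exe]
"""
# Constructed PIX alerts in the wording quoted in the thread; timestamps are made up.
PIX_SAMPLE = """\
Sep 12 2004 22:00:07 TCP connection denied from ExchangeServer/16568 to 10.0.0.2/25 flag SYN
Sep 12 2004 22:15:07 TCP connection denied from ExchangeServer/16571 to 10.0.0.2/25 flag SYN
Sep 12 2004 22:30:08 TCP connection denied from ExchangeServer/16590 to 10.0.0.2/25 flag SYN
Sep 12 2004 22:45:07 TCP connection denied from ExchangeServer/16602 to 10.0.0.2/25 flag SYN
"""
# Address space this (hypothetical) site actually uses; 10.0.0.0/8 is deliberately absent.
SITE_NETS = [ip_network("192.168.1.0/24")]

def parse_netstat(text):
    """Return one dict per TCP socket; the [process] line that follows belongs to it."""
    rows, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)", line)
        if m:
            cur = dict(laddr=m[1], lport=int(m[2]), faddr=m[3], fport=int(m[4]),
                       state=m[5], pid=int(m[6]), proc=None)
            rows.append(cur)
        elif cur and line.strip().startswith("["):
            cur["proc"] = line.strip().strip("[]")
    return rows

def unexpected_smtp_clients(rows, site_nets=SITE_NETS):
    """Outbound SMTP attempts to addresses outside the site's own ranges."""
    return [(r["pid"], r["proc"], f'{r["faddr"]}:{r["fport"]}') for r in rows
            if r["fport"] == 25 and r["state"] == "SYN_SENT"
            and not any(ip_address(r["faddr"]) in n for n in site_nets)]

def deny_interval_minutes(text):
    """Median gap between consecutive PIX denies; a steady value suggests a scheduled job."""
    ts = [datetime.strptime(m[1], "%b %d %Y %H:%M:%S") for m in
          re.finditer(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) TCP connection denied", text, re.M)]
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    return round(median(gaps)) if gaps else None
```

On the sample data the first function returns the inetinfo.exe socket to 10.0.0.2:25 and the second returns 15, matching the "every 15 minutes on the dot" pattern described in the thread.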
 