TCP Port 30005 associated with Process ID store.exe
Has anyone seen client connections to an Exchange 2003 server using TCP Port 30005 associated with process ID store.exe? We see hundreds of these connections on our network and yet no supported document says TCP port 30005 is a known Exchange port. Quick searches show it to be Backdoor.JZ; however, we've done cleans and checked the registry, and the server or clients show no symptoms of this malware/virus. Anyone out there have an idea?
October 25th, 2011 10:27am

I would have thought it's related to RPC calls. Maybe take a WinDump and check.
Sukh
October 25th, 2011 4:33pm

On Tue, 25 Oct 2011 14:18:21 +0000, ShaunGuthrie wrote:
>Has anyone seen client connections to an Exchange 2003 server using TCP Port 30005 associated with process ID store.exe? We see hundreds of these connections on our network and yet no supported document says TCP port 30005 is a known exchange port. Quick searches show it to be Backdoor.JZ however we've done cleans and check the registry and the server or clients show no symptoms of this malware/virus.
>
>Anyone out there have an idea?

Connections to the store may use any port above 1024. The store may listen on a static port (if you assign one), and it _usually_ listens on a port number somewhere around 1026, but that depends on what ports are already in use when the store process starts.

http://technet.microsoft.com/en-us/library/bb331973(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb331973.aspx

3rd-party products may also establish connections (e.g. BlackBerry Enterprise Server) using RPCs.

'netstat -ano |find ":30005" ' should show you the process number that "owns" the port.

This is old, but it may still work: http://www.microsoft.com/download/en/details.aspx?id=9964

---
Rich Matheisen
MCSE+I, Exchange MVP
October 25th, 2011 5:42pm
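An added example, not part of the thread or any poster's code: `find ":30005"` matches the port in either address column, so this parser splits saved `netstat -ano` output into listeners, inbound connections and outbound connections per PID. The sample capture, its addresses and its PIDs are constructed, and `summarize_port` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed `netstat -ano` capture; every address and PID here is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:30005          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:30005         10.0.0.21:1893         ESTABLISHED     4120
  TCP    10.0.0.5:30005         10.0.0.22:2210         ESTABLISHED     4120
  TCP    10.0.0.5:30005         10.0.0.23:1377         TIME_WAIT       0
  TCP    10.0.0.5:3412          10.0.0.9:30005         ESTABLISHED     2288
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local addr:port, foreign addr:port, state, PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def summarize_port(netstat_text, port):
    """Split rows mentioning `port` by role instead of by substring match."""
    listeners = set()      # PIDs with a LISTENING socket on the port
    inbound = Counter()    # (pid, state): the local side is the port
    outbound = Counter()   # (pid, state): the remote side is the port
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue       # headers, UDP rows, blank lines
        _, lport, _, fport, state, pid = m.groups()
        lport, fport, pid = int(lport), int(fport), int(pid)
        if lport == port and state == "LISTENING":
            listeners.add(pid)
        elif lport == port:
            # Windows lists TIME_WAIT sockets under PID 0.
            inbound[(pid, state)] += 1
        elif fport == port:
            outbound[(pid, state)] += 1
    return listeners, inbound, outbound

if __name__ == "__main__":
    listeners, inbound, outbound = summarize_port(SAMPLE, 30005)
    print("listening PIDs:", sorted(listeners))
    print("inbound:", dict(inbound))
    print("outbound:", dict(outbound))
```

Each PID it reports can be resolved to an image name with `tasklist /FI "PID eq <pid>"`.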

The PID is 9252, which is the Store.exe which I had mentioned. Because of seeing Port 30005 listed as this malware/virus, that's what had me concerned. If in fact the store can use any port above 1024 then this may be the case. Just found it odd. Thanks for the help.
October 25th, 2011 5:58pm
