TCP Port 30005 associated with Process ID store.exe
Has anyone seen client connections to an Exchange 2003 server using TCP Port 30005 associated with process ID store.exe? We see hundreds of these connections on our network and yet no supported document says TCP port 30005 is a known exchange port.
Quick searches show it to be Backdoor.JZ; however, we've done cleans and checked the registry, and the server or clients show no symptoms of this malware/virus.
Anyone out there have an idea?
October 25th, 2011 10:27am
I would have thought it's related to RPC calls.
Maybe take a WinDump and check.
Sukh
October 25th, 2011 4:33pm
On Tue, 25 Oct 2011 14:18:21 +0000, ShaunGuthrie wrote:
>Has anyone seen client connections to an Exchange 2003 server using TCP Port 30005 associated with process ID store.exe? We see hundreds of these connections on our network and yet no supported document says TCP port 30005 is a known exchange port. Quick searches show it to be Backdoor.JZ however we've done cleans and check the registry and the server or clients show no symptoms of this malware/virus.
>
>Anyone out there have an idea?
Connections to the store may use any port above 1024. The store may
listen on a static port (if you assign one), and it _usually_ listens
on a port number somewhere around 1026, but that depends on what ports
are already in use when the store process starts.
http://technet.microsoft.com/en-us/library/bb331973(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb331973.aspx
3rd-party products may also establish connections (e.g. BlackBerry
Enterprise Server) using RPCs.
'netstat -ano |find ":30005" ' should show you the process number that
"owns" the port.
This is old, but it may still work:
http://www.microsoft.com/download/en/details.aspx?id=9964
---
Rich Matheisen
MCSE+I, Exchange MVP
October 25th, 2011 5:42pm
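An added example, not part of the original thread: the `netstat -ano` check from the reply above, turned into a parser that matches the local port exactly, joins the owning PID to its image name from `tasklist /FO CSV /NH`, and counts the connected clients. The captures are constructed (documentation addresses, invented memory figures; PID 9252 and store.exe come from the thread), and the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed `netstat -ano` capture (documentation addresses; PID 9252 is from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:30005          0.0.0.0:0              LISTENING       9252
  TCP    192.0.2.10:30005       192.0.2.51:1821        ESTABLISHED     9252
  TCP    192.0.2.10:30005       192.0.2.52:2210        ESTABLISHED     9252
  TCP    192.0.2.10:30005       192.0.2.52:2214        ESTABLISHED     9252
  TCP    192.0.2.10:3389        192.0.2.99:30005       ESTABLISHED     2104
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed `tasklist /FO CSV /NH` capture.
TASKLIST = '''"svchost.exe","812","Console","0","4,120 K"
"store.exe","9252","Console","0","412,880 K"
"svchost.exe","2104","Console","0","6,300 K"
'''

def pid_images(tasklist_csv):
    """Map PID -> lower-cased image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2}

def port_report(netstat_text, tasklist_csv, port, expected_image):
    """Summarise who owns a local TCP port and which clients connect to it."""
    images = pid_images(tasklist_csv)
    owners, clients = {}, Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # header, UDP rows (no State column), blank lines
        _, local, remote, state, pid = f
        # Match the local port exactly; `find ":30005"` also hits foreign ports.
        if local.rsplit(":", 1)[1] != str(port):
            continue
        owners[int(pid)] = images.get(int(pid), "unknown")
        if state == "ESTABLISHED":
            clients[remote.rsplit(":", 1)[0]] += 1
    unexpected = sorted(p for p, img in owners.items() if img != expected_image.lower())
    return {"owners": owners, "clients": dict(clients), "unexpected": unexpected}

if __name__ == "__main__":
    print(port_report(NETSTAT, TASKLIST, 30005, "store.exe"))
```

A matching image name only shows which process holds the socket; it says nothing about the file behind that name.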
The PID is 9252, which is the Store.exe which I had mentioned. Because of seeing Port 30005 listed as this malware/virus, that's what had me concerned. If in fact the store can use any port above 1024 then this may be the case. Just found it odd.
Thanks for the help
October 25th, 2011 5:58pm