Ghost process connecting from my PC to port 587 on mail server
Hi,
on my PC I obviously have some ghost process or malicious app which is repeatedly connecting to port 587 (SMTP TLS) on my mail server. I can see in the mail server logs:
Mar 14 21:07:02 seven postfix/submission/smtpd[29102]: disconnect from six.mynetwork.com[1.2.81.25] ehlo=2 starttls=1 auth=1 quit=1 commands=5
Mar 14 21:07:12 seven postfix/submission/smtpd[29102]: connect from six.mynetwork.com[1.2.81.25]
Mar 14 21:07:12 seven postfix/submission/smtpd[29102]: Anonymous TLS connection established from six.mynetwork.com[1.2.81.25]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 14 21:07:12 seven postfix/submission/smtpd[29102]: disconnect from six.mynetwork.com[1.2.81.25] ehlo=2 starttls=1 auth=1 quit=1 commands=5
So I dug into finding the source, i.e. what is connecting from my network:
- I thought it must be Outlook. Nope, it is not - I closed it, verified it is closed, and still every 10 seconds the same 587 auth request hits the mail server.
- OK, let's run TCPView and find the guilty process. Nope, TCPView does not show any connection to port 587 at all?!
- Netstat... Nope, it does not see any TCP connection to 587 either. Emmm... this is becoming scary.
- Maybe it's one of my 2 antiviruses. I turned OFF ESET and MBAM AV, but nope, this does not stop the authentication against 587.
- Closed all apps and killed each and every non-essential process... but nope, auth requests via 587 towards my mail server are still coming from my PC.
Any idea how I should find this ghost process? I guess my PC might be compromised.
EDIT: SOLVED!
Using ProcMon I created a view filter to display only process paths which include "587", and it revealed the VeeamDCS.exe process. All clear now; it was trying to send me notifications using outdated credentials.
BUT the question remains: how did other tools like TCPView and netstat not reveal this process in relation to port 587? Actually, the above-mentioned tools did not reveal ANY process related to port 587 at all. How is this possible? Might Windows 11 be weird in that manner? Or is it the VeeamDCS.exe process that is weird?
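The server log above shows each session connecting, authenticating and disconnecting within the same second, and TCPView and netstat are snapshot tools: they read the TCP table once (or every second or so), so a session that lives for a few hundred milliseconds can open and close between two samples. ProcMon records the TCP Connect event itself, which is why it caught the process. The following PowerShell script is an added example, not code from the original post, that reproduces the same attribution by sampling the TCP table at a high rate from an elevated prompt and mapping the owning PID to an executable path. It assumes the built-in NetTCPIP module (Windows 8.1 / Server 2012 R2 and later); the parameter names and the 50 ms interval are my choices.

```powershell
# Added example (not from the original post): catch short-lived outbound connections to the
# mail submission port and attribute them to a process. Run from an elevated PowerShell so
# that OwningProcess is populated for every row. Assumes Get-NetTCPConnection (NetTCPIP module).
param(
    [int]$RemotePort = 587,        # port the "ghost" sessions go to
    [int]$DurationSeconds = 30,    # watch window; the post reports a ~10 s cycle
    [int]$IntervalMs = 50          # sampling interval; one-shot snapshots miss sub-second sessions
)

$seen     = @{}                                   # key "pid|remote" -> first time observed
$deadline = (Get-Date).AddSeconds($DurationSeconds)

while ((Get-Date) -lt $deadline) {
    # Any state is interesting: a very short session may only ever be seen as SynSent,
    # Established, CloseWait or TimeWait. The cmdlet throws when nothing matches, so silence that.
    $conns = Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = "$($c.OwningProcess)|$($c.RemoteAddress)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = Get-Date

        if ($c.OwningProcess -eq 0) {
            # TimeWait rows have no owner any more; they still prove a session happened.
            $name = '<socket already closed, no owner>'
            $path = ''
        } else {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $path = (Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" `
                     -ErrorAction SilentlyContinue).ExecutablePath
        }

        [pscustomobject]@{
            Time    = $seen[$key].ToString('HH:mm:ss.fff')
            State   = $c.State
            Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
            PID     = $c.OwningProcess
            Process = $name
            Path    = $path
        } | Format-List | Out-String | Write-Host
    }
    Start-Sleep -Milliseconds $IntervalMs
}

if ($seen.Count -eq 0) {
    Write-Host "No connections to port $RemotePort observed in $DurationSeconds s."
    Write-Host "Try a longer window, or enable 'Audit Filtering Platform Connection' and look for event ID 5156,"
    Write-Host "which logs every permitted outbound connection together with the application path."
}
```

Save it as, for example, Watch-Port.ps1 and run `.\Watch-Port.ps1 -RemotePort 587 -DurationSeconds 30` as administrator; with a 10-second cycle you should see the owning process within the first cycle. For an event-driven record that needs no polling at all, the Windows Filtering Platform audit event 5156 in the Security log carries the application path for each permitted connection, which is the same kind of evidence ProcMon gave.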