Emergency: SOBER virus and Exchange server

Posted on 2005-05-17
Last Modified: 2013-12-04
I need help fast. I have an Exchange 2000 server and a client on my network is infected with the SOBER worm. Unfortunately I have scanned all my systems in house and all are clean...as well as all my servers.

I have 3 clients that do SMTP/POP3 mail with us totaling about 150 users. I need to find out where this stuff is coming from, and fast. Any suggestions would be appreciated.

Thanks

Mike
Question by: mnichols1202
10 Comments

Expert Comment by: JammyPak (LVL 16), ID: 14020879
- block outbound port 25 on the firewall for all but the mail server (this way if someone internal is infected, you'll stop them from sending mail)
- for mail that you are receiving, look in the 'received' headers of the message, and identify the machine that is initiating the message - that's the person that's out there on the Internet, infected with the worm - block them from coming into the firewall

longer term: get a virus scanner for the mail server so it will block this before the user sees it, or put a mail gateway in place in front of the Exchange server (so it doesn't get overloaded)
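As an added illustration of the 'received' header advice above (example code written for this page, not from the thread): walking the Received: headers from the newest hop down, the first IP that is not one of our own servers is the machine that handed the mail to our edge, which is the one to block at the firewall. The host names, IPs and the message itself are a constructed sample.

```python
import email
import re

# Constructed sample (not from the thread): exch01 and mail are our own servers,
# 203.0.113.77 is the outside host that delivered the worm mail to our edge.
SAMPLE_MESSAGE = """\
Received: from mail.example.test ([10.0.0.5]) by exch01.example.test
  with ESMTP; Tue, 17 May 2005 09:12:03 -0500
Received: from dsl-203-0-113-77.isp.test ([203.0.113.77]) by mail.example.test
  with SMTP; Tue, 17 May 2005 09:12:01 -0500
Received: from localhost ([127.0.0.1]) by dsl-203-0-113-77.isp.test
  with SMTP; Tue, 17 May 2005 09:11:58 -0500
From: forged.sender@example.test
To: user@example.test
Subject: Your new password

see attachment
"""

OUR_HOSTS = {"exch01.example.test", "mail.example.test"}  # assumed server names
OUR_IPS = {"10.0.0.5"}                                     # assumed internal relay IP
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(header):
    """Split one Received: header into (from_ip, by_host); either may be None."""
    text = re.sub(r"\s+", " ", header).strip()
    from_part, _, by_part = text.partition(" by ")
    ip = IP_RE.search(from_part)
    by = re.match(r"(\S+)", by_part.strip())
    by_host = by.group(1).lower().rstrip(";") if by else None
    return (ip.group(1) if ip else None, by_host)


def originating_ip(raw_message, our_hosts=OUR_HOSTS, our_ips=OUR_IPS):
    """Walk Received: headers newest-first and return the first IP that is not
    ours handing mail to one of our servers. Hops below our edge were written by
    the remote side and may be forged, so the walk stops there."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        from_ip, by_host = parse_hop(header)
        if by_host not in our_hosts:
            break
        if from_ip and from_ip not in our_ips:
            return from_ip
    return None
```

The From: line is ignored on purpose, since a worm forges it; only the hop recorded by our own server is trustworthy.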

Expert Comment by: mikeleebrla (LVL 25), ID: 14022216
I'm confused about what is going on..... First you say your network is infected with the Sober worm, then in the very next sentence you say all your systems are clean? Which is it?

Expert Comment by: nedvis (LVL 20), ID: 14023108
Use this updated Stinger Antivirus removal tool from McAfee with updated definitions for Sober.p:
http://downloads.utep.edu/dats/removal/stinger.exe

nedvis

Expert Comment by: JammyPak (LVL 16), ID: 14023554
My assumption was that they are receiving loads of virused emails.

Expert Comment by: mikeleebrla (LVL 25), ID: 14026593
mnichols1202.... where are you??? We can't help you unless you answer our questions so we know exactly what's going on.

Author Comment by: mnichols1202, ID: 14028305
Sorry all... This problem pulled me off site yesterday, so I was unable to check this stream...

Mikeleebrla, my post above states that my local network and servers are clean. The problem is the external users that have email service with us. Those systems are on sites in different states and are beyond my management control. What I need to be able to do is find out exactly where this is coming from. So far it actually looks like the email is coming through my Exchange SMTP service, so the email header is useless (at least so far) and blocking port 25 will not really be effective.

I have scanned every system I can get my hands on and nothing is infected.

A technique that would allow me to log Exchange SMTP user activity might help (just look for the most active user(s)), but I'm unable to figure out how that's done.

Any additional help would be appreciated. And again, sorry about the delay.....


Assisted Solution by: nedvis (LVL 20), earned 200 total points, ID: 14028647
As an administrator, as soon as possible you should send a circular e-mail letter to your Exchange 2000 server users (150) prompting them to run a Sober removal freeware tool, with the links where they can download the tools.

nedvis

Assisted Solution by: JammyPak (LVL 16), earned 600 total points, ID: 14028874
OK, is the email coming from your Exchange server, or to it?

Can you explain a little better just what exactly is happening?

If someone is infected with the worm, they will be generating and sending the emails themselves - they will not be using the Exchange server to do so. So, I'm guessing that someone is infected, and they are sending emails to your users (in this case, your mail server is just receiving the emails)
- in this case, the person could be outside of your control completely (it could be anyone), and you just need to block them at your incoming firewall or set the Exchange server to reject them as a sender. Either that, or get an AV solution to block the virused emails.

Regardless, your Exchange server would not be generating the emails itself, unless the actual server itself is infected with the worm, which is pretty unlikely.

You should be able to see the originating sender in the email header. You could also run Network Monitor and capture the traffic to/from the Exchange server - if the infected person is internal, this should catch it and identify the host.

The other thing that sometimes happens is that the Exchange server gets overloaded trying to generate NDRs for all the bogus emails that it is receiving from an infected user (internal or external). This can temporarily be turned off; see here: http://msmvps.com/bradley/archive/2003/12/20/1220.aspx

Accepted Solution by: r-k (LVL 32), earned 1200 total points, ID: 14031175
Have you tried the Message Tracking feature in Exchange?

See, e.g., http://www.windowsitpro.com/Windows/Article/ArticleID/16006/16006.html

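An added example (written for this page; not Exchange's own tool and not from the thread) of the analysis the author goes on to describe doing with the tracking log, and of the "look for the most active user(s)" idea from the earlier author comment: read the tab-separated log, count messages per submitting client IP, and count the distinct sender addresses each IP used, since a real user sends as one address while a worm forges many. The column names and rows are a constructed sample; the parser takes its column names from the log's own header line, so only the two names it looks up need to match the real log.

```python
from collections import Counter, defaultdict

# Constructed sample of a tab-separated tracking log with a column-header line.
# The layout is assumed for the example, not copied from a real Exchange log.
_HEADER = ["Date", "Time", "client-ip", "Client-hostname",
           "Recipient-Address", "Sender-Address"]
_ROWS = [
    ["2005-5-17", "9:12:01 GMT", "203.0.113.77", "dsl-77", "u1@example.test", "alice@example.test"],
    ["2005-5-17", "9:12:02 GMT", "203.0.113.77", "dsl-77", "u2@example.test", "bob@example.test"],
    ["2005-5-17", "9:12:02 GMT", "203.0.113.77", "dsl-77", "u3@example.test", "carol@example.test"],
    ["2005-5-17", "9:12:03 GMT", "203.0.113.77", "dsl-77", "u4@example.test", "dave@example.test"],
    ["2005-5-17", "9:14:10 GMT", "10.0.0.12", "ws12", "u5@example.test", "alice@example.test"],
    ["2005-5-17", "9:15:30 GMT", "10.0.0.12", "ws12", "u6@example.test", "alice@example.test"],
    ["2005-5-17", "9:16:00 GMT", "10.0.0.13", "ws13", "u7@example.test", "erin@example.test"],
]
SAMPLE_LOG = ("# Message Tracking Log File (constructed sample)\n"
              + "\n".join("\t".join(r) for r in [_HEADER] + _ROWS) + "\n")


def parse_tracking_log(log_text):
    """Yield one dict per data row; the first non-comment line names the columns."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if fields is None:
            fields = cols
            continue
        yield dict(zip(fields, cols))


def busiest_clients(log_text, n=3):
    """Rank submitting client IPs by message count and report how many distinct
    sender addresses each used: one user sends as one address, a worm forges many."""
    count = Counter()
    senders = defaultdict(set)
    for row in parse_tracking_log(log_text):
        ip = row["client-ip"]
        count[ip] += 1
        senders[ip].add(row["Sender-Address"].lower())
    return [(ip, c, len(senders[ip])) for ip, c in count.most_common(n)]
```

On the sample, the top entry is the outside address that submitted four messages under four different sender names, which is the machine the author would block or report.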

Author Comment by: mnichols1202, ID: 14037406
Thanks all for your help. R-K, your solution did it for me; I was able to identify the IP of the offending machine in seconds after starting the logging feature.

Split points for all - however, r-k will get the lion's share!