Solved

Exchange 2003 SMTP Server Hacked with Auto sending of junk mails.

Posted on 2006-06-19
10
3,511 Views
Last Modified: 2013-12-04
Help! I am currently facing a huge problems with my Exchange SP-2 2003. Windows 2003 SBS and P-4-3ghz, 1GB RAM, 400GB harddrive.

The Exchange SMTP queue keeps trying to send out junk mails. The Virtual SMTP Server keeps growing in its number of mails like every 100 per second. it used to be 1000 per second until i did the following.

1) Disabled Outgoing SMTP server on router. Isolate external intrusion or spam relay
2) Shutdown all systems in the office.
 3) Stop outbound emails: to enable further troubleshooting, otherwise the system will hang as the SMTP will take up too much memory and crash the server
4) Stop Network Interface. The only network interface. To see if its internal or external factors causing the problem.
5) Stop Exchange Services
6) Deleted SMTP virtual server (reduced 1000 per seconds to 100 per seconds)
7) run Ewido scan to remove any known malwares (none found)
8) Updated Trend Micro officescan AV to latest virus def (it was already updated)
9) Netstat doesn’t show any strange behaviours (no known external ports)
10) Went into IIS to stop all running services (freed up more memory)

Running services that takes up most CPU Processes are:
1) Ewido (malware scanner)
2) PBE server (APC UPS Server)
3) DAVCDATA (IIS component)
4) LSASS, Explorer, Taskmgr, SVCHost, InetInfo

Please help?
0
Comment
Question by:cybera
  • 6
  • 4
10 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
ID: 16939873
I would suggest trying to narrow it down systematically.

The first thing to determine is where the problem is originating from - from the Exchange Server, or from one or more of the Workstations.

Can you explain if you have determined the above? From your description it seems like the problem is not the server but the workstations. Is that true? or are you not sure?

Start by reading this web page, esp. the section on cleaning up the queues and checking for where the email is originating: http://www.amset.info/exchange/spam-cleanup.asp
0
 
LVL 4

Author Comment

by:cybera
ID: 16939891
I manage to locate the answer actually from the same website you found.
http://www.amset.info/exchange/spam-cleanup.asp

I think this solves the problem. will try and monitor.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16939979
That's great. Did you discover the source of the problem. Was it the server being hacked or an open realy, or was it one of the workstations?
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 4

Author Comment

by:cybera
ID: 16940109
Its not workstation as I have sealed the ports to the server.
However, am still figuring out how did the attack came about.
You have any ideas?

I actually use a web based server, use exchange as internal mail resolution and collaboration tool, so i have a pop downloader working and send mails through smarthost through my ISP.

mails are still in queue now. am going to delete them now.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16940148
Before deleting all the mails, you may want to check the section in that above web page titled "Find the Problem".

It covers the most common reasons for this problem, e.g. open relay, NDR attack etc.
0
 
LVL 4

Author Comment

by:cybera
ID: 16949701
I think the problem is related to both OPen relay and NDR. now it has stabilized and has got about 80,000 mails to delete. Hopefully all will be well by end of today. If this is solved, I shall close this case and pass you the points.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16952670
Excellent. Thanks for the update.
0
 
LVL 4

Author Comment

by:cybera
ID: 16978797
Sorry. I tried both checks. I disabled the smtp services, and the mails all get deleted. But after I turned it on again, the same problem repeated itself.

I have followed instructions for Tarpit protection,
I have checked and made sure that no open relay is enabled as instructed by Microsoft,
and I made sure that NDR attack is taken care of as well.

Still, when i turned on the SMTP server, the whole problem re-surfaced! Strange... Any help?
0
 
LVL 4

Author Comment

by:cybera
ID: 16989256
I found the problem. Realized that its due to the queue folder that is jammed up. thats why the mails keep coming in. I found some good references which points to this problem.

Clearing the NDR emails that are stuck in the queue:

In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack
Location of the stuck mails in the folder C:\Program Files\Exchsrvr\Mailroot\vsi 1\queue

Just delete off all mails stuck in the folder. The no. of files here can amount up to 20k. For us, the first time encounter with this problem, the number of emails amounted up to 26-thousanrd.

0
 
LVL 4

Author Comment

by:cybera
ID: 16989262
points will be rewarded to R-K because he is prompt in his response. and highlighted impt security factors that need to be considered.

Though he didnt actually solve the problem, i just want to thank and appreciate him for the effort he puts in.

Thanks for your help!
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question