Solved
Virus Clean-up issues

Posted on 2006-11-03
Medium Priority
251 Views
Last Modified: 2010-03-06
Hi-

A few weeks ago, one of my clients' Win2K3 SBS server (running Exchange 2003) got infected with a virus (they had ignored my pleas for installing A/V software, so it never got done. Lo and behold, they finally got a virus infection...go figure!). Of course, yours truly was left to clean up the mess, but that's why they hired me in the first place. It took a long time, and I don't know the name of the virus, since it ran on the server undetected, even AFTER installing A/V software with updated vdefs, and running multiple scans. However, I eventually located the offending EXE (it was a re-generating mutex), and was eventually able to kill it using a tool called "KillBox." This trojan had turned the server into a spamming Zombie [server] and was sending out thousands of spam messages at once. My client is not totally convinced that the server is totally clean, in part because every night around 10-11PM the Exchange information store (store.exe) process runs a higher RAM utilization, which triggers an e-mail event to us (the administrators) - this time of day was usually when the trojan would kick up its spam-sending activity before we "cleaned" it. Below is the alert message that is sent nightly:

"Alert on <servername> at 10/28/2006 11:10:10 PM
The store.exe process is allocating more memory than usual.
Check to see if you are having problems with e-mail. If so, stop and then restart the Microsoft Exchange Information Store service.
You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad."


Ok, after all that "background" information, here's my ACTUAL question:

Do you know of a utility (Microsoft OR third-party) that can create a report of the number of outbound messages on an hourly schedule, and possibly show me the outbound message numbers over the past 24 hours, so that we can see a trend in elevation of the outbound mail queue? I would like to see if there are message spikes at certain times of the day.

Any help would be greatly appreciated.

Thanks,
Brian
Question by:ethernet69
4 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17869275
SBS can do that on its own. There are reporting functions built in.

Otherwise you could enable Message Tracking and then run some processes against the logs it processes.
http://www.amset.info/exchange/message-tracking.asp

However I would start with the built in reporting and see what that says.

Simon.

Author Comment

by:ethernet69
ID: 17869599
Simon-

I don't want to do message tracking, but rather I want to check the 'state' of the SMTP queue - I checked SBS reporting, but found nothing obvious in the Performance/Usage reports section that would show what I want to know :-(

Brian
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 17869677
There is definitely something in the SBS reports because it crops up on here every so often with people asking how "administrator" could send 2500 in 24 hours. SBS queries though are best put in the SBS topic area, where I expect Jeff will be able to confirm.

The only other way you would get something is to use logging on the SMTP virtual server, then something to process those logs. They are standard IIS formatted logs so are easily processed by any number of applications.

If that was one of my servers that had been compromised I wouldn't have repaired it. It would have had its data lifted and then been wiped. You cannot be sure what else has got on there.

I doubt whether this is bot related at all. Bots, trojans whatever you want to call them just don't use any applications on the host for sending their stuff. That makes them easy to spot.
Furthermore, in my experience, if the Exchange server is being used to send email then it leaves a mess behind in the form of lots of undeliverable messages. Spammers' lists are not known for being very clean.

As for the message you are getting, you do know that Exchange is designed to use as much RAM as it requires. You are also aware that Exchange runs nightly maintenance on its database. One of the time windows you can use for that starts at 11pm. You may want to check the maintenance window setting in ESM to see when this server is set to run.

Simon.
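The hourly outbound count the question asks for, built from the SMTP virtual server logging Simon describes above. This is an added example, not code from the thread, from Microsoft or from the amset.info page; it assumes the SMTP virtual server writes W3C extended format logs with a `#Fields:` header and that commands the service sends on outbound connections are logged with `cs-username` set to `OutboundConnectionCommand` and the SMTP verb in `cs-method`. The log lines, the server and IP names and the trimmed field list are constructed for the example; each outbound `DATA` is counted as one message and each outbound `RCPT` as one recipient, and an hour is flagged when its message count exceeds a multiple of the median hour.

```python
"""Hourly outbound-message trend from Exchange 2003 SMTP virtual server logs.

Added example (not from the thread). Assumptions, all labelled here:
  * W3C extended log format with a '#Fields:' header line.
  * Outbound commands carry cs-username 'OutboundConnectionCommand'.
  * The sample below is constructed; the field list is trimmed for brevity
    (the parser keys columns by the header, so the full list works too).
"""
from statistics import median

OUTBOUND_MARKER = "OutboundConnectionCommand"  # assumed cs-username for outbound verbs

# Constructed sample: one outbound message at 09h (plus one inbound DATA that
# must be ignored), two at 14h, five at 23h, the hour the alert fires.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-28 00:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version
2006-10-28 09:15:02 192.0.2.10 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<a@example.net> 0 0 4 0 0 SMTP
2006-10-28 09:15:03 192.0.2.10 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 09:15:03 198.51.100.7 - SMTPSVC1 SERVER01 203.0.113.5 25 DATA - - 250 0 4 0 0 SMTP
2006-10-28 14:02:10 192.0.2.20 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<b@example.net> 0 0 4 0 0 SMTP
2006-10-28 14:02:10 192.0.2.20 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 14:40:55 192.0.2.21 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<c@example.org> 0 0 4 0 0 SMTP
2006-10-28 14:40:55 192.0.2.21 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 23:05:00 192.0.2.30 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<d@example.net> 0 0 4 0 0 SMTP
2006-10-28 23:05:00 192.0.2.30 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<e@example.net> 0 0 4 0 0 SMTP
2006-10-28 23:05:01 192.0.2.30 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 23:05:04 192.0.2.31 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<f@example.org> 0 0 4 0 0 SMTP
2006-10-28 23:05:04 192.0.2.31 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 23:05:09 192.0.2.32 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<g@example.org> 0 0 4 0 0 SMTP
2006-10-28 23:05:09 192.0.2.32 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 23:06:12 192.0.2.33 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<h@example.net> 0 0 4 0 0 SMTP
2006-10-28 23:06:12 192.0.2.33 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
2006-10-28 23:06:30 192.0.2.34 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 RCPT - +TO:+<i@example.net> 0 0 4 0 0 SMTP
2006-10-28 23:06:30 192.0.2.34 OutboundConnectionCommand SMTPSVC1 SERVER01 - 25 DATA - - 0 0 4 0 0 SMTP
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # header may repeat per log file
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()  # W3C encodes spaces inside a value as '+'
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines rather than miscount
        rows.append(dict(zip(fields, values)))
    return rows


def outbound_per_hour(rows):
    """Bucket outbound DATA (messages) and RCPT (recipients) counts by hour."""
    per_hour = {}
    for row in rows:
        if row.get("cs-username") != OUTBOUND_MARKER:
            continue  # inbound traffic or responses: not what we are trending
        hour = f"{row['date']} {row['time'][:2]}"
        bucket = per_hour.setdefault(hour, {"messages": 0, "recipients": 0})
        verb = row.get("cs-method", "").upper()
        if verb == "DATA":
            bucket["messages"] += 1
        elif verb == "RCPT":
            bucket["recipients"] += 1
    return per_hour


def spike_hours(per_hour, factor=2.0):
    """Hours whose message count exceeds `factor` times the median hour."""
    counts = [b["messages"] for b in per_hour.values()]
    if not counts:
        return []
    baseline = median(counts)
    return sorted(h for h, b in per_hour.items() if b["messages"] > factor * baseline)


def report(per_hour):
    """Plain-text trend lines, one per hour, spikes marked with '<<'."""
    spikes = set(spike_hours(per_hour))
    return [
        f"{hour}:00  messages={b['messages']:4d}  recipients={b['recipients']:4d}"
        + ("  <<" if hour in spikes else "")
        for hour, b in sorted(per_hour.items())
    ]


if __name__ == "__main__":
    hourly = outbound_per_hour(parse_w3c(SAMPLE_LOG))
    print("\n".join(report(hourly)))
```

Point the script at the SMTP virtual server's log directory instead of `SAMPLE_LOG` and run it from a scheduled task to get the hourly snapshot the question asks for; the median-based flag is deliberately crude, and for a server that legitimately sends newsletters at a fixed hour a per-hour baseline from a clean week is a better comparison than the median of one day.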
