Virus on Exchange Server? Constantly pinging external IPs on Port 445
Hi Experts
I got an e-mail the other day from my ISP saying that there is unusual activity coming from my location and that I should look into it. Apparently my Exchange server (which I setup 2 weeks ago) has been hacked (I am assuming) and it was pinging external IPs on ports 139 and 445.
After I got the message from the ISP I blocked all WAN traffic on my firewall on those ports. The ISP reported that the traffic stopped. Now I have all of this blocked traffic showing up in my logs (pasted below) and i seems to be causing the logon time for the users of my network to be close to 20 minutes when it is usually less than 1 miniute.
My biggest problem right mnow is that I can not figure out what is running on my Exchange server that is causing all of these issues. I have done virus scans and used the Malicious software scanning tool from Microsoft. I have also scanned for Slammer and nothing is coming up.
I am hoping someone out there can share some insight as to what is going on with my server.
Thanks Mucho!
**************LOG FILE**********************
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18807->152.9
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18808->87.17
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18809->142.2
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18810->149.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18811->80.60
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18812->80.44
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18813->80.11
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18814->152.6
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18815->155.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18818->157.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18819->167.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18820->159.4
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18821->84.11
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18822->207.2
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18823->18.95
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18824->139.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18825->128.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18826->65.12
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18827->71.62
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18828->121.6
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18829->125.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18830->146.5
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18831->81.12
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18832->70.52
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18833->68.24
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18834->144.7
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18835->81.28
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18836->8.158
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18837->142.6
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18838->222.2
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18839->147.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18840->58.13
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18841->87.11
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18842->82.2.
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18843->89.21
I got an e-mail the other day from my ISP saying that there is unusual activity coming from my location and that I should look into it. Apparently my Exchange server (which I setup 2 weeks ago) has been hacked (I am assuming) and it was pinging external IPs on ports 139 and 445.
After I got the message from the ISP I blocked all WAN traffic on my firewall on those ports. The ISP reported that the traffic stopped. Now I have all of this blocked traffic showing up in my logs (pasted below) and i seems to be causing the logon time for the users of my network to be close to 20 minutes when it is usually less than 1 miniute.
My biggest problem right mnow is that I can not figure out what is running on my Exchange server that is causing all of these issues. I have done virus scans and used the Malicious software scanning tool from Microsoft. I have also scanned for Slammer and nothing is coming up.
I am hoping someone out there can share some insight as to what is going on with my server.
Thanks Mucho!
**************LOG FILE**********************
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18807->152.9
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18808->87.17
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18809->142.2
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18810->149.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18811->80.60
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18812->80.44
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18813->80.11
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18814->152.6
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18815->155.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18818->157.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18819->167.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18820->159.4
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18821->84.11
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18822->207.2
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18823->18.95
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18824->139.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18825->128.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18826->65.12
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18827->71.62
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18828->121.6
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18829->125.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18830->146.5
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18831->81.12
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18832->70.52
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18833->68.24
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18834->144.7
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18835->81.28
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18836->8.158
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18837->142.6
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18838->222.2
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18839->147.1
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18840->58.13
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18841->87.11
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18842->82.2.
Nov 29 15:16:07 2006 Connection Refused - Policy violation TCP 192.168.1.136:18843->89.21
check you are not open for relay as well
ASKER
No, its my server. My servers internal IP is 192.168.1.136, I'm behind a gateway and I forward traffic to my server from the firewall.
The server has definitly been comprimised.
The server has definitly been comprimised.
ASKER
"check you are not open for relay as well"
Is this turned on by default because I never turned it on (or off if it is open out of the box)
Is this turned on by default because I never turned it on (or off if it is open out of the box)
no its closed out of the box
ASKER
Its closed
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Simon.....I kind f figured that would be my only option.
Now the big question.....can someone point me in the direction of how to backup all my Exchange users, groups, and contacts as well as mailboxes. I don't to lose any of that and I am hoping to save some time after I reinstalled Windows by importing the Exchange settings......IS this at all possible :-(.?????
Thanks
Bryan
Now the big question.....can someone point me in the direction of how to backup all my Exchange users, groups, and contacts as well as mailboxes. I don't to lose any of that and I am hoping to save some time after I reinstalled Windows by importing the Exchange settings......IS this at all possible :-(.?????
Thanks
Bryan
Hope this helps!