Solved

Virus on Exchange Server?  Constantly pinging external IPs on Port 445

Posted on 2006-11-29
8
779 Views
Last Modified: 2012-08-14
Hi Experts

I got an e-mail the other day from my ISP saying that there is unusual activity coming from my location and that I should look into it.  Apparently my Exchange server (which I setup 2 weeks ago) has been hacked (I am assuming)  and it was pinging external IPs on ports 139 and 445.

After I got the message from the ISP I blocked all WAN traffic on my firewall on those ports.  The ISP reported that the traffic stopped.  Now I have all of this blocked traffic showing up in my logs (pasted below) and it seems to be causing the logon time for the users of my network to be close to 20 minutes when it is usually less than 1 minute.

My biggest problem right now is that I can not figure out what is running on my Exchange server that is causing all of these issues.  I have done virus scans and used the Malicious Software Removal Tool from Microsoft.  I have also scanned for Slammer and nothing is coming up.

I am hoping someone out there can share some insight as to what is going on with my server.

Thanks Mucho!

**************LOG FILE***********************

Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18807->152.94.119.33:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18808->87.170.33.34:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18809->142.251.55.248:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18810->149.151.150.199:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18811->80.60.241.100:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18812->80.44.252.27:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18813->80.118.122.113:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18814->152.68.85.232:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18815->155.103.243.83:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18818->157.118.168.236:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18819->167.115.103.233:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18820->159.48.189.224:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18821->84.119.128.0:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18822->207.229.200.44:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18823->18.95.150.162:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18824->139.178.236.238:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18825->128.18.154.18:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18826->65.129.195.204:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18827->71.62.242.138:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18828->121.68.132.192:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18829->125.121.107.91:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18830->146.59.131.80:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18831->81.121.42.103:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18832->70.52.64.122:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18833->68.242.237.102:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18834->144.71.150.245:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18835->81.28.167.90:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18836->8.158.186.80:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18837->142.60.125.65:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18838->222.224.224.158:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18839->147.102.210.243:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18840->58.134.143.53:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18841->87.119.7.189:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18842->82.2.188.156:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18843->89.218.252.236:445 on ixp0


0
Comment
Question by:xactdesign
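The log above shows one internal host opening connections to many unrelated external addresses on port 445 within the same second, which is the fan-out pattern of a worm or bot scanning for SMB. The following script is an added example (not code from the original thread or from any product named in it) that parses firewall log lines in the same format as the ones quoted, groups events by source host, and flags any host that reached at least a threshold of distinct targets on ports 139 or 445 within a sliding time window. The sample lines, the threshold (5 targets) and the window (60 seconds) are constructed assumptions for illustration; the regex is written for the exact field layout shown in the question.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, in the same layout as the firewall log quoted in the
# question. Addresses and timestamps are illustrative, not real hosts.
SAMPLE_LOG = """\
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18807->152.94.119.33:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18808->87.170.33.34:445 on ixp0
Nov 29 15:16:07 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18809->142.251.55.248:445 on ixp0
Nov 29 15:16:08 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18810->149.151.150.199:139 on ixp0
Nov 29 15:16:08 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18811->80.60.241.100:445 on ixp0
Nov 29 15:16:09 2006    Connection Refused - Policy violation    TCP 192.168.1.136:18812->80.44.252.27:445 on ixp0
Nov 29 15:16:09 2006    Connection Refused - Policy violation    TCP 192.168.1.50:51022->203.0.113.10:443 on ixp0
Nov 29 15:16:10 2006    Connection Refused - Policy violation    TCP 192.168.1.50:51023->203.0.113.10:445 on ixp0
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# One regex for the whole line: timestamp, free-text message, protocol,
# src:port->dst:port and the interface name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<msg>.*?)\s+"
    r"(?P<proto>TCP|UDP) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) on (?P<iface>\S+)$"
)


def parse_log(lines):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
            "msg": m["msg"],
            "proto": m["proto"],
            "src": m["src"],
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "iface": m["iface"],
        }


def find_smb_scanners(lines, window_seconds=60, min_distinct_targets=5):
    """Return {src_ip: summary} for every source that contacted at least
    min_distinct_targets distinct hosts on 139/445 inside any sliding window
    of window_seconds. A single blocked SMB connection is not flagged; the
    signal is the fan-out to many unrelated targets."""
    by_src = defaultdict(list)
    for ev in parse_log(lines):
        if ev["dport"] in SMB_PORTS:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological; tuples sort by timestamp first
        in_window = Counter()  # distinct destinations inside the current window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window fits in window_seconds.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= min_distinct_targets:
            findings[src] = {
                "distinct_targets": best,
                "first_seen": events[0][0],
                "last_seen": events[-1][0],
                "total_smb_attempts": len(events),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['distinct_targets']} distinct SMB targets, "
              f"{info['total_smb_attempts']} attempts between "
              f"{info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}")
```

Run against the real log, the output names the internal address to go and look at first (in the thread, 192.168.1.136); a host with a single refused SMB connection, like the second source in the constructed sample, is left alone. The same grouping also answers the first expert's question of whether the traffic comes from the server or from a workstation.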
8 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 18040285
What machine internally has the IP address 192.168.1.136?  That's the machine that is creating the traffic.  My guess is that it's a workstation, not your server, that has been compromised.

Hope this helps!
0
 
LVL 16

Expert Comment

by:poweruser32
ID: 18040329
check you are not open for relay as well
0
 
LVL 2

Author Comment

by:xactdesign
ID: 18040347
No, it's my server.  My server's internal IP is 192.168.1.136, I'm behind a gateway and I forward traffic to my server from the firewall.

The server has definitely been compromised.
0
 
LVL 2

Author Comment

by:xactdesign
ID: 18040365
"check you are not open for relay as well"

Is this turned on by default? I never turned it on (or off, if it is open out of the box).
0

 
LVL 16

Expert Comment

by:poweruser32
ID: 18040387
No, it's closed out of the box.
0
 
LVL 2

Author Comment

by:xactdesign
ID: 18040437
It's closed.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 18040446
139 and 445 are NETBIOS ports.
As the machine should not be looking at netbios ports I would therefore conclude that the machine has been compromised.

Trying to clean a compromised machine is a pointless exercise. Get your data off the machine as quickly as you can, change your administrator password, reboot all servers, and make your users change all of their passwords and reboot. That machine needs to be wiped and rebuilt. Nothing else will guarantee to get the machine clean.

Rebuild it and install all of the latest patches and updates from Microsoft before even considering putting it back on the internet.
Ensure that the number of ports that are open to the internet is limited. Exchange only needs two: 25 (SMTP) and 443 (HTTPS). You do not need any other ports.

Simon.
0
 
LVL 2

Author Comment

by:xactdesign
ID: 18041610
Thanks Simon.....I kind of figured that would be my only option.

Now the big question.....can someone point me in the direction of how to back up all my Exchange users, groups, and contacts as well as mailboxes?  I don't want to lose any of that and I am hoping to save some time after I reinstall Windows by importing the Exchange settings......Is this at all possible? :-(

Thanks
Bryan
0
