• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 242
  • Last Modified:

Exchange 2000 Server compromised?

Hi -

When troubleshooting an on-and-off blacklisting issue for one of our clients, I habitually looked at the 'Allowed IPs' in the ESM.  What blew my mind was when I found an external IP listed - 75.126.45.162.  

Once I removed the IP address, as you may guess the IP address was delisted the same day.

To me, there isn't any logical reason it would be there other than someone purposely placing it there.   But why?   Puzzling.  

It's running on Windows 2000 Sp4
Exchange Server 2000 Sp3
Trend Micro A/V

Ideas?
0
trivalent
Asked:
trivalent
1 Solution
 
Yancey LandrumTechnical Team LeadCommented:
My guess (and that's all it is) is that you have a developer there who is using CodeWarehouse, and wanted to make sure s/he could get e-mails from them. S/he added their website IP address to "Allowed IPs" thinking that this would "whitelist" them.

This is why developers should not have admin access to servers!
0
 
trivalentAuthor Commented:
We still have not uncovered the culprit on this part - but in the end, the blacklisting was caused by a laptop on the network (the CFO's laptop) that was filled with every bit of malware available.  
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now