Exchange 2000 Server compromised?

Hi -

When troubleshooting an on-and-off blacklisting issue for one of our clients, I habitually looked at the 'Allowed IPs' in the ESM.  What blew my mind was when I found an external IP listed - 75.126.45.162.  

Once I removed the IP address, as you may guess the IP address was delisted the same day.

To me, there isn't any logical reason it would be there other than someone purposely placing it there.   But why?   Puzzling.  

It's running on Windows 2000 Sp4
Exchange Server 2000 Sp3
Trend Micro A/V

Ideas?
LVL 1
trivalentAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Yancey LandrumConnect With a Mentor Technical Team LeadCommented:
My guess (and that's all it is) is that you have a developer there who is using CodeWarehouse, and wanted to make sure s/he could get e-mails from them. S/he added their website IP address to "Allowed IPs" thinking that this would "whitelist" them.

This is why developers should not have admin access to servers!
0
 
trivalentAuthor Commented:
We still have not uncovered the culprit on this part - but in the end, the blacklisting was caused by a laptop on the network (the CFO's laptop) that was filled with every bit of malware available.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.