Exchange 2003 Server hijacked, need help!

This morning one of our users brought to my attention about 10,000 returned emails sent from his account.

My first assumption was that someone was spoofing his address and spamming, but upon further investigation I am thinking his account was hijacked.  

I found this in the event log this morning:
Special privileges assigned to new logon:
    User Name:   username
    Domain:      domain
    Logon ID:    (xxxxxxxxx)
    Privileges:  SeSecurityPrivilege

This was from about 4:45AM.  I am not sure what exactly this means, but I do know he was not working at that time.  At about 5AM the mail queues started filling up with outbound mail on our default smtp virtual server.

I have changed his account type and password, but I am not sure what else I need to do to make sure this issue is resolved.  I also need recommendations on settings to check to make sure our Exchange 2003 server is secure.

I am not an exchange expert, so please be nice.  However since this is an urgent issue for me I will be giving out 500 points.  

Sembee Commented:
Exchange doesn't respond with *************

Normally you would see something like this:

220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at
  Thu, 29 Nov 2007 16:22:25 +0000

The queues increase in time for the retry as the time increases, but after 10 hours you should have seen something. Although Exchange by default will timeout all the messages after 48 hours, so the messages may go on their own.

Well, the user had access to changing the group membership? Was that user an administrator?
This kind of message appears when an administrator logs on.

thirdlifesAuthor Commented:
This user was an administrator.  The account is just a domain user as of this issue coming to light.


thirdlifesAuthor Commented:
It still seems like spam is being sent out from that user's account, even though I changed the password.

Where would I check to see if I have an open relay?  
Another issue:
Seems that we are not getting incoming email from outside the office.  :\
To determine where the spam is being sent from, view the headers of the bounced messages.  That should show the path the message took - if your server isn't listed, then it was likely generated outside your organization.

You could also turn on message tracking and view messages that have been sent to see if it is in fact coming from their account.
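The header check suggested above can be automated. The following is an added example (not code from this thread or from any participant): it walks the Received chain of a bounced message and reports whether any hop was handled by one of your own servers. Both sample messages and the hostname exch01.corp.example are constructed placeholders; substitute your Exchange server's real hostname.

```python
import email
import re

# Constructed sample: a bounced message whose Received chain passes through
# the organisation's own Exchange server (placeholder name exch01.corp.example).
SAMPLE_INSIDE = """Received: from exch01.corp.example (exch01.corp.example [192.0.2.10])
\tby mx.victim.example with ESMTP id abc123; Thu, 29 Nov 2007 04:58:11 +0000
Received: from [10.0.0.55] by exch01.corp.example with Microsoft SMTPSVC(6.0.3790.3959);
\tThu, 29 Nov 2007 04:57:40 +0000
From: user@corp.example
To: someone@victim.example
Subject: Claim Now

body
"""

# Constructed sample: same sender address, but the chain never touches our server,
# so the address was merely spoofed from outside.
SAMPLE_OUTSIDE = """Received: from 198.51.100.23 (unknown [198.51.100.23])
\tby mx.victim.example with SMTP id def456; Thu, 29 Nov 2007 04:58:11 +0000
From: user@corp.example
To: someone@victim.example
Subject: Claim Now

body
"""

# Each Received header names the sending host ("from ...") and the receiving host ("by ...").
HOP_RE = re.compile(r"\bfrom\s+(\S+)|\bby\s+(\S+)", re.IGNORECASE)


def received_hosts(raw_message):
    """Return every 'from'/'by' host in the Received headers, top (newest) hop first."""
    msg = email.message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("Received", []):
        for match in HOP_RE.finditer(value):
            host = (match.group(1) or match.group(2)).strip("[]();,")
            hosts.append(host.lower())
    return hosts


def originated_inside(raw_message, our_hosts):
    """True if any hop in the chain was handled by one of our own mail servers."""
    ours = {h.lower() for h in our_hosts}
    return any(host in ours for host in received_hosts(raw_message))


if __name__ == "__main__":
    for label, sample in (("inside", SAMPLE_INSIDE), ("outside", SAMPLE_OUTSIDE)):
        print(label, received_hosts(sample),
              "-> relayed through our server" if originated_inside(sample, ["exch01.corp.example"])
              else "-> spoofed outside our network")
```

Only the hops that appear after the message left your own server can be trusted; a spammer can prepend fake Received lines of their own, so match on the hops your server and your upstream relays added, not on the first line in the chain.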
thirdlifesAuthor Commented:
Message Tracking is enabled and it does show thousands of emails being sent from this user with the subject line of Claim Now.

First, make sure your server isn't a relay and then check that user's system to see if it's being sent from there.
thirdlifesAuthor Commented:
I am not sure how to check if my server is relaying without having telnet access outside of our office.

In the SMTP Virtual Server properties under Access the relay restrictions are set 'Only the list below' and the list is empty.

It does seem that we are not getting inbound or outbound email at the moment.  So now I am wondering if there is a bigger issue at hand.

The event logs do not show any errors other than those failed outgoing spam attempts.
thirdlifesAuthor Commented:
Well at this point I believe the only spam getting sent out is rejected mail from earlier today.  
I can send email outside the office, but I cannot telnet in or send inbound mail from an outside account such as gmail.

Anyone have any thoughts?  I am really stumped.
Very unusual for a user account to be targeted, unless the user has been careless with their password. The usual target is the administrator account for this type of attack.

Exchange ESM is notorious for not showing the true extent of the Exchange queues when the server has been attacked, so messages still being shown is not unusual.
I would suggest that you have a look at my spam cleanup article to begin with:

thirdlifesAuthor Commented:

I actually found that article in another post earlier today and did try most of the steps and that is when I noticed we were unable to get incoming mail.  I am not sure if I screwed something up or if there is something else going on.

I have not been able to telnet into my mail server from an outside account at all today.  That is another issue that I am stumped on.  All the DNS and PTR records look correct.

I am going to call my ISP right now to see if they have any suggestions.
Can you telnet to the server from inside your network? If you can then the ISP has probably blocked port 25 because you are spamming. If you cannot telnet to the server inside then you have probably changed something that you shouldn't have. A common issue is where people turn off anonymous permissions on the SMTP virtual directory.

thirdlifesAuthor Commented:
Telnet internally seems to connect, but that is it.  The response I get is just a bunch of *****.
Then it just hangs.

I went through that entire article you wrote yesterday to try to take care of this issue, but it doesn't seem to be working.

The spam is actually being sent from a user's account here.  I determined that with the MSExchangeTransport events.

I changed the user's account type/password but it seems mail is still going out.   I then tried cleaning up the queues using an SMTP connector, but I do not think it worked. Is there supposed to be a folder/item in the queues with the same name as the SMTP connector I created?

Sorry for all the questions but I am pretty sure that we are still spamming.  :\

If you telnet internally and get a list of ********** then that isn't the Exchange server responding. That is most likely a Cisco PIX.
After changing the user's password, did you restart the SMTP Server service?

If the SMTP connector is working correctly then after the next retry time messages will appear in a single queue with the same name as the SMTP connector.
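The banner test Sembee describes (a real Exchange greeting versus a row of asterisks from a firewall's SMTP inspection) can be scripted so the check is repeatable from inside and outside the network. This is an added example, not code from this thread: it reads only the greeting line from port 25 and classifies what answered. The sample banners are constructed (the Exchange one mirrors the format quoted earlier in the thread; the asterisk banner is a placeholder for a masked greeting), and no host in the block is real.

```python
import re
import socket

# Constructed sample greetings used to exercise the classifier offline.
BANNER_EXCHANGE = ("220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at "
                   "Thu, 29 Nov 2007 16:22:25 +0000")
BANNER_MASKED = "220 ****************************"   # placeholder for a firewall-masked banner
BANNER_OTHER = "220 mail.example.net ESMTP Postfix"   # some non-Exchange MTA

VERSION_RE = re.compile(r"Version:\s*([\d.]+)")


def classify_banner(banner):
    """Label a greeting line: 'exchange', 'masked', 'other', or 'none' (no banner at all)."""
    line = banner.strip()
    if not line:
        return "none"            # connection opened but nothing was sent: a hang, not Exchange
    if not line.startswith("220"):
        return "other"           # 4xx/5xx greeting or something that is not SMTP
    body = line[3:].strip()      # drop the "220 " / "220-" prefix
    if body and body.count("*") >= len(body) // 2:
        return "masked"          # mostly asterisks: a firewall is hiding the real banner
    if "Microsoft ESMTP MAIL Service" in body:
        return "exchange"
    return "other"


def exchange_version(banner):
    """Return the build number from an Exchange banner, or None if absent."""
    match = VERSION_RE.search(banner)
    return match.group(1) if match else None


def fetch_banner(host, port=25, timeout=10):
    """Connect, read the greeting line only, say QUIT, and return it ('' if nothing arrived)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while not data.endswith(b"\n"):
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
            return data.decode("ascii", "replace")
    except OSError:              # refused, unreachable, or timed out with no greeting
        return ""


if __name__ == "__main__":
    for banner in (BANNER_EXCHANGE, BANNER_MASKED, BANNER_OTHER, ""):
        print(repr(banner[:40]), "->", classify_banner(banner), exchange_version(banner))
    # Live check against your own server (hostname is a placeholder):
    # print(classify_banner(fetch_banner("exch01.corp.example")))
```

Run it once from a workstation on the LAN and once from outside: "exchange" inside and "none" outside points at an upstream port 25 block, while "masked" inside means a device between you and the server is rewriting the greeting and is the place to look when the session then hangs.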

thirdlifesAuthor Commented:
"If you telnet internally and get a list of ********** then that isn't the Exchange server responding. That is most likely a Cisco PIX."

We have a Fortinet managed router through our ISP, but we have not had issues with telnet internally before.

"After changing the user's password, did you restart the SMTP Server service? "
Yep several times.

"If the SMTP connector is working correctly then after the next retry time messages will appear in a single queue with the same name as the SMTP connector."

Maybe I didn't wait long enough.  But I set this up about 10 hours ago and have not seen a new queue.  I also restarted the SMTP service after setting this up.
thirdlifesAuthor Commented:
My ISP was also not able to telnet into our server, but they did make sure the ports were open to our mail server.

Email is working both in/out for the first time since this problem arose, so maybe the system was just bogged down from the spam?

Either way I really do appreciate your help.  I know there is only so much you can help with without looking up my skirt, so to speak.
