Exchange 2003 Server hijacked, need help!
Posted on 2007-11-28
This morning one of our users brought to my attention about 10,000 returned emails sent from his account.
My first assumption was that someone was spoofing his address and spamming, but upon further investigation I am thinking his account was hijacked.
I found this in the event log this morning:
Special privileges assigned to new logon:
User Name: username
Logon ID: (xxxxxxxxx)
This was from about 4:45AM. I am not sure what exactly this means, but I do know he was not working at that time. At about 5AM the mail queues started filling up with outbound mail on our default SMTP virtual server.
I have changed his account type and password, but I am not sure what else I need to do to make sure this issue is resolved. I also need recommendations on settings to check to make sure our Exchange 2003 server is secure.
I am not an Exchange expert, so please be nice. However, since this is an urgent issue for me, I will be giving out 500 points.