Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

smtp / exchange exploited

Posted on 2009-05-11
3
Medium Priority
?
392 Views
Last Modified: 2012-05-06
I have a small business server running exchange 2003 sp2.  I know the server is exploited as I can see outbout port 25 traffic moving from the server through the firewall. It has been directing this traffic to an ISP in Las Vegas *.somecaptain.com.  There are NO entries in the exchage queues bound for such a domain.  The queues are backing up terribly because of this traffic and I need the email to flow.

If someone could just point me to some tools to dig into the smtp service a bit, I think I can probably find the problem, but I'm just not sure where to start.

I'm bleary-eyed and should probably provide some more detail, but i need a break and will check back here in a bit
0
Comment
Question by:sjonesin
3 Comments
 
LVL 4

Expert Comment

by:MattShadbolt
ID: 24360130
You're server is probably just relaying mail that it shouldn't be.

First of all, suspend the exchange queue's otherwise your IP will be blacklisted. Secondly, run a relay test (i like http://www.mxtoolbox.com/diagnostic.aspx). If that confirms the server is acting as an open relay then you can resolve the issue easily.

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24363472
If Exchange had been compromised directly then you would see the messages in the queues. If you do not then it is something directly on the server outside of Exchange. That means you need to treat it in the same way that you would clean up a workstation that had been compromised. It also means that someone has been surfing from the server and has visited somewhere they shouldn't have, as almost all compromising of systems are now coming in via browsers.

Simon.
0
 

Accepted Solution

by:
sjonesin earned 0 total points
ID: 24364424
Thanks to both of you gentlemen.  I know relaying is denied.  

And yes, I understand the cleanup concept...Have AVG corporate installed and functioning, yet it didn't even give a hint of a problem, unfortunately.  I will continue my work today and keep you posted.  

Thanks,
steve

0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
Steps to fix error: “Couldn’t mount the database that you specified. Specified database: HU-DB; Error code: An Active Manager operation fail”
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
how to add IIS SMTP to handle application/Scanner relays into office 365.
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question