
Exchange user monitor

There are two users in the organization who are constantly sending packets even though the company is closed and no one is working. Excessive user activity is reported by ExPta and I have located the users by using exchange user monitor. The report is attached. Running exchange 2003 sp2 on win server 2003 enterprise sp2.
I want to know what is going on with these two users and how to stop the activity. Thanks.
user-monitor.csv
Asked: sergenet
Andrej PirmanCommented:
Your USER-MONITOR.CSV file is empty (at least it appears to have only column headers, no useful data).

My suggestion would be to examine those computers on-site, first by analyzing network traffic.
Open a command prompt and type:
NETSTAT -an
and you should see which connections are open/established.
If you see any connections to/from port 25, it is most probably some trojan or virus which is trying to send spam.
Also, it might be some Torrent or p2p application connecting to the outer world.
sergenetAuthor Commented:
Will do and report back. Thanks.
sergenetAuthor Commented:
Got the following on the user computer.
netstat-report-SK.doc
sergenetAuthor Commented:
Can someone follow up with this question please?  Thanks.
sdelucCommented:
Sergenet,

This machine appears to have simple TCPIP services and IIS with FTP installed.  There is no reason to be running Simple TCPIP services.  Remove Simple TCPIP services and IIS if IIS is not needed and rerun the netstat -an.

 TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80            
sergenetAuthor Commented:
I stopped IIS and TCP services and even removed them from the windows programs and still TCP is running when I perform a netstat -an. I am attaching the report. What else could I do to stop those ports from being open? Thanks.
netstat-report-SK.doc
sdelucCommented:
Sergenet,

The PC is holding ports open to 10.0.11.5, 10.0.11.22, 10.11.202 which are your domain controller, file / print servers, correct?  This PC also has a connection to 216.52.233.217 for SSL traffic.  216.52.233.217 is registered to Log-Me-In.  This is probably what is causing your traffic.  Try stopping the Log-Me-In services.

Scott

Andrej PirmanCommented:
You only have Windows networking ports opened, nothing unusual.

What is concerning is a remote control connection:
IP: 216.52.233.217
Host: LogMeIn (LogMeIn gives you the flexibility to access and control your computers from anywhere)

Is this somehow known to you?
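The triage the two answers walk through by hand (spotting Simple TCP/IP Services listeners, an SMTP listener, and an established session to a public address such as the LogMeIn host) can be scripted over saved netstat output. This is an added example, not code from the thread; the sample lines are constructed, and the public address reused from the thread is the one the answers identify as LogMeIn.

```python
import ipaddress
import re

# Ports opened by the Windows "Simple TCP/IP Services" component that the
# answer above says has no business running (echo, discard, daytime, qotd, chargen).
SIMPLE_TCPIP_PORTS = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

# Constructed sample of "netstat -an" output, not the attachment from the thread;
# 216.52.233.217 is the remote-control address the answers above point at.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    10.0.11.50:1045        10.0.11.5:389          ESTABLISHED
  TCP    10.0.11.50:1062        216.52.233.217:443     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Return one dict per connection line; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, foreign, state = m.groups()
        fhost, _, fport = foreign.rpartition(":")
        rows.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows

def triage(rows):
    """Flag Simple TCP/IP listeners, an SMTP listener, and sessions to non-private addresses."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] in SIMPLE_TCPIP_PORTS:
            findings.append(("simple-tcpip", r["lport"], SIMPLE_TCPIP_PORTS[r["lport"]]))
        elif r["state"] == "LISTENING" and r["lport"] == 25:
            findings.append(("smtp-listener", r["lport"], "check whether this host should relay mail"))
        elif r["state"] == "ESTABLISHED":
            try:
                ip = ipaddress.ip_address(r["fhost"])
            except ValueError:
                continue  # not a literal address; nothing to classify
            if not (ip.is_private or ip.is_loopback):
                findings.append(("external-session", r["fhost"], r["fport"]))
    return findings
```

Run `triage(parse_netstat(...))` over a saved `netstat -an` capture; connections to domain controllers and file servers on private ranges are left alone, so only the items worth a follow-up question (as in this thread) remain.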
sergenetAuthor Commented:
Yes. Logmein is ok. We use it to remotely login. If all others are ok, then we are set. Thanks to both of you.
