Exchange user monitor

There are two users in the organization who are constantly sending packets even though the company is closed and no one is working. Excessive user activity is reported by ExPta and I have located the users by using exchange user monitor. The report is attached. Running exchange 2003 sp2 on win server 2003 enterprise sp2.
I want to know what is going on with these two users and how to stop the activity. Thanks.
user-monitor.csv
sergenetAsked:
Andrej PirmanCommented:
Your USER-MONITOR.CSV file is empty (at least it appears to have only column headers, no useful data).

My suggestion would be to examine those computers on-site, first by analyzing network traffic. Open a command prompt and type:
NETSTAT -an
and you should see which connections are open/established.
If you see any connections to/from port 25, it is most probably some trojan or virus which is trying to send spam.
Also, it might be some Torrent or p2p application connecting to the outer world.
 
sergenetAuthor Commented:
Will do and report back. Thanks.
 
sergenetAuthor Commented:
Got the following on the user computer.
netstat-report-SK.doc
 
sergenetAuthor Commented:
Can someone follow up with this question please?  Thanks.
 
sdelucCommented:
Sergenet,

This machine appears to have simple TCPIP services and IIS with FTP installed.  There is no reason to be running Simple TCPIP services.  Remove Simple TCPIP services and IIS if IIS is not needed and rerun the netstat -an.

  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80            
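As an added illustration (not part of the thread), the following Python script automates the triage that the two answers above do by eye: it parses `netstat -an` output and flags Simple TCP/IP Services ports, SMTP sockets, and established sessions with external (non-private) hosts. The sample output is constructed from the LISTENING lines quoted above plus two invented ESTABLISHED rows; the workstation address 10.0.11.50 and the peer ports are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: the LISTENING lines quoted in the thread plus two
# invented ESTABLISHED rows (a LAN file server and an external HTTPS peer).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    10.0.11.50:1034        10.0.11.22:445         ESTABLISHED
  TCP    10.0.11.50:1041        216.52.233.217:443     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports opened by the Windows "Simple TCP/IP Services" component.
SIMPLE_TCPIP_PORTS = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

# Proto, local addr:port, foreign addr:port, optional state; header lines do not match.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")

def parse_netstat(text):
    """Turn `netstat -an` output into a list of dicts, skipping non-socket lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                         "foreign": faddr.strip("[]"), "fport": fport, "state": state})
    return rows

def triage(rows):
    """Return (local, foreign, reason) tuples for sockets worth a second look."""
    findings = []
    for r in rows:
        key = (f"{r['local']}:{r['lport']}", f"{r['foreign']}:{r['fport']}")
        if r["state"] == "LISTENING" and r["lport"] in SIMPLE_TCPIP_PORTS:
            findings.append(key + (f"simple TCP/IP service ({SIMPLE_TCPIP_PORTS[r['lport']]})",))
        if r["lport"] == 25 or r["fport"] == "25":
            findings.append(key + ("SMTP socket on a workstation",))
        if r["state"] == "ESTABLISHED" and ip_address(r["foreign"]).is_global:
            findings.append(key + ("established session with an external host",))
    return findings

if __name__ == "__main__":
    for local, foreign, reason in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{local:<22} {foreign:<22} {reason}")
```

Pipe real output in with `netstat -an > netstat.txt` and read that file instead of SAMPLE_NETSTAT; an external peer such as the LogMeIn address is reported so you can confirm it is expected, as happened in this thread.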
 
sergenetAuthor Commented:
I stopped IIS and TCP services and even removed them from the windows programs and still TCP is running when I perform a netstat -an. I am attaching the report. What else could I do to stop those ports from being open? Thanks.
netstat-report-SK.doc
 
sdelucCommented:
Sergenet,

The PC is holding ports open to 10.0.11.5, 10.0.11.22, 10.11.202 which are your domain controller, file / print servers, correct?  This PC also has a connection to 216.52.233.217 for SSL traffic.  216.52.233.217 is registered to Log-Me-In.  This is probably what is causing your traffic.  Try stopping the Log-Me-In services.

Scott

 
Andrej PirmanCommented:
You only have Windows networking ports opened, nothing unusual.

What is concerning is a remote control connection:
IP: 216.52.233.217
Host: LogMeIn (LogMeIn gives you the flexibility to access and control your computers from anywhere)

Is this somehow known to you?
 
sergenetAuthor Commented:
Yes. Logmein is ok. We use it to remotely login. If all others are ok, then we are set. Thanks to both of you.