Exchange Compromised? Possible Botnet

Asked by protechcol (United States of America):

I'm having an issue with an Exchange 2003 server where the queue is slowly filling up with emails it can't send (remote servers come back as non-responding).  The emails are all over the board and I can't find a common thing.  For a while the big email target was fbi.gov; now it seems to be Western Union.  I have scanned for viruses and malware on all of the client's PCs, but come up with nothing.  They have a WatchGuard X55e firewall, so logging is sparse.  I assume I have some sort of botnet on the network somewhere, but I am having trouble tracking it down.  Exchange is running on an SBS 2003 server.
Syed Mutahir Ali (United Kingdom):

http://alanhardisty.wordpress.com/2010/02/11/why-are-my-outbound-queues-filling-up-with-mail-that-we-didnt-send/

Have a read through the article.

Also, make sure that on your firewall only the Exchange server is allowed to use port 25 and no client PCs (not directly related to this problem, but it helps).
pine_nel1:

Hi protechcol,

What do the current sessions under your protocols -> SMTP look like (any pattern there) ?

Thanks

Pine
protechcol (asker):

Mutahir, no, the client doesn't send to the FBI or Western Union.  They are a small local construction company.  I will read Alan's article and see if it answers my problem.

pine_nel1, at this very moment the current sessions are empty (not sure anyone is in the office yet either).  But before, I saw something along the lines of each Exchange user having 10 connections, and then there was a bunch of random SMTP_<jumble of letters and numbers> connections.
Check on www.mxtoolbox.com to see if your server is an open relay.

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

Follow the article too and verify that your system isn't relaying.
I know it's not an open relay.  That was actually the first thing I thought of when this all started.  I had read an article similar to Alan's article, and already changed settings for an NDR attack, which cut down on the emails considerably but not completely.  I used Alan's information on authenticated relay to find out I had 2 AD accounts compromised.  So I disabled one (no longer used) and changed the password on the other.  I will continue to monitor this, but I do believe we are good to go now.  Thanks.
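The authenticated-relay check protechcol describes (working out which AD accounts are being used to authenticate to SMTP) can be scripted. This is an added example, not code from the thread or from Alan's article: it parses the message text of MSExchangeTransport event 1708 as I recall it (the wording is an assumption, as are the CONSTRUCT domain and user names), runs over constructed sample events, and flags accounts that authenticated from an unusual number of distinct client names.

```python
import re
from collections import defaultdict

# Exchange 2003 records a successful SMTP AUTH as MSExchangeTransport event 1708 once
# SMTP Protocol diagnostic logging is raised. The message wording below is assumed
# from memory of that event, not taken from the thread; adjust it if yours differs.
EVENT_1708_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.'
    r'\s*The authentication method was "(?P<method>[^"]+)"'
    r' and the username was "(?P<user>[^"]+)"'
)

# Constructed sample events (hypothetical CONSTRUCT domain and users): one user
# authenticating from their own workstation, one stale account being used from a
# string of unfamiliar client names, plus an unrelated event that must be ignored.
SAMPLE_EVENTS = [
    'SMTP Authentication was performed successfully with client "WORKSTATION01". '
    'The authentication method was "LOGIN" and the username was "CONSTRUCT\\jsmith".',
    'SMTP Authentication was performed successfully with client "WORKSTATION01". '
    'The authentication method was "LOGIN" and the username was "CONSTRUCT\\jsmith".',
    'SMTP Authentication was performed successfully with client "SMTP_a7f3k2". '
    'The authentication method was "LOGIN" and the username was "CONSTRUCT\\old.intern".',
    'SMTP Authentication was performed successfully with client "SMTP_q91xz8". '
    'The authentication method was "LOGIN" and the username was "CONSTRUCT\\old.intern".',
    'SMTP Authentication was performed successfully with client "SMTP_mm02kd". '
    'The authentication method was "LOGIN" and the username was "CONSTRUCT\\old.intern".',
    'SMTP Authentication was performed successfully with client "SMTP_zz1a0b". '
    'The authentication method was "LOGIN" and the username was "CONSTRUCT\\old.intern".',
    'Some other MSExchangeTransport event text that is not an authentication record.',
]


def parse_auth_events(messages):
    """Group event-1708 messages by account: ({user: set of clients}, {user: count})."""
    clients = defaultdict(set)
    counts = defaultdict(int)
    for msg in messages:
        m = EVENT_1708_RE.search(msg)
        if m is None:
            continue  # not an SMTP authentication event
        user = m.group("user").lower()  # AD account names are case-insensitive
        clients[user].add(m.group("client"))
        counts[user] += 1
    return dict(clients), dict(counts)


def suspicious_accounts(messages, max_distinct_clients=2):
    """Accounts that authenticated from more distinct client names than a real
    mailbox user normally would: candidates for a password reset or disabling."""
    clients, _ = parse_auth_events(messages)
    return sorted(u for u, c in clients.items() if len(c) > max_distinct_clients)


if __name__ == "__main__":
    clients, counts = parse_auth_events(SAMPLE_EVENTS)
    for user in suspicious_accounts(SAMPLE_EVENTS):
        print(f"{user}: {counts[user]} AUTHs from {len(clients[user])} clients: {sorted(clients[user])}")
```

Feed it the message text exported from the Application log after raising the diagnostic level, and review any flagged account's legitimate devices before acting on the threshold.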
That's great, Alan's article has helped a lot of people around here and in general.

Glad that it has helped.
The suggested article was exactly what I needed, because unfortunately I was a victim of both types of attack, not one or the other as most articles reflect.