Solved

SBS 2003 Server must be rebooted every other day

Posted on 2011-02-23
Last Modified: 2012-05-11
I support a SBS 2003 server that is fully updated and patched.  It was hacked into 9 days ago and used as a Spam relay.  I have fixed that situation and cleared out over 200K messages that backed up in the queues.

I loaded always-on Malwarebytes and saw it blocked outgoing connections for the first 4 days, but has not had any since then.  I also blocked several sites in AU and at the Watchguard firewall that kept trying to get into the server.  I have run several programs to look for rootkits, but found none.

Right now, the Exchange queues are fine, except maybe 4 or 5 random 'bogus' sites that appear daily with messages from our postmaster.  The problem is: after about two days, activity on the LAN crawls to a halt.  When you try to log in to the server console, it takes over 15 minutes to show the desktop (either at the server or via TS.)  After rebooting the server, login at the server is back to normal (within 30 seconds), and LAN traffic is fine.  Maybe a day or two later, back to a crawl and the server must be rebooted again.

I'm going onsite again right now to work on it.  What would be my next steps?

One other oddity: In Exchange System Manager, when I go into properties of the Exchange server, and I click on the Diagnostics Logging tab (to look at something I read must be adjusted after this type of attack), the program completely hangs.

Question by:TSKC-Inc
19 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34965877
How did you solve your spam relay problem?

Author Comment

by:TSKC-Inc
ID: 34965946
Thanks for the quick response!  Kind of weird way... this server was set up like all my others (but I do not classify myself as an expert.)  The actual Exchange server is locked in the position I mentioned, but from memory I:
1) Properties of Default (and only) SMTP server
2) Access Tab, Relay button, only the list below was checked
3) 192.0.0.2 was in the list (which I usually do not have), along with the actual LAN IP
4) Deleted 192.

Tested immediately, no longer a relay
LVL 3

Expert Comment

by:Hayborne
ID: 34965964
When you say the LAN/server is at a crawl, is the server using 100% CPU usage?  If so, what process is using it?

Author Comment

by:TSKC-Inc
ID: 34966002
I have not been onsite when that happens.  I am about to go onsite now.  I was TS'ed in, but locked up the server going to the Exchange Diag Logging tab.  Had to break the TS connection.  Now server will not let me back in.  I'll stay here 15 more minutes to answer questions (until 6:00 CT) before making the 40 minute drive to get onsite.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34966027
Okay - the chances are you have not actually resolved your problem as you may have been an authenticated relay not an open relay.

The slow server responses are probably down to your server being flooded with spam again and fighting to get it out.

Are you blacklisted anywhere?  www.mxtoolbox.com/blacklists.aspx / www.blacklistalert.org - if you are - follow the links and see when you were last listed.
LVL 5

Expert Comment

by:ccns
ID: 34966055
Go to Add/Remove Programs, Windows Components, and install Network Monitor; see if you can find anything untoward in there, then filter and go from there.

Author Comment

by:TSKC-Inc
ID: 34966056
That makes sense.  We are not blacklisted anywhere (nor have we been since this started) except for Barracuda.  Never on CBL or SORBS.

Client removed himself from Barracuda this morning.  Just checked, on none right now.

Even though I cannot remote into the server, their IIS website is still up:
http://12.189.231.234/Default.aspx
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34966067
Okay - sounds good.  Anything sitting in the Exchange Queues at the moment?

Author Comment

by:TSKC-Inc
ID: 34966070
alanhardisty:  If spam were trying to get out, wouldn't I see 1000s of queues like before?  Not seeing them since closing the open relay (except for the 4 or 5 mentioned earlier.)
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34966086
Yes - you would be seeing lots of messages in the queues if you were still spamming.

Just making sure you were not an authenticated relay!!

Is the server up-to-date on patches / Service Packs for Windows and Exchange?

Author Comment

by:TSKC-Inc
ID: 34966099
Yes; thanks again for the quickness of response.  Leaving now to go onsite.
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
ID: 34966103
It seems that even trying to get to OWA is impossible.

Might be worth installing Exchange 2003 SP2 again - it quite often resolves issues without breaking anything!
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34966109
FYI - I'm heading to bed now so will catch you again in the morning.  Just gone Midnight for me.

Author Comment

by:TSKC-Inc
ID: 34966349
Onsite now.

Thanks Alan: I was thinking installing Exchange SP2 again was my next step.
LVL 3

Expert Comment

by:Hayborne
ID: 34966428
I'm in the UK too and it's now 1.20 am (need to sleep). Good luck, hope SP2 sorts it.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34967898
Morning!  How did you get on?

Author Comment

by:TSKC-Inc
ID: 34971523
Good morning Alan,

Windows updates would work now & downloaded over 70 last night, but did not have time to re-install Exchange SP2.

Reviewed the Event Logs while waiting for all downloads; so many errors now.  This used to be a very clean server.  It is 5 years old & the client would only have me review it every 6 months, but never problems like those that appear now.  Makes me think a complete re-install of the OS might be the best thing, although I would hate to do that and then find it is a hardware error.

We are just monitoring it right now.  After a reboot, login at the server console gets the desktop to appear within 25 seconds.  If you then log out and try to log back in, the desktop takes over 5 or 10 minutes to appear.  This seems like the major problem to be tackled first (it also makes me think it is not a hardware issue.)  What should I do to try fixing this?  The client will just reboot the server daily to keep the office (with 20 PCs) running.  Server access only degrades over a day or two; it has been stable for up to 20 hours after each reboot.

Thanks again for your interest.  I really appreciate it.  Steve
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974324
Might be prudent to run a disk check - just in case.

Author Closing Comment

by:TSKC-Inc
ID: 35024081
Exchange server seems fine now.  The real problem was the hacker modified the DNS forwarder & one of the root hints.  Once found & fixed, the server is acting much better, but not perfect.  2nd login to the server after a reboot still takes 3 to 5 minutes, where the 1st login after reboot takes 15 seconds.
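The closing comment's root cause (a changed DNS forwarder and a changed root hint) is exactly the kind of drift a configuration baseline catches before users notice a slow server. The script below is an added example, not code from this thread or its participants; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, so not the SBS 2003 box discussed here), and the baseline file path is a placeholder.

```powershell
# Added example: snapshot a Windows DNS server's forwarders and root hints while the server is
# known-good, then diff the live configuration against that snapshot on a schedule.
# Assumes the DnsServer module (Windows Server 2012+); SBS 2003 predates it.

function Get-DnsResolverState {
    # Flatten forwarders and root hints to sorted strings so they serialise and compare cleanly.
    $forwarders = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
    $rootHints = Get-DnsServerRootHint | ForEach-Object {
        $name = $_.NameServer.RecordData.NameServer
        foreach ($rec in @($_.IPAddress | Where-Object { $_ })) {
            # Root hint glue may be an A or an AAAA record; record both as "name address".
            $ip = if ($rec.RecordType -eq 'AAAA') { $rec.RecordData.IPv6Address } else { $rec.RecordData.IPv4Address }
            "$name $($ip.IPAddressToString)"
        }
    }
    [pscustomobject]@{
        Forwarders = @($forwarders | Sort-Object -Unique)
        RootHints  = @($rootHints  | Sort-Object -Unique)
    }
}

function Export-DnsResolverBaseline([string]$Path) {
    # Run once while the server is known-good; keep the file where the server itself cannot rewrite it.
    Get-DnsResolverState | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Test-DnsResolverBaseline([string]$Path) {
    # Returns one line per deviation; no output means the live configuration matches the baseline.
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-DnsResolverState
    $findings = @()
    foreach ($set in 'Forwarders', 'RootHints') {
        $was = @($baseline.$set)
        $now = @($current.$set)
        # Anything present now but absent from the baseline (an injected forwarder or bogus root
        # server), and anything that disappeared (a legitimate root hint replaced).
        $findings += @($now | Where-Object { $_ -notin $was } | ForEach-Object { "$set ADDED: $_" })
        $findings += @($was | Where-Object { $_ -notin $now } | ForEach-Object { "$set REMOVED: $_" })
    }
    return $findings
}

# Placeholder path: export once when clean, then run the test from a scheduled task and alert on output.
# Export-DnsResolverBaseline -Path 'D:\baseline\dns-resolver.json'
# Test-DnsResolverBaseline   -Path 'D:\baseline\dns-resolver.json'
```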