Solved

Blocked because of virus

Posted on 2011-03-02
20
2,939 Views
Last Modified: 2013-12-09
I am having this issue here. My server cannot go out to the internet and mails cannot be sent out to external email. However, external email can come into my server.

I launch Internet Explorer and this is what I receive (see attached). I did a full system scan using SUPERAntiSpyware and Symantec Endpoint v11. Nothing found. Reset my IE settings but to no avail.

I cannot ping any external site, e.g. Google, Yahoo etc.

Machine: Windows Server 2008 OS
Application running: Exchange 2010
IE.jpg
0
Question by:moombaz
20 Comments
 
LVL 6

Expert Comment

by:Tonypeswani
ID: 35015954
Are you able to ping the default gateway, as well as access the internal shares?

Thank you.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35016085
I can ping my default LAN gateway. I am able to access all LAN files.

However, I cannot ping my WAN gateway and I cannot ping any websites.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 35016109
Another thing: check the hosts file to see if it has been edited in any way - C:\windows\system32\drivers\etc\hosts - open this with Notepad.

Also, check the internet connection settings - when your browser is open go to Tools > Internet Options > Connections > LAN Settings and see if your browser is going through a proxy; if so, untick "Use a proxy server".

These are symptoms that are caused by viruses.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35016187
moombaz,
The two applications listed here are both safe to use on Server 2008. You can retrieve them from any clean workstation/server and save them to USB stick or CD.
(Use the "Save As" function to rename the downloaded files - BEFORE - they touch your system. Some variants of malware recognize some anti-malware files and will corrupt them if you use the regular download.)

Your first step should be to clean out all of the Temp/Junk files picked up by your browser.

Download, install, and run
CCleaner (www.ccleaner.com)

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35016227
There's no suspicious processes running.

The hosts file is not tampered with.

The proxy setting is not enabled because we are not running any proxy server.
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 35016348
I assume that you have checked that the firewall ports for the Exchange server are open?
0
 
LVL 1

Author Comment

by:moombaz
ID: 35016876
Yes, the firewall ports are open.

I did this:

For the network configuration of the Exchange server, I changed the settings to automatically detect settings.
I launched Internet Explorer and I can browse the internet. Internet settings all as per normal.

As soon as I changed back to the static IP for my Exchange, the internet cannot be used again.

What is this?
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 35017041
And your DNS is working as well?
0
 
LVL 12

Accepted Solution

by:
xmlmagician earned 500 total points
ID: 35017055
Can you ping IP addresses directly, like 212.58.246.95, which is the BBC?
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 35022657
>>As soon as I changed back to the static IP for my Exchange, internet cannot be used again.

The static IP that you are using, is that a public IP address? Since on the LAN you would receive an IP address which would be either a Class A or Class C IP address, and your Internet would be working because you would be going through your Gateway/Firewall.

When you changed the IP address to static, did you change the DNS as well?
When you use DHCP, what DNS server do you get? Use the ipconfig command on the command prompt to find this out.

Sudeep
0
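The layered checks the experts asked for (LAN gateway, WAN gateway, an external host by IP, then a name lookup) collapsed into one script, as an added example that is not part of the thread. It assumes PowerShell 2.0 on the Server 2008 box; 10.10.10.1, 10.10.10.7 and 212.58.246.95 come from the thread, while the WAN gateway and the host name are placeholders to replace.

```powershell
# Added example (not from the thread): run the checks the experts asked for in
# order, so the layer that fails is obvious at a glance.
$lanGateway   = '10.10.10.1'      # poster's LAN gateway
$dnsForwarder = '10.10.10.7'      # poster's internal DNS forwarder
$wanGateway   = '203.0.113.1'     # placeholder (TEST-NET-3), replace with the real WAN gateway
$externalIp   = '212.58.246.95'   # the BBC address xmlmagician suggested
$externalName = 'www.bbc.co.uk'   # assumed name for the DNS step

function Test-Hop {
    param([string]$Label, [string]$Target)
    # -Quiet makes Test-Connection return a plain $true/$false instead of reply objects
    $ok = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue
    Write-Host ('{0,-24} {1,-16} {2}' -f $Label, $Target, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return [bool]$ok
}

$lanOk = Test-Hop 'LAN default gateway'    $lanGateway
$dnsOk = Test-Hop 'Internal DNS forwarder' $dnsForwarder
$wanOk = Test-Hop 'WAN gateway'            $wanGateway
$ipOk  = Test-Hop 'External host by IP'    $externalIp

# Name resolution is tested on its own so a DNS fault is not mistaken for a routing fault
$resolved = $false
try {
    [System.Net.Dns]::GetHostAddresses($externalName) | Out-Null
    $resolved = $true
} catch { }
Write-Host ('{0,-24} {1,-16} {2}' -f 'DNS lookup', $externalName, $(if ($resolved) { 'OK' } else { 'FAIL' }))

# Interpretation, in the order the thread worked through the problem
if (-not $lanOk) {
    Write-Host 'Local problem: NIC, cable, duplicate IP or wrong subnet mask.'
} elseif (-not $wanOk -and -not $ipOk) {
    Write-Host 'LAN is fine but nothing leaves the site: the gateway/firewall is dropping this source IP.'
    Write-Host 'Repeat from another host on the same subnet; if that one works, look for a per-host block or quarantine entry on the firewall.'
} elseif (-not $resolved) {
    if ($dnsOk) {
        Write-Host 'Routing works but lookups fail: check the DNS server in ipconfig /all and the forwarder itself.'
    } else {
        Write-Host 'The DNS forwarder is unreachable: fix that before looking at the firewall.'
    }
} else {
    Write-Host 'Network path and DNS both work; check browser proxy settings and the hosts file.'
}
```

The pattern the poster eventually hit (LAN OK, WAN and external IP FAIL, another address on the same subnet works) is the second branch: a block keyed on the source IP rather than on a port or a route.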
 
LVL 1

Author Comment

by:moombaz
ID: 35023120
My default IP configuration is

static ip: 10.10.10.2
gateway: 10.10.10.1
DNS: 10.10.10.7


10.10.10.7 is a forwarder. My whole domain is configured this way. My server is not set directly to configure to my ISP DNS server.

I changed my configuration to

static IP: 10.10.10.5 and it works. The server can now go into the internet.

What can be the problem? I've checked my firewall and the policy rule states all hosts are allowed to pass through to go to the internet. Changing the IP address doesn't make any sense as a way to get the server/PC to have access to the internet, when anybody else can also go onto the internet within the same subnet.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35023137
My DNS is working very fine.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35023915
Dear experts,

I've found out the cause of this. My firewall is specifically blocking my specific IP address (Exchange server): 10.10.10.2, because there was an intrusion to the system, thus they're blocking that IP from routing out to the internet.
Thanks a lot.
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 35030352
I would have thought that my comment ID:35016348 kind of answered the question, if not pointed in the right direction. If you feel that it was no help, it is okay.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35030790
@moombaz, did you check the security log on Symantec to see what type of virus intrusion this was? Finding this information is important, as you never once mentioned that it was confirmed to be a (fill in the ____) virus nor cleaned.

I would also suggest checking your event log for tampering, and if you have not scanned with a boot watch rootkit scanner I would suggest you run a scan with MBAM. There is already a link posted by younghv. Finding out the cause of why you're receiving this block is the main reason why I am suggesting these to you. So please give us these results, as we would like to see a smile on your face and not a burst blood vein.
0
 
LVL 1

Author Closing Comment

by:moombaz
ID: 35049695
It wasn't really the port mapping or port forwarding issue, but indeed it's the IP address that is blocked by the firewall. Blocked as in, once my firewall detects that there is a virus being sent out from a host (as for now it is from my Exchange server), it literally puts the IP address in its banned list, not allowing it to flow out to the internet.


@Russell_Venable

Symantec did not detect any virus. It was my firewall that detected it and then did not allow it to pass. Here's the virus details:

File: Facebook message.zip
Checksum: N/A
Quarantine Skip: No skip
Virus: W32/Agent.3367!tr
URL: N/A
Carrier End Point: N/A
User: N/A
Group: N/A
From: postmaster@toepl.com.sg
To: update@facebookmail.com
Detection Type: Virus
0
 

Expert Comment

by:Osram34
ID: 38269695
Any chance your firewall was a Fortinet? I'm getting the exact same screen and am trying to find the source.
0
 

Expert Comment

by:jim3725
ID: 38388690
I had the same thing happen to me. I changed my IP address and the problem was resolved.
I do have a Fortinet firewall and I couldn't find anything in the firewall logs.
0
