Solved

Blocked because of virus

Posted on 2011-03-02
2,958 Views
Last Modified: 2013-12-09
I am having this issue here. My server cannot go out to the internet and mails cannot be sent out to external email. However, external email can come into my server.

I launch Internet Explorer and this is what I receive (see attached). I did a full system scan using SUPERAntiSpyware and Symantec Endpoint v11. Nothing found. Reset my IE settings but to no avail.

I cannot ping any external site, e.g. Google, Yahoo etc.

Machine: Windows Server 2008 OS
Application running: Exchange 2010
IE.jpg
0
Question by:moombaz
20 Comments
 
LVL 6

Expert Comment

by:Tonypeswani
ID: 35015954
Are you able to ping the default gateway, and are you able to access the internal shares?

Thank you.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35016085
I can ping my default LAN gateway. I am able to access all LAN files.

However, I cannot ping my WAN gateway and I cannot ping any websites.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 35016109
Another thing, check the hosts file to see if it has been edited in any way - C:\windows\system32\drivers\etc\hosts - open this with Notepad.

Also, check the internet connection settings - when your browser is open go to Tools > Internet Options > Connections > LAN settings, and see if your browser is going through a proxy; if so, untick "Use a proxy server".

These are symptoms that are caused by viruses.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35016187
moombaz,
The two applications listed here are both safe to use on Server 2008. You can retrieve them from any clean workstation/server and save them to USB stick or CD.
(Use the "Save As" function to rename the downloaded files - BEFORE - they touch your system. Some variants of malware recognize some anti-malware files and will corrupt them if you use the regular download.)

Your first step should be to clean out all of the Temp/Junk files picked up by your browser.

Download, install, and run
CCleaner (www.ccleaner.com)

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35016227
There are no suspicious processes running.

The hosts file is not tampered with.

The proxy setting is not enabled because we are not running any proxy server.
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 35016348
I assume that you have checked that the firewall ports for the Exchange server are open?
0
 
LVL 1

Author Comment

by:moombaz
ID: 35016876
Yes.. the firewall ports are open.

I did this:

For the network configuration of the Exchange server, I changed the settings to "automatically detect settings".
I launched Internet Explorer and I can browse the internet. Internet settings are all as per normal.

As soon as I changed back to the static IP for my Exchange, the internet cannot be used again.

What is this?
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 35017041
And your DNS is working as well?
0
 
LVL 12

Accepted Solution

by:xmlmagician (earned 500 total points)
ID: 35017055
Can you ping IP addresses directly,
like 212.58.246.95, which is the BBC?
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 35022657
>>As soon as I changed back to the static IP for my Exchange, internet cannot be used again.

The static IP that you are using, is that a public IP address? Since on the LAN you would receive an IP address which would be either a Class A or Class C IP address, and your internet would be working because you would be going through your gateway/firewall.

When you changed the IP address to static, did you change the DNS as well?
When you use DHCP, what DNS server do you get? Use the ipconfig command on the command prompt to find this out.

Sudeep
0
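The checks the experts ask for in this thread (LAN gateway ping, external IP ping without DNS, name resolution, hosts-file tampering, IE proxy setting) can be run in one pass and the symptom classified. This is an added triage script, not code from the thread; the addresses are the thread's values and the verdict rules are my own heuristics, so adjust them for your network.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 2.0+ on the affected host.
$Gateway = '10.10.10.1'      # LAN default gateway given in the thread
$ExtIp   = '212.58.246.95'   # external IP suggested in the thread (BBC)
$ExtName = 'www.google.com'  # any public hostname, to test DNS separately from routing

function Test-Hop($Label, $Target) {
    # ICMP reachability; -Quiet returns $true/$false instead of reply objects
    $ok = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue
    Write-Host ("{0,-26} {1}" -f $Label, $(if ($ok) { 'reachable' } else { 'NO REPLY' }))
    return $ok
}

$lanOk  = Test-Hop 'LAN gateway ping' $Gateway
$ipOk   = Test-Hop 'External IP ping' $ExtIp
$nameOk = $false
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($ExtName) | Select-Object -First 1
    Write-Host ("{0,-26} {1}" -f 'DNS resolution', $resolved.ToString())
    $nameOk = $true
} catch {
    Write-Host ("{0,-26} {1}" -f 'DNS resolution', 'FAILED')
}

# Hosts-file check: list every active (non-comment) mapping so it can be reviewed.
$hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = @(Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })
Write-Host ("{0,-26} {1}" -f 'Active hosts entries', $entries.Count)
$entries | ForEach-Object { Write-Host "  $_" }

# Proxy check: same setting as IE > Tools > Internet Options > Connections > LAN settings.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Write-Host ("{0,-26} {1}" -f 'IE proxy enabled', [bool]$inet.ProxyEnable)
if ($inet.ProxyEnable) { Write-Host "  ProxyServer = $($inet.ProxyServer)" }

# Verdict: separate local config, DNS, and an upstream per-host block (the thread's cause).
if (-not $lanOk) {
    'Verdict: local IP/NIC or LAN problem (gateway unreachable)'
} elseif ($ipOk -and -not $nameOk) {
    'Verdict: DNS problem; routing to the internet works'
} elseif (-not $ipOk) {
    'Verdict: this host is blocked upstream (firewall/gateway policy); compare from another host on the subnet'
} else {
    'Verdict: basic connectivity OK; look at application-level settings (proxy, SMTP)'
}
```

A host that reaches the gateway but gets no reply from the external IP while a neighbour on the same subnet does is the pattern this thread ended with: a per-IP block at the firewall, not a DNS or proxy fault.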
 
LVL 1

Author Comment

by:moombaz
ID: 35023120
My default IP configuration is

static ip: 10.10.10.2
gateway: 10.10.10.1
DNS: 10.10.10.7


10.10.10.7 is a forwarder. My whole domain is configured this way. My server is not set directly to configure to my ISP DNS server.

I changed my configuration to

static IP: 10.10.10.5 and it works. The server can now go into the internet.

What can be the problem? I've checked my firewall and the policy rule states all hosts are allowed to pass through to go to the internet. Changing the IP address doesn't make any sense as a way to get the server/PC to have access to the internet when anybody else can also go to the internet within the same subnet.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35023137
My DNS is working very fine.
0
 
LVL 1

Author Comment

by:moombaz
ID: 35023915
Dear experts,

I've found out the cause of this. My firewall is specifically blocking my specific IP address (Exchange server): 10.10.10.2, because there was an intrusion to the system, thus they're blocking that IP from routing out to the internet.
Thanks a lot.
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 35030352
I would have thought that my comment ID:35016348 kind of answered the question, if not pointed in the right direction. If you feel that it was no help, it is okay.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35030790
@moombaz, did you check the security log on Symantec to see what type of virus intrusion this was? Finding this information is important, as you never once mentioned that it was confirmed to be a (fill in the ____) virus nor cleaned.

I would also suggest checking your event log for tampering, and if you have not scanned with a boot-watch rootkit scanner I would suggest you run a scan with MBAM. There is already a link posted by younghv. Finding out the cause of why you're receiving this block is the main reason why I am suggesting these to you. So please give us these results, as we would like to see a smile on your face and not a burst blood vein.
0
 
LVL 1

Author Closing Comment

by:moombaz
ID: 35049695
It wasn't really a port mapping or port forwarding issue, but indeed it's the IP address that is blocked by the firewall. Blocked as in, once my firewall detects that there is a virus being sent out from a host (as for now it is from my Exchange server), it literally puts the IP address in its banned list, not allowing it to flow out to the internet.


@Russell_Venable

Symantec did not detect any virus. It was my firewall that detected it and then did not allow it to pass. Here are the virus details:

File: Facebook message.zip
Checksum: N/A
Quarantine Skip: No skip
Virus: W32/Agent.3367!tr
URL: N/A
Carrier End Point: N/A
User: N/A
Group: N/A
From: postmaster@toepl.com.sg
To: update@facebookmail.com
Detection Type: Virus
0
 

Expert Comment

by:Osram34
ID: 38269695
Any chance your firewall was a Fortinet? I'm getting the exact same screen and am trying to find the source.
0
 

Expert Comment

by:jim3725
ID: 38388690
I had the same thing happen to me; I changed my IP address and the problem was resolved.
I do have a Fortinet firewall and I couldn't find anything in the firewall logs.
0

