Windows SBS 2003 - Exchange Hijacked??

One of my clients' SBS 2003 servers is what I believe to be hijacked. At 3am this morning, event log errors began firing away and the Exchange manager queue is jam packed with what looks like tons of spam messages. The number is growing at an exponential rate and I have no idea how to stop it and stop the hijack process. I also need some assistance in blowing away the queue. I do not want to go one by one and delete because that would just take hours upon hours. Any help here is greatly appreciated.
Attachments: eventlog.pdf, malwarebytes-quickscanrtf.pdf

Asked: PCNNY

2 Solutions
connectex commented:
Three main possibilities:

1. You're running an open relay. There are many relay testers. Here's one I've used many times: http://www.mxtoolbox.com/diagnostic.aspx.

2. One or more of your users' passwords have been compromised. Many systems are configured to allow relaying if the user authenticates prior to sending via SMTP. So have all users change their passwords. The easy way is to use the SBS password policy wizard. It marks non-admin passwords so they will need to be changed upon the next logon. Also double check your guest account isn't enabled. It's an easy target for this type of attack.

3. One or more of your systems has been infected and is generating the SPAM. Run anti-virus / anti-malware scans on all systems.


Note I've listed these in the order I recommend you check them. Once you're not getting more new SPAM messages in the queue you can then clean the queues of the "garbage". Also note your mail server may get blacklisted due to the SPAM so watch for it too. This is a good site for blacklist checking: http://www.mxtoolbox.com/blacklists.aspx. There are several checkers out there. Just search "blacklist check" via any search engine.

-Matt-

rpartington commented:
As an addition to the above I would turn off port 25 on your firewall instantly.
And disable any Exchange connectors.
I've cleaned up numerous clients who have been hit by an NDR attack.
You may well NOT be an NDR victim and as such you should follow the above advice.
However, with ref to cleaning up your queues, which can be a very very very laborious mundane task, use the following tool which will quickly clean your queue for you.
BUT YOU MUST MAKE SURE PORT 25 IS CLOSED 1ST AND YOUR SMTP CONNECTOR ADDRESS IS SET TO SOME FICTITIOUS ADDRESS i.e. [99.99.99.99] SO IT CAN'T SEND. THEN RUN

ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/

It quickly runs through deleting all the spam email in your queue, saving you doing it manually.
When it finishes just use the up arrow on the keyboard to paste the command back in and keep running it numerous times until it cannot find any more spam to delete.

http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
I Qasmi commented:
1) First stop the SMTP service.

2) Open the Properties of the Default SMTP Virtual Server.

3) Go to Messages and find the Queue directory path, for example:
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue

4) Open My Computer, go to C:\Program Files\Exchsrvr\Mailroot and rename the vsi 1 folder
(make sure that the SMTP service is stopped).

5) Open Default SMTP Virtual Server Properties > General > Advanced.
Click Edit, enable Apply Intelligent Message Filter and press OK.

6) Go to Global Settings > Message Delivery Properties > Sender Filtering,
adjust the settings there and add the suspected mail ID through which mails are received.
Also adjust Recipient Filtering according to your needs.

7) Restarting the SMTP service will create a new C:\Program Files\Exchsrvr\Mailroot\vsi 1 folder.
Now check the queues for stuck mails.
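Steps 1, 4 and 7 of the procedure above (stop SMTP, set the queue folder aside, restart so Exchange rebuilds it) as one PowerShell script; this is an added example, not code from the thread or from Microsoft. It assumes PowerShell is installed on the SBS 2003 box, the default "vsi 1" Mailroot path quoted in step 3, and that outbound port 25 is already blocked at the firewall as the earlier answer insists, so the fresh queue cannot start sending again.

```powershell
# Added example: automate the stop / rename / restart of the Exchange 2003
# SMTP queue folder. Paths are the defaults from step 3; adjust if the
# virtual server instance or drive differs. Run from an elevated prompt.
$mailroot  = 'C:\Program Files\Exchsrvr\Mailroot'
$vsiFolder = Join-Path $mailroot 'vsi 1'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive   = "vsi 1.hijacked-$stamp"   # keep the spam for inspection, do not delete it

# Step 1: stop SMTPSVC and wait until it is really stopped. Renaming while
# the service still holds handles under Queue\ fails half-way through.
Stop-Service -Name SMTPSVC -Force
(Get-Service -Name SMTPSVC).WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))

# Step 4: rename the whole 'vsi 1' tree aside. Counting the files first gives
# you a number for the incident notes; the archived copy lets you pull sender
# addresses for the Sender Filtering step and see which account authenticated.
if (Test-Path $vsiFolder) {
    $queued = @(Get-ChildItem (Join-Path $vsiFolder 'Queue') -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer }).Count
    Rename-Item -Path $vsiFolder -NewName $archive
    Write-Host "Moved $queued queued message files aside to $(Join-Path $mailroot $archive)"
} else {
    Write-Warning "$vsiFolder not found; check the Queue directory path in the virtual server properties."
}

# Step 7: starting SMTPSVC again makes Exchange recreate an empty 'vsi 1' tree.
Start-Service -Name SMTPSVC
(Get-Service -Name SMTPSVC).WaitForStatus('Running', (New-TimeSpan -Seconds 60))

if (Test-Path (Join-Path $vsiFolder 'Queue')) {
    Write-Host 'New empty queue directory created; verify in System Manager > Queues.'
} else {
    Write-Warning "'vsi 1' was not recreated; the SMTP virtual server may not have started cleanly."
}
```

Only re-open port 25 once the queue stays empty for a while after the password resets and malware scans from the first answer; an empty queue that refills is the sign the source has not been found yet.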