

Windows 2003 SBS Server hacked

Posted on 2013-01-06
Medium Priority
Last Modified: 2013-02-03
I inherited a client using Windows 2003 SBS server.

Recently, their server was compromised and I don't know how to resolve the issue.

Here are the symptoms:

1) One user is receiving thousands of System Undeliverable messages in her inbox every day, as well as from the Postmaster address saying there's a delay in sending out mail.

2) In the security event log, there are Failure attempts every few seconds that look like this:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/6/2013
Time:            2:36:18 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DC1-SBS
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      sheila
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      DC1-SBS
       Caller User Name:      DC1-SBS$
       Caller Domain:      DOMAIN-NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1936
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Those events appear for multiple user names.

So far I have changed the password for the users I have spoken to and disabled any unused domain accounts.

I have tried to stop the server from generating NDRs but the user's mailbox keeps filling up anyway.

How can I get this server back to a secure state?

Question by:IT_Service
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38749053
The NDR messages indicate that you may not have Anti-Spam software installed and I would recommend you trial Vamsoft ORF which should resolve the problem for you.


Once you have resolved that issue, see what else is wrong.

LVL 97

Expert Comment

by:Lee W, MVP
ID: 38749054
The server may be just fine.

Look at the log - it says "Unknown user name or bad password", so there was no immediate need to change passwords - the account(s) weren't compromised (apparently - if they were, then it would have been a SUCCESS audit, not a failure, and you might not realize it was compromised). Changing passwords was a good idea, just in case, but it really doesn't mean the server was compromised.

As for the NDRs - it's possible someone spammed thousands of people using her e-mail as the sender - the sender may not even be touching the server and is likely not doing anything directly with your systems.  Instead, if the email account was used as the sender, then hundreds or thousands of OTHER servers are THINKING that SHE was the one who sent the message and trying to tell her that the user account(s) don't exist.  Short of using a spam filter that can filter these NDRs, there may simply be nothing you can do and there may not be any security issues (I'm sure there are many - almost all networks have them - but the point is, you MOST LIKELY have not been hacked).

Use a good spam filter and put in place a firewall and policies that prevent unauthorized systems from attempting to access the server.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38749055

LVL 27

Expert Comment

by:Jason Watkins
ID: 38749133
It can never hurt to change the admin password.

Author Comment

ID: 38749716
If I look in the Message Tracking Center, it appears as if the user with the NDR issue is actually sending all those messages. Thousands of messages come up under her name as the sender in a short period of time (to Chinese addresses).

She can receive mail ok, but she effectively cannot send any real email because they seem to be timing out. This makes sense if there are thousands of messages trying to be sent out.

Eventually she gets this message in return: Could not deliver the message in the time limit specified.

For the Default SMTP server - Properties - Delivery tab - Outbound security, it's currently set at Anonymous Access. Is this the correct setting?
LVL 76

Accepted Solution

Alan Hardisty earned 1500 total points
ID: 38750041
Okay - change her password and then restart the SMTP Service immediately afterwards.  Her account sounds like it has been compromised.

Expect to see the queues fill up with mail after this has been done, but not for ever.

Have a read of my article too please:


If you want to stop this happening again, read my blog which I posted earlier.

LVL 10

Expert Comment

ID: 38750107
Seems you need to establish where the emails are actually being generated from:
your server, a smarthost, some Trojan/malware on the client side,
or email spoofing?

The Chinese addresses suggest some sort of bot on a client PC on the internal network,
not necessarily that of the affected user.

What firewall are you using?
If ISA Server, can you see any significant traffic on SMTP port 25 (or 587) coming off any internal client PCs? Also check for heavy traffic on port 53 (DNS lookups resolving domain names).
Does the Exchange server resolve its own DNS for sending email directly, or does it send all mail via a smart host?
If the former, are you seeing large amounts of connectors in the outbound queues?
If the latter, is there significantly increased traffic since the problem began?
As stated above, the emails may not be coming from your systems at all - spoofing.

The focus must be to track where the outbound messages are being generated from rather than worrying about the NDRs.

Alan's blog is good advice. Also, as an aside, event 529 login failures on SBS 2003 servers most commonly occur from dictionary attacks on the standard RDP port 3389.
Microsoft has a Fix it to change this to a non-standard port; just google "change RDP listening port" (it is a simple registry tweak).
Adjust your firewall also.
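The 529 records quoted in the question are easy to triage once they are exported as text. The following is an added example, not code from any of the commenters: it parses records in the Event Viewer "save as text" layout shown above, then reports, per account, the total number of failures and the peak number inside any 60-second window, which is what separates a steady password-guessing stream from a user mistyping once. The sample records, account names and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Event Viewer "save as text" layout from the question,
# trimmed to the fields this parser reads (hypothetical accounts and times).
RECORD = """Event Type:      Failure Audit
Event ID:      529
Date:            1/6/2013
Time:            {time}
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
"""
SAMPLE_LOG = "".join(RECORD.format(user=u, time=t) for u, t in [
    ("sheila", "2:36:18 PM"), ("sheila", "2:36:21 PM"), ("sheila", "2:36:25 PM"),
    ("sheila", "2:36:30 PM"), ("admin", "2:36:40 PM"), ("sheila", "2:36:44 PM"),
    ("admin", "3:10:02 PM")])

def parse_events(text):
    """Split exported event text into one {field: value} dict per record."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # first occurrence wins; "Logon Failure:" carries no value
                fields.setdefault(key.strip(), value.strip())
        events.append(fields)
    return events

def summarize_529(text, window_seconds=60):
    """Per account: total 529 failures and the peak count inside any
    window_seconds span; a high peak is the signature of password guessing."""
    stamps = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("Event ID") == "529":
            stamps[ev.get("User Name", "?").lower()].append(datetime.strptime(
                f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p"))
    summary = {}
    for user, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        summary[user] = {"total": len(times), "peak": peak}
    return summary
```

Run it against a full export to see which accounts are being hammered; a short-lived cluster against one account is a typo, a sustained high peak across many names is the dictionary attack described above.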
LVL 25

Expert Comment

by:Tony Giangreco
ID: 38750714
It looks like this server is running Terminal Services. I had a 2003 server with the same problem until last year when we replaced it with a 2008. That message does not mean your server was hacked; it looks like someone is trying to log in remotely and guess the password. It's very common on a server running RDP or Terminal Services.

I suggest the following:
1. Upgrade all administrative and user passwords so they are strong (at least 8 chars including upper, lower, num and one special char). For example joHn2010<S1

2. If you have a firewall, upgrade its firmware and see if it has any security services or logging you can activate.

3. If you can block out remote access by country on your firewall, activate that feature and only include the countries where your users reside.

4. Make sure your server has the latest Microsoft updates.

5. Verify you are running a strong antivirus and it's updated with the latest AV definition files. We use Symantec Endpoint Protection on all servers and workstations. We have not had any virus-related outbreaks in two years with 60 PCs and five servers.

6. Limit the number of users that access the server remotely. Only authorized and trained personnel should have remote desktop accounts and/or the admin password.

Hope this helps!
LVL 10

Expert Comment

ID: 38750745
All good advice.

Would point out it's an SBS server, so it cannot be used for Terminal Services,
hence my advice to change the listening port.

Still does not deal with the underlying issue about the email.
Waiting for the questioner to update.

Author Closing Comment

ID: 38848609
I ended up moving them to Office365 since this server is 10 years old anyway. That was a move I had planned for them anyway; I just had to adjust my implementation schedule.

I have taken some of the steps you recommended.

Thank you everyone, for the advice. I really appreciate it.
