Avatar of IT_Service
IT_ServiceFlag for Canada

asked on 

Windows 2003 SBS Server hacked

I inherited a client using Windows 2003 SBS server.

Recently, their server was compromised and I don't know how to resolve the issue.

Here are the symptoms:

1) One user is receiving thousands of System Undeliverable messages in her inbox every day, as well as from the Postmaster address saying there's a delay in sending out mail.

2) In the security event log, there are Failure attempts every few seconds that look like this:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/6/2013
Time:            2:36:18 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DC1-SBS
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      sheila
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      DC1-SBS
       Caller User Name:      DC1-SBS$
       Caller Domain:      DOMAIN-NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1936
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Those events appear for multiple user names.

So far I have changed the password for the users I have spoken to and disabled any unused domain accounts.

I have tried to stop the server from generating NDRs but the user's mailbox keeps filling up anyway.

How can I get this server back to a secure state?

SBSWindows Server 2003Exchange

Avatar of undefined
Last Comment
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

The NDR messages indicate that you may not have Anti-Spam software installed and I would recommend you trial Vamsoft ORF which should resolve the problem for you.


Once you have resolved that issue, see what else is wrong.

Avatar of Lee W, MVP
Lee W, MVP
Flag of United States of America image

The server may be just fine.

Look at the log - it says "Unknown user name or bad password" so there was no immediate need to change passwords - the account(s) weren't compromised (apparently - if they were, then it would have been a SUCCESS audit, not a failure and you might not realize it was compromised.  Changing passwords was a good idea, just in case, but it really doesn't mean the server was compromised.

As for the NDRs - it's possible someone spammed thousands of people using her e-mail as the sender - the sender may not even be touching the server and is likely not doing anything directly with your systems.  Instead, if the email account was used as the sender, then hundreds or thousands of OTHER servers are THINKING that SHE was the one who sent the message and trying to tell her that the user account(s) don't exist.  Short of using a spam filter that can filter these NDRs, there may simply be nothing you can do and there may not be any security issues (I'm sure there are many - almost all networks have them - but the point is, you MOST LIKELY have not been hacked).

Use a good spam filter and put in place a firewall and policies that prevent unauthorized systems from attempting to access the server.
It can never hurt to change the admin password.
Avatar of IT_Service
Flag of Canada image


If I look in the Message Tracking Center, it appears as if the user with the NDR issue is actually sending all those messages. Thousands of messages come up under her name as the sender in a short period of time (to Chinese addresses).

She can receive mail ok, but she effectively cannot send any real email because they seem to be timing out. This makes sense if there are thousands of messages trying to be sent out.

Eventually she gets this message in return: Could not deliver the message in the time limit specified.

For the Default SMTP server - Properties - Delivery tab - Outbound security, it's currently set at Anonymous Access. Is this the correct setting?
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of cpmcomputers
Flag of United Kingdom of Great Britain and Northern Ireland image

Seems you need to establish where the emails are actually being generated from
Either your server, from a smarthost, from some Trojan/malware on the clientside ?
Or email spoofing ?

The Chinese addresses suggest some sort of bot on a client pc on the internal network
Not necessarily that of the affected user?

What firewall are you using
If Isa  server can you see any significant traffic on smtp port 25 (or 587) coming off any internal client pc's also check possibly for heavy traffic on port 53 Dns lookups resolving domain names
Does the exchange server resolve its own Dns for sending email directly or does it send all mail via a smart host ?
If the former are you seeing large amounts of connectors in the outbound queues?
If the latter is there significantly increased traffic since the problem began
As stated above the emails may not be coming from your systems at all - spoofing

The focus must be to track where the outbound messages are being  generated from rather than worrying about the Ndrs

 Alans blog is good advice Also as an aside event 529 login failures in sbs 2003 servers Most commonly occur from dictionary attacks on the standard RDP port 3389
Microsoft has a fixit to change this to a non-standard port  just google "change RDP listening port (is a simple registry tweak)
Adjust your firewall also
It looks like this server is running Terminal Services. I had a 2003 server with the same problem until last year when we replaced it with a 2008.  That message does not mean your server was hacked, it looks like someone is trying to login remotely and guess the password. it's very common on a server running RDP or Terminal Services.

I suggest the following:
1. Upgrade all administrative and user passwords so they are stong (at least 8 chars including upper, lower, num and one special char). For example joHn2010<S1

2. If you have a firewall, upgrade it's firmware and see if it has any security services or logging you can activate

3. If you can block out remote access by country on your firewall, activate that feature and only include the counties where your users reside.

4. Make sure your server has the latest Microsoft updates

5. Verify you are running a strong anti virus and it's updated with the latest AV definition files. we use Symantec Endpoint Protection on all servers and workstations. We have not had any virus related outbreaks in two years with 60 Pc's and five servers.

6. Limit the number of users that access the server remotely. Only authorized and trained personnel should have remote desktop accounts and/or the admin password.

Hope this helps!
Avatar of cpmcomputers
Flag of United Kingdom of Great Britain and Northern Ireland image

All good advice

Would point out Its an SBS server so cannot be used for terminal services
hence my advice to change the listening port

Still does not deal with the underlying  issue about the email
Waiting for the questioner to update
Avatar of IT_Service
Flag of Canada image


I ended up moving them to Office365 since this server is 10 years old anyway. That was a move I had planned for them anyway,  I just had to adjust my implementation schedule.

I have taken some of the steps you recommended.

Thank you everyone, for the advice. I really appreciate it.

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo