Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

exchange 2003 random internal e-mail addresses in outgoing queue

Posted on 2013-06-24
5
562 Views
Last Modified: 2013-06-24
Hey guys,

My client is running Exchange 2003 SBS (i just took them on). Their outgoing exchange queues are hacked with RANDOM internal e-mail addresses (xyaj38s@company.com).

I've enabled sender/recipient filtering, ensured it's not an open relay, scanned the server for viruses (did find a backdoor trojan on it, i believe it's removed). I also changed everyone's passwords... Turned off windows authentication.

The queues are still filling up. Is it possible someone's machine in the office is compromised?

Anything else I should look at?

Thanks guys.
0
Comment
Question by:tamaneri
5 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 167 total points
ID: 39271769
Looks like you've done most of everything else.  I'd say the next place to look is definitely the client machines.
0
 
LVL 8

Assisted Solution

by:jbvernej
jbvernej earned 167 total points
ID: 39271825
Hello,

Your messages in queues:
does they seem to be fake NDR messages (Non Delivery Report)  ?
(IE a NDR for a message that was never send ) ?
If yes, you could be under External NDR attack.

here a  procedure to cleanup:
kb886208 - Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003
http://support.microsoft.com/kb/886208/en-us
0
 
LVL 52

Assisted Solution

by:Manpreet SIngh Khatra
Manpreet SIngh Khatra earned 166 total points
ID: 39271841
Restart the services or the server and check.

- Rancy
0
 
LVL 3

Author Closing Comment

by:tamaneri
ID: 39272513
Thanks for the input guys.

Turns out it was a root-kit on the server itself. I ran the following programs to remove all of the malware/viruses/rootkit

1) MBAM
2) TDSS Killer
3) Kaspersky Virus Removal Tool (just to ensure it was clean).

The virus/root-kit that TDSSKILLER found was a file called sbscrexe.exe in c:\windows\system32.

Thanks for your help in this matter. Queues look like they're going to remain clean.
0
 
LVL 3

Author Comment

by:tamaneri
ID: 39272948
Just to update you guys... It took a couple of hours, but I have some more messages in the queues. I didn't have much time to spend looking at the client machines while I was on site today. I've instructed them to turn off their computers when they leave for the day so I can determine if it's a server-related hacking issue, or a desktop virus/malware causing the problem.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Prepoluate a Global Access List in exchange 2013 1 19
Exchange 2010 DAG Replay Queue 9 26
Exchange 2013 Admin Center Issue 3 17
Creating DAG on Exchange 2016 4 17
Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question