Server 2008 w/Exchange: suggested steps in locating a network virus
Posted on 2013-11-13
My new client (2 days) has a 2008 Standard server running Exchange, and it is the PDC. A Server 2003 server is more or less a computer on the domain that runs a proprietary database app. There is an Asterisk VOIP computer receiving DHCP on the same subnet as all computers on the domain. No SharePoint is used.
After doing an audit of all computers on the domain, 1 computer (XP Pro SP3) had a virus, for which I had to reformat and load everything. Another computer (XP Pro SP3) had 2 viruses after the Asterisk VOIP server was installed 2 months ago. This, again, was before I began services for the company. The user that had the 2 viruses is currently being spammed to death.
Some users on the domain are not receiving email but can send.
Another user, upon boot, has regedit come up immediately. I unchecked it in msconfig.exe, but it still appears.
Symantec Endpoint Protection was installed on all but 3 computers when I took over.
I do not service the VOIP phones or server. I know that Asterisk is an open source application and is vulnerable to port scanning and backdoor attacks.
The 2008 server is not on the edge of the network. It has a 192.168.1.X IP address with one NIC. It is connected to an unmanaged Ethernet switch. The switch is connected to an SMC router, which connects to a broadband Comcast router.
The VOIP server is connected to an ADTRAN SIP interface. The ADTRAN is connected to an ARRIS (Comcast) router via an Ethernet connection.
Another Ethernet connection from the Asterisk server is connected to the unmanaged Ethernet switch.
At this point, having viewed all hardware and logical software on the network, there are numerous hardware points at which viruses can be introduced to the network.
My question: "What approach should be taken in handling the mystery of where the viruses come from?"
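One concrete check that follows from the "regedit comes up at boot even after unchecking it in msconfig" symptom, added here as an example and not part of the original post: msconfig only shows the Run keys and Startup folders, so a persistence entry can hide in Winlogon values or policy Run keys. The script below enumerates the common autostart locations on one host and flags anything that references regedit. It assumes PowerShell 2.0 or later is present on the XP/2008 host (PowerShell is not on XP by default) and that it runs with local administrator rights; the registry paths are standard Windows locations, nothing is specific to this network.

```powershell
# Added example (not from the original post): enumerate common Windows autostart
# locations on the local host and flag entries that launch regedit.
# Assumes PowerShell 2.0+ is installed on the XP/2008 host and the script runs
# as a local administrator.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

$entries = @()

foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $entries += New-Object PSObject -Property @{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
            }
        }
    }
}

# Winlogon Shell/Userinit are persistence points that msconfig does not show.
# Expected defaults are "explorer.exe" and "<system32>\userinit.exe,".
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($value) {
        $entries += New-Object PSObject -Property @{ Location = $winlogon; Name = $name; Command = [string]$value }
    }
}

# Startup folders for all users and for the current user
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | ForEach-Object {
            $entries += New-Object PSObject -Property @{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# List everything found, then highlight anything that references regedit
$entries | Sort-Object Location, Name | Format-Table -AutoSize Location, Name, Command

$suspect = $entries | Where-Object { $_.Command -match 'regedit' }
if ($suspect) {
    Write-Host "`nAutostart entries referencing regedit:" -ForegroundColor Yellow
    $suspect | Format-Table -AutoSize Location, Name, Command
} else {
    Write-Host "`nNo autostart entry references regedit; check scheduled tasks (schtasks /query /v) and services next."
}
```

Run it on the affected XP machine while logged in as the user who sees regedit at boot, since the HKCU keys and the per-user Startup folder are read for the current account. An entry that appears here but not in msconfig is the one to document (key path, value, and the file it points to) before the machine is cleaned or rebuilt, so the same indicator can be checked on the other domain hosts.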