14-04-10, 05:35 PM   #1
Dave20046
Who likes MS Exchange (2003)?

Again, pushing the boundaries with what I can use the .org for, but I'm having a bit of a mare with Exchange 2003 and it's not my forte...

Basically all emails stopped working. I thought "oh dear"; the Exchange server had been blacklisted and, surprise surprise, I found a good 100,000+ queued up 'post master' emails. Not a problem, I thought, it's just a non-delivery report attack; I'll remove the malware and all will be dandy. Anyhoo, I double triple scanned the Exchange box and its connected machine with all anti-malwares under the sun; unsurprisingly they both had a few viruses on and the client machine had a spammer on. Removed these, went back to my server and it's still generating these mails (however I've noted it's not 'postmaster' sort emails anymore, they're spoofed senders, i.e. PayPal to random recipients). I've unplugged the client machine and so long as the Exchange box has an internet connection it still tries to spam its little heart out, so the server's the problem... however that's where I'm at a bit of a loss. It's not been set to an open relay as far as I can determine and no anti-malware software can detect anything amiss on it.

However, something I have noticed is that in the server security logs I had an 'anonymous login' logged from the workstation that had the spammer on (and rootkit too actually, plus a few viruses); some time after that, a user promoted themselves to having full control of the server. This user is an old member of staff's account and is no longer used (although it was not disabled previously); this same user has been logging in every few hours since that event for a few seconds. I've now stripped their rights, disabled the account and locked down all other logins.

Just throwin' it out there in case anyone's interested/inclined to help.

Many athankyous

Last edited by Dave20046; 14-04-10 at 05:37 PM.