Trying to find out if I'm hacked.

I am a new Exchange 2003 admin and I'm trying to find out if my server has 
gotten hacked.  Here are the symptoms:
1.  I am getting odd emails from senders like "Bounced Mail" and such, 
saying that I've been sending out massive amounts of spam.
2.  My server is emailing me alerting me that store.exe is allocating more 
memory than normal.

Here is what I have done thus far:
1.  Checked my server's queue to see if there are a bunch of items; there are 
none.
2.  Run my virus scan program several times and found nothing.

So on the surface things seem OK, we are still sending and receiving fine, 
but it just seems odd, and I'd like to make sure I have not been compromised.

Thanks in advance for any help.
2/25/2005 4:41:02 PM
exchange.admin

3 Replies

1.  Enable message tracking logs and SMTP protocol logs.  Also, make sure 
that you have your firewall set so that the only computers that can send 
outbound on port 25 (SMTP) are your Exchange server(s).  This will ensure 
that if any computer inside the network gets infected with a virus, it 
won't be able to send out e-mails with a built-in SMTP engine.  Message 
tracking and SMTP logging will also let you track and see if you did in fact 
send the message to the recipient in question.  More than likely you didn't, 
but whoever did happened to forge your domain as the sender.

2.  How are you monitoring memory allocation, and what is deemed normal? 
How much physical memory do you have in your server, and how much memory is 
store.exe taking?

-- 
Ben Winzenz
Exchange MVP


"Stephen Zachmann" <StephenZachmann@discussions.microsoft.com> wrote in 
message news:E5BA6269-E788-4C8F-BE9C-DE420CA09AC7@microsoft.com...
2/25/2005 4:58:04 PM
Thanks a ton for the info.  It turns out that I had the logging on.  So I ran 
through this log, which is incredibly long and has all these emails sent to 
people at my organization that don't exist (simmons@mydomain.com).  Is that 
normal?  Also, upon first glance, there were extremely few from legitimate 
org members, so the vast majority seems to be a receive log, although it 
doesn't do a great job breaking up what you have received from the outside from 
what you have sent from your org.  OK, so it seems like I'm clear; what do 
you think?  Also, I'm not exactly sure how much memory it is using, 
how much it has, or how I managed to get this alert; it was set up for me by 
someone else.  Sorry.

Thank you.


"Ben Winzenz [Exchange MVP]" wrote:
2/25/2005 7:49:05 PM
Regarding all of the email sent to the invalid aliases, read the following. 
You can set up Exchange Server 2003 to drop SMTP sessions destined to invalid 
aliases within your domain.  This will reduce the workload on your Exchange 
Server, as outlined below.

If <> or postmaster is the originating email address of the outbound emails,
then they are Non-Delivery Reports (NDRs).

Exchange Server accepts aliases to valid domains at your Exchange server.
Later, if the alias is undeliverable, Exchange Server returns a Non-Delivery
Report (NDR) to the originator.  If a non-delivery report can't be
delivered to the sender, a copy of the original message is placed in the
"bad mail" directory. Messages placed in the bad mail directory can't be
delivered or returned. You can use the bad mail directory to track potential
abuse of your messaging system. By default, the bad mail directory is
located at root:\Exchsrvr\Mailroot\vsi#\BadMail, where root is the install
drive for Exchange Server and # is the number of the SMTP virtual server,
such as C:\Exchsrvr\Mailroot\vsi 1\BadMail. You can change the location of
the bad mail directory at any time, but you should never place the directory
on the M: drive, which is reserved for other types of Exchange Server data.

Likely at your location spammers are attempting dictionary attacks on your
domains in an attempt to get their emails delivered.  A dictionary attack is
a run of emails addressed to a large list of common aliases.  Also, to prevent
the spammer from being swamped with NDRs, the originating email address is
typically spoofed or randomized.  Exchange Server attempts to deliver NDRs
to the originator of the emails with invalid aliases during the dictionary
attack.  Because many of the originating addresses of the spam are
falsified, the NDRs sit in the outbound queue (outbound with originating
address of <> or postmaster@yourdomain.com) attempting to go to an invalid
location.  Eventually the NDRs fail the defined number of retries and are
moved to your BadMail folder.

The following article describes how to prevent Exchange 2003 Server from
accepting undeliverable email, which therefore reduces the number of items
in your BadMail folder.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823866

The following article disables Non-Delivery Reports in Exchange 2000/2003
(NOTE: this will not prevent items from being accepted and moved to your
BadMail folder):

http://support.microsoft.com/default.aspx?scid=kb;en-us;294757

Geoff Pearce

"Stephen Zachmann" <StephenZachmann@discussions.microsoft.com> wrote in 
message news:77461077-DC8D-4671-B358-CE17E7CE019C@microsoft.com...

2/25/2005 11:49:20 PM
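Both checks suggested in this thread can be scripted against the SMTP protocol log the server already writes: Ben's (did your server actually originate the message, or did an outside host forge your domain as MAIL FROM?) and Geoff's (is one source hammering non-existent aliases, and how many of those accepted RCPTs will turn into NDR backscatter?). The script below is an added example written for this thread; it is not code from either reply or from Microsoft. It assumes the log is the IIS W3C extended format the SMTP virtual server writes, with a "#Fields:" header naming the columns (the column order is read from that header, not hard-coded), that each SMTP verb is logged as one line with the verb in cs-method, its argument in cs-uri-query ("+FROM:+<addr>" / "+TO:+<addr>") and the numeric reply in sc-status. The domain, the valid-mailbox list, the address ranges and every sample log line are constructed for illustration.

```python
"""Triage an Exchange 2003 SMTP protocol log for a dictionary attack on
local aliases (and the NDRs it will generate) and for outside hosts that
forge the local domain as sender.

Added example for this thread, not code from the posts or from Microsoft.
Assumes the IIS W3C extended log format with a '#Fields:' header; each SMTP
verb on its own line (cs-method = verb, cs-uri-query = argument,
sc-status = SMTP reply code). Domain, mailbox list, address ranges and
SAMPLE_LOG are all constructed.
"""
import re
from collections import defaultdict

OUR_DOMAIN = "mydomain.com"                                        # constructed
VALID_MAILBOXES = {"stephen@mydomain.com", "jsmith@mydomain.com"}  # constructed
INTERNAL_PREFIX = "192.168."                                       # constructed LAN range

_ADDR = re.compile(r"<([^>]*)>")   # '<>' (the null sender of an NDR) yields ''

# Constructed sample: one outside host probing four aliases (three do not
# exist), one outside host forging a local sender, one LAN copier relaying.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2005-02-25 14:00:01 203.0.113.7 mx.example.net SMTPSVC1 EXCH01 192.168.1.10 0 EHLO - +mx.example.net 250 0 0 0 0 SMTP - - - -
2005-02-25 14:00:01 203.0.113.7 mx.example.net SMTPSVC1 EXCH01 192.168.1.10 0 MAIL - +FROM:+<x91@example.net> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:00:01 203.0.113.7 mx.example.net SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:+<simmons@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:00:01 203.0.113.7 mx.example.net SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:+<adams@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:00:02 203.0.113.7 mx.example.net SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:+<baker@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:00:02 203.0.113.7 mx.example.net SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:+<stephen@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:05:10 198.51.100.23 relay.example.org SMTPSVC1 EXCH01 192.168.1.10 0 MAIL - +FROM:+<stephen@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:05:10 198.51.100.23 relay.example.org SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:+<jsmith@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:20:00 192.168.1.55 copier SMTPSVC1 EXCH01 192.168.1.10 0 MAIL - +FROM:+<jsmith@mydomain.com> 250 0 0 0 0 SMTP - - - -
2005-02-25 14:20:00 192.168.1.55 copier SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:+<stephen@mydomain.com> 250 0 0 0 0 SMTP - - - -
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # skip truncated or malformed lines
        yield dict(zip(fields, values))


def envelopes(rows):
    """Pair each RCPT with the MAIL FROM that preceded it from the same client IP."""
    current_sender = {}                   # c-ip -> most recent MAIL FROM address
    for row in rows:
        verb = row["cs-method"].upper()
        m = _ADDR.search(row["cs-uri-query"])
        addr = m.group(1).lower() if m else ""
        if verb == "MAIL":
            current_sender[row["c-ip"]] = addr
        elif verb == "RCPT":
            yield {"ip": row["c-ip"], "time": row["date"] + " " + row["time"],
                   "mail_from": current_sender.get(row["c-ip"], ""),
                   "rcpt_to": addr, "status": row["sc-status"]}


def dictionary_attack_sources(envs, min_unknown=3):
    """Per client IP, count RCPTs to local addresses that do not exist.
    Without recipient filtering the server answers 250 and only discovers the
    bad alias later, so every 'accepted_unknown' is an NDR it will then try to
    return to a (usually forged) sender: the backscatter Geoff describes."""
    stats = defaultdict(lambda: {"unknown": 0, "accepted_unknown": 0, "known": 0})
    for e in envs:
        if not e["rcpt_to"].endswith("@" + OUR_DOMAIN):
            continue
        s = stats[e["ip"]]
        if e["rcpt_to"] in VALID_MAILBOXES:
            s["known"] += 1
        else:
            s["unknown"] += 1
            if e["status"] == "250":
                s["accepted_unknown"] += 1
    return {ip: s for ip, s in stats.items() if s["unknown"] >= min_unknown}


def forged_local_senders(envs):
    """Envelopes in which an outside host claims MAIL FROM at our domain.
    Local users submit through the server, not from the internet, so these
    are the forgeries behind the 'you sent us spam' bounces (add any relay
    you deliberately accept such mail from to an allow-list first)."""
    return [e for e in envs
            if e["mail_from"].endswith("@" + OUR_DOMAIN)
            and not e["ip"].startswith(INTERNAL_PREFIX)]


def triage(log_text):
    """Run both checks over one protocol log and return the findings."""
    envs = list(envelopes(parse_w3c(log_text)))
    return {"dictionary_attacks": dictionary_attack_sources(envs),
            "forged_senders": forged_local_senders(envs)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, s in report["dictionary_attacks"].items():
        print(f"{ip}: {s['unknown']} RCPTs to non-existent mailboxes, "
              f"{s['accepted_unknown']} accepted -> that many NDRs to forged senders")
    for e in report["forged_senders"]:
        print(f"{e['time']} {e['ip']} forged MAIL FROM {e['mail_from']} -> {e['rcpt_to']}")
```

Run it against the real log by reading the file and passing its text to triage(). An IP with many RCPTs to addresses that are not in your mailbox list, all answered 250, is the dictionary attack, and each of those 250s is an NDR the server will later queue for a forged address; once recipient filtering (KB 823866) is on, the same RCPTs are refused with 550 and accepted_unknown drops to zero. The forged-sender list answers Ben's question directly: the bounces come from mail that never passed through your server. Any internal host other than the Exchange server that shows up as c-ip (the copier in the sample) is also worth identifying; those are the machines Ben's port-25 egress rule stops from mailing the internet directly, and an infected one may relay through the server instead.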