I could cry

Post by George Heste » Thu, 01 Aug 2002 15:03:05

My Exchange 2000 was working perfectly.  It still is working but not perfectly.
I caught something.  Something *.  Off a Website I'm pretty sure.   Here's
what happened.

I watched my disk space going zoom right to 0 free space.  It clicked and
clunked and like a dive bomb zoomed right down to nothing free space and of
course the machine began to crawl.  I had to get out of Windows 2000 SP2 as
patched as patched can be.  I noticed my Real Server was at 80% so I thought
that was it.  Disabled it at boot and no that wasn't it.

What was happening is that Bad Mail was filling up and my log was increasing
exponentially.  I checked the W32SVC logs but no successful NIMDA in there.
Also the files it puts in the server were not there.

But the culprit was my SMTP server.  Of course something has waylaid it.  I have
to disable it for now.  Anyone have any ideas what kind of * this could be
and maybe have a suggestion where it might reside so that I can get this machine
back.  Worked perfectly yesterday, today dog crap.

Thanks.

--
George Hester
_________________________________

Post by Lanwenc » Thu, 01 Aug 2002 20:47:55


Run an antivirus scan on it (excluding your Exchange directories and the M
drive)
Check your app logs.
What do you mean something waylaid your SMTP server? Do you have SP2
installed with the SMTP repair tool?

Post by George Heste » Fri, 02 Aug 2002 00:05:35


Thanks.  AV is finding nothing.  Going to do more in the M drive.  Waylaid like
has taken it over.  If my SMTP server starts at boot the log will increase
without bound and bad email is being sent to every Tom* and Harry on the
Planet.  This is a new type of infection.  I have never heard nor seen anything
like this.  Furthermore it has removed my Domain Group Policy Object.  That
snap-in no longer works.  Local Policy still works but I can no longer adjust the
Domain Security Policy.

OK folks I probably will have to reinstall this server.  I don't think this type
of infection has made any news yet.  But I believe it will.

--
George Hester
_________________________________

Post by Rob Gome » Fri, 02 Aug 2002 01:11:50


Consider installing Trend Micro's ScanMail for Exchange,
and run OfficeScan as well.  Have them update the pattern
files on the hour.

No more viruses in your email, and the odds of the server
itself running some malicious code are minimized.

Additionally, the eManager plug-in for ScanMail works
great in filtering out spam.

Trend just makes pretty useful products for 2K to take
care of this * (although eManager takes a lot of fine
tuning).

Post by George Heste » Fri, 02 Aug 2002 02:02:29


Thanks Rob I think I'll do that.  The virus scanners I am using and the trojan
scanner I have used are not really finding anything.  But the trojan scanner gave
me the ability to watch what is being called at boot and stopped any suspicious
activity.

What happened after I did this is this in Bad Mail.  Only three instead of
millions:

X-Sender: Enter your email here

From: <Enter your email here>

Subject: Enter a subject here
Date: Wed, 31 Jul 2002 01:23:37 -0400
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300

Thanks for all the neat files.

This is not what they were like before.  Before the email addresses were like

But I think I found the culprit and would like some feedback if you think this
may be a contribution to the problem:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"IsInstalled"=dword:00000001
"Locale"="EN"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,4f,00,75,00,74,00,6c,00,6f,00,6f,00,6b,\
  00,20,00,45,00,78,00,70,00,72,00,65,00,73,00,73,00,5c,00,73,00,65,00,74,00,\
  75,00,70,00,35,00,30,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,41,00,50,\
  00,50,00,3a,00,4f,00,45,00,20,00,2f,00,43,00,41,00,4c,00,4c,00,45,00,52,00,\
  3a,00,57,00,49,00,4e,00,4e,00,54,00,20,00,2f,00,75,00,73,00,65,00,72,00,20,\
  00,2f,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,00,00
"Version"="5,50,4807,1700"

and this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed

"IsInstalled"=dword:00000001
"Locale"="EN"
"ComponentID"="WAB"
"StubPath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,4f,00,75,00,74,00,6c,00,6f,00,6f,00,6b,\
  00,20,00,45,00,78,00,70,00,72,00,65,00,73,00,73,00,5c,00,73,00,65,00,74,00,\
  75,00,70,00,35,00,30,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,41,00,50,\
  00,50,00,3a,00,57,00,41,00,42,00,20,00,2f,00,43,00,41,00,4c,00,4c,00,45,00,\
  52,00,3a,00,57,00,49,00,4e,00,4e,00,54,00,20,00,2f,00,75,00,73,00,65,00,72,\
  00,20,00,2f,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,00,00
"Version"="5,50,4807,1700"

Does this key look normal to fire at boot?

--
George Hester
_________________________________
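The StubPath data above is hex(2), the .reg export form of REG_EXPAND_SZ: UTF-16LE bytes written as comma-separated hex, which is why the entry is hard to judge by eye. The parser below is an added example and not code from the thread; REG_TEXT is the MailNews entry from this post copied verbatim, with the key name completed from the copy quoted later in the thread. Decoded, the value is the Outlook Express per-user setup stub (setup50.exe /APP:OE), which Active Setup runs once per user at first logon; decoding is what shows whether a StubPath points at something it should not.

```python
import re

# Added example, not from the thread. REG_TEXT is the MailNews entry posted
# above (key name completed from the copy quoted later in the thread).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"IsInstalled"=dword:00000001
"Locale"="EN"
"ComponentID"="MailNews"
"CloneUser"=dword:00000001
"StubPath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,4f,00,75,00,74,00,6c,00,6f,00,6f,00,6b,\
  00,20,00,45,00,78,00,70,00,72,00,65,00,73,00,73,00,5c,00,73,00,65,00,74,00,\
  75,00,70,00,35,00,30,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,41,00,50,\
  00,50,00,3a,00,4f,00,45,00,20,00,2f,00,43,00,41,00,4c,00,4c,00,45,00,52,00,\
  3a,00,57,00,49,00,4e,00,4e,00,54,00,20,00,2f,00,75,00,73,00,65,00,72,00,20,\
  00,2f,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,00,00
"Version"="5,50,4807,1700"
'''

def _join_continuations(text):
    """Rejoin value lines that regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    if buf:
        lines.append(buf)
    return lines

def parse_reg_values(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export.
    Decodes dword:, hex(2): (REG_EXPAND_SZ, UTF-16LE) and quoted strings."""
    result, key = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue                      # header, blank or malformed line
        name, data = m.groups()
        if data.startswith("dword:"):
            result[key][name] = int(data[len("dword:"):], 16)
        elif data.startswith("hex(2):"):
            raw = bytes.fromhex(data[len("hex(2):"):].replace(",", ""))
            result[key][name] = raw.decode("utf-16-le").rstrip("\x00")
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            result[key][name] = data[1:-1]
        else:
            result[key][name] = data      # other types left undecoded
    return result

def stub_paths(text):
    """Map each Active Setup key to the command line its StubPath runs."""
    return {k: v["StubPath"] for k, v in parse_reg_values(text).items()
            if "StubPath" in v}

if __name__ == "__main__":
    for key, cmd in stub_paths(REG_TEXT).items():
        print(key.rsplit("\\", 1)[-1], "->", cmd)
```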

Post by John Eddy [MS » Fri, 02 Aug 2002 02:49:49



George,

Did you try doing a network trace to see if someone was trying to use
your server as a relay?  You should be able to see inbound connection
attempts as well while the VS isn't running.  The version of Network
Monitor that comes with Windows 2000 Server should be good enough to
test this out (as long as you install it on the server.)

Or try setting the SMTP Virtual Server to only listen on an internal IP
address.  Also, make sure the clients are running up-to-date AV and
Virus definitions.

John Eddy
Exchange Communities PM
--
Note: This posting is provided "AS IS" with no warranties, and confers
no rights.

Post by George Heste » Fri, 02 Aug 2002 04:15:31


Hi John:

   Boy I sure hope that is all it was.  Actually if it is then that may
explain where all these addresses were coming from.  I believed that they were
being generated by something in my machine but I just couldn't find any obvious
villains.  But the call to OEX at boot which also included a call to WAB seemed
the most likely culprit.

Also, this may be interesting.  Turns out I had a program installed called
RedV EasyInstall.  Now I know I don't need no *to help me to install
something.  But something did.  I removed that from Add/Remove (I really don't
trust the uninstall; I'll look more into it later) and removed the reg entries I
previously listed.  Did a Restore of my IIS and tried Last Known Good
Configuration (This one resulted in a Windows Message at boot, "Windows 2000
could not be started as configured.  A previous working configuration was used
instead").   Now I really don't know what that meant as the machine booted fine
with the villain active.

Anyway I have nipped it.  From what you say John I'm hoping that there really
isn't anything * in here that I have done all I can do.

This started at a Web site I visited.  I noticed my free space dropped 200MB
while there.  I assumed it was due to Temporary Internet Files.  So I deleted
them through the IE properties interface.  But the space did not come back.
The machine was basically unusable at this point.  So I used a different
operating system to look at the structure and contents of the file system.  And
there it was.  An SMTP log that was 130 MB and zillions of BAD eml's in the Bad
Mail folder.  The IE logs showed nothing amiss.

No trojan scanner or AV that I tried was successful getting this to stop.  They
all said I was hunky dory.  And I tried Norton, Network Associates, and Bulldog.
Tried Trojan Remover too.  They were all saying, "You're a happy camper."  Well
I wasn't.  It was the Trojan Remover that gave me the tool I needed.  Although
it found nothing amiss it gave me the ability to scan the registry for every
single call to HKLM\Services that was occurring during boot.  And running down
through that I saw the calls to OEX and so got at this thing that way.

Fixed for now, back to Production.  After I get some of these safeguards y'all
have mentioned.

Finally I do have the full version of the Network Monitor.  I should get better
with that huh?

Thank you.

--
George Hester
_________________________________

Post by John Eddy [MS » Fri, 02 Aug 2002 08:52:34



> No trojan scanner or AV that I tried was successful getting this to stop.  They
> all said I was hunky dory.  And I tried Norton, Network Associates, and Bulldog.
> Tried Trojan Remover too.  They were all saying, "You're a happy camper."  Well
> I wasn't.  It was the Trojan Remover that gave me the tool I needed.  Although
> it found nothing amiss it gave me the ability to scan the registry for every
> single call to HKLM\Services that was occurring during boot.  And running down
> through that I saw the calls to OEX and so got at this thing that way.

> Fixed for now back to Production.  After I get some of these safeguards ya'll
> have mentioned.

> Finally I do have the full version of the Network Monitor.  I should get better
> with that huh?

Well, strictly speaking, I'd be more concerned with viruses on the client
than I would on the server usually, especially if a virus check on the
server showed clean.

As for netmon, yes.  Network sniffers can be invaluable tools,
especially with plain text conversations like SMTP.

John Eddy
Exchange Community PM
--
Note: This posting is provided "AS IS" with no warranties, and confers
no rights.

Post by Niko » Sun, 04 Aug 2002 10:09:41


Hi,

The symptoms you described look as if your Exchange server is not prevented
from relaying, and that someone
has attacked you for spam e-mail.



Post by George Heste » Mon, 05 Aug 2002 14:09:02


Yes.  I believe that is what happened. I turned that off.  Been available for
relay for 6 months.  I thought it would have happened before now.

--
George Hester
_________________________________
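Niko's diagnosis, which George confirms above, is an open relay, and that shows up in the SMTP service's protocol log as outside hosts issuing RCPT TO for domains the server does not accept mail for. The following is an added example, not code from the thread: it assumes W3C-style log lines with client IP, SMTP verb and argument as the second to fourth columns, uses constructed sample lines, and treats example.com and 192.168.0.0/16 as placeholder local domain and trusted network.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the thread. Assumed column layout of the SMTP
# service's W3C protocol log: time, client IP, SMTP verb, verb argument.
LOCAL_DOMAINS = {"example.com"}                           # placeholder: domains we accept mail for
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # placeholder: clients allowed to relay

# Constructed sample: one internal user sending out, two outside hosts
# pushing mail for third-party domains through this server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: time c-ip cs-method cs-uri-query
01:23:37 192.168.1.10 MAIL +FROM:<alice@example.com>
01:23:37 192.168.1.10 RCPT +TO:<bob@example.net>
01:23:38 203.0.113.7 MAIL +FROM:<bulk@example.org>
01:23:38 203.0.113.7 RCPT +TO:<victim1@example.net>
01:23:38 203.0.113.7 RCPT +TO:<victim2@example.edu>
01:23:39 203.0.113.7 RCPT +TO:<carol@example.com>
01:23:40 198.51.100.4 MAIL +FROM:<x@example.org>
01:23:40 198.51.100.4 RCPT +TO:<Victim3@Example.NET>
"""

def parse_line(line):
    """Return (client_ip, verb, argument), or None for header/comment lines
    and lines that do not carry all four columns."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[1], parts[2].upper(), parts[3]

def mailbox(arg):
    """Extract the address from '+TO:<user@host>' (case-folded); None if absent."""
    start, end = arg.find("<"), arg.rfind(">")
    if start < 0 or end <= start + 1:
        return None
    return arg[start + 1:end].lower()

def is_internal(ip):
    """True when the client sits inside a network allowed to relay."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def relay_attempts(log_text):
    """Return {client_ip: [recipients]} for every RCPT TO issued by an
    outside client for a domain this server is not responsible for."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, verb, arg = rec
        if verb != "RCPT" or is_internal(ip):
            continue
        rcpt = mailbox(arg)
        if rcpt and rcpt.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
            hits[ip].append(rcpt)
    return dict(hits)

if __name__ == "__main__":
    for ip, rcpts in sorted(relay_attempts(SAMPLE_LOG).items(),
                            key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(rcpts)} relay recipient(s), e.g. {rcpts[0]}")
```

Authenticated clients are allowed to relay by design, and this layout carries no authentication column, so treat the output as candidates to confirm against the virtual server's relay and authentication settings rather than as proof.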


Cry for help, need dir.edb from SBS 4.5

Hello I'm in need of a favor,

A client has lost its dir.edb file (god only knows how it disappeared) and
has no backups; the emergency recovery procedure involves using a dir.edb
file from an installed version of Exchange, or maybe the dir.edb file from
the installation CDs. Now to top it all the client has lost its CDs,
they were probably stolen as the box & books & CALs are still there.
Requesting a copy of the CDs from Microsoft can take weeks to arrive so
I'm begging anyone who has that file (new from the CDs or an installed
version in your exchsrvr\dsadata directory) please mail it to

So far I've gotten nowhere with the recovery. For the past 2 days they've
been calling me every 5 minutes to ask when it will be fixed, making me
nuts :-s

So anyone that has SBS 4.5, I'm begging you, check your exchsrvr\dsadata
directory for me, please.

Another question for a possible solution. We have the installation set for
SBS 2000 here, is it possible that by upgrading the new exchange will pick
up the priv & pub.edb files and generate a new dir.edb file?

Thanks for reading my story... I hope you can help me :-s

--
Kind regards,

Jo Voordeckers
Imagine-IT.BE
