I'm sorry but I agree

Recently our customer's server was "really" compromised. Several users
were created in the AD.

We are reinstalling the server and all the stations (30, he is lucky).

Yes, you can audit, run a spyware tool, AV, but once you have been
compromised, a backdoor could have been installed.

Is the customer ready to take the risk?

My customer decided that no....

JF

Jean-Francois Bourdeau
MCSE(Exchange) / IBM(PSE)
Netgroupes / Microsoft Partner
[EMAIL PROTECTED]
ISSA Montreal <http://www.issa-montreal.org>  Chapter Vice President 
514-884-3024 Office
 
Netgroupes, messaging and security architects !
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Eilers, Lee
Sent: January 20, 2004 4:21 PM
To: Exchange Discussions
Subject: RE: Hijacked Server

Fire in the hole!!  FDISK anyone?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Anthony Sollars
Sent: Monday, January 19, 2004 1:45 PM
To: Exchange Discussions
Subject: RE: Hijacked Server


And I would do it NOW NOW NOW! OMG dude, you are leaving a highly
exposed security hole on your network that may be sniffing passwords and
confidential data. Backup the stores and flatten that baby.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 10:15 AM
To: Exchange Discussions
Subject: RE: Hijacked Server

Looks like it's time to build a new server!
I would AUDIT YOUR FIREWALL, then build a new box.

MO
Matthew Chase

-----Original Message-----
From: David Goldstein [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 18, 2004 9:14 PM
To: Exchange Discussions
Subject: Hijacked Server


Recently my Exchange 2000 server was compromised and was being used as an
open relay server. I have made every change I have read about to patch
the server and that seems to have stopped most of my problems. I was
relaying up to 100,000 emails a day with hundreds of unresolved SMTP
queues - most of that has gone away. But, what still remain are around
20 SMTP queues and a very strange 27 min delay for all (legal) outgoing
mail. I have checked for spyware and viruses possibly left behind by the
hijacker. He did have a password sniffer running, which I have deleted.
There also was a service called mr2kserv.exe which when deleted removed
all of the left over SMTP queues - but only for a day or two. They are
back again.

So my question is this: What do you think is causing the 27 min delay?


Thanks,

David Goldstein

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
