Re: Exchange can send but won't receive after Lovegate worm.
- From: "Bill Swan" <bill@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 17 May 2005 21:10:24 +0100
Hi Mark
My links are part of my signature as info for all with regards to good
resources, nothing specific to your problem...
Where do we go from here?
Recommended advice for a compromised system is to flatten and reinstall; the
bad news is how much can you rely on your backup?
Let's see how we go forward... You said 'no longer an issue'. What did you
mean by this?
Do we know the exact variant of this worm? If it is just the mailing worm
then possibly this is not as severe; if it is the trojan that communicates
with a hacker this is more serious.
I have no experience with Trend but know it is very good. If virus
definitions were up to date then can assume it didn't come in through the
server / Exchange via email.
Any user collecting email via a POP3 account, bypassing Exchange?
All workstations 100% up to date with virus checkers?
Nobody is using any P2P / file sharing programs i.e. Kazaa? You can confirm
100%. If 25 users or less, you can try this freeware program to audit all PCs:
http://www.emco.is/networkinventory3/nifeatures.html This is version 3.
There is a later version but I am not used to its look at the mo...lol
Monitoring users, this site has some good programs..
http://www.effetech.com/download/
Of course you have ISA logs and email SMTP logging. This can be daunting if
you have never used them before.
How many users on site? Depending on work you can do / know about sniffing
the network, then disconnect everything from the LAN, even server kept on
its own. Virus scan fully every single PC. Do not reconnect to LAN till 100%
sure it is clean.
If server protected then it came through from a PC or malicious user.
Flattening and reinstall is just running the installation CD, deleting
partition, recreating and formatting and reinstalling. However, what about
the workstations?
Sorry Mark for all the info thrown at you and all the ifs and buts... Respond
to some of the questions and let's see where we go from there.
www.smallbizserver.net (2000 and 2003)
microsoft.public.backoffice.smallbiz2000 (2000 NG)
microsoft.public.windows.server.sbs (2003 NG)
http://groups.google.com/groups?hl=en&safe=off&group=microsoft.public.backoffice.smallbiz2000
http://groups.google.com/groups?hl=en&lr=lang_en&ie=UTF-8&safe=off&group=microsoft.public.windows.server.sbs
http://www.sbslinks.com/
http://www.sbsmigration.com
"Mark" <aselgat@xxxxxxxxx> wrote in message
news:1116290677.420593.220480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> How it got in is the question. SBS2000 with all service packs. Trend
> SMB suite, all current with max protect settings (confirmed by Trend).
>
> Yes I am scared. Thinking that I need to install a dedicated Gateway
> in hopes to trap there.
>