Re: repeated failure of store - security hack?
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Nov 2005 10:33:17 -0500
In news:05004143-60D4-45E8-B0E4-7E2E874BDCDD@xxxxxxxxxxxxx,
John McCombe <JohnMcCombe@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
> Hi
>
> I have a problem with an SBS 2003 server running fine since
> commissioning in August 05. Last Monday morning at 08:39 there were 50+
> attempts to log in to the server from a (Win98) client using the
> wrong password and the user was locked out.
Disable account lockout - it's a bad idea.
> I received an email
> warning. Then the users came in at 9:00 and advised me that no one
> could log in. I am remote from the server, and could not access it
> either.
>
> I recommended a soft re-boot, but unfortunately they could not do so,
> and powered off & on.
>
> At this stage, login was allowed, but email delivery was not working.
> I checked in the event logs and was told that the store could not start
> as the exxx log file was corrupt.
>
> Using the MS KB I restored the log files from backup and the store
> started OK - email traffic OK.
>
> This lasted about 28 hours, and the same symptoms occurred - store not
> mounted, emails received (by POP3) but not delivered.
>
> I went to visit the server - rebooted, restored the log files, all OK.
> I ran the MS malicious software removal tool, nothing found. I ran the MS
> antispyware tool, nothing found. (It is now running in the background.)
>
> I left site at 2pm with all messages tracked as delivered OK.
>
> At 2:06 the same happened and email delivery went down.
>
> I got the following events logged:
>
>
> Event Type: Warning
> Event Source: ESE
> Event Category: Performance
> Event ID: 508
> Date: 23/11/2005
> Time: 14:06:16
> User: N/A
> Computer: COULTER-MAIN
> Description:
> Information Store (3196) First Storage Group: A request to write to
> the file "D:\exchsrvr\mdbdata\E00tmp.log" at offset 0
> (0x0000000000000000) for 1048576 (0x00100000) bytes succeeded, but
> took an abnormally long time (244 seconds) to be serviced by the OS.
> This problem is likely due to faulty hardware. Please contact your
> hardware vendor for further assistance diagnosing the problem.
>
> For more information, click
> http://www.microsoft.com/contentredirect.asp.
>
>
> Event Type: Warning
> Event Source: ESENT
> Event Category: Performance
> Event ID: 508
> Date: 23/11/2005
> Time: 14:06:15
> User: N/A
> Computer: COULTER-MAIN
> Description:
> wins (1656) A request to write to the file
> "C:\WINDOWS\system32\wins\j50.log" at offset 389632
> (0x000000000005f200) for 512 (0x00000200) bytes succeeded, but took
> an abnormally long time (60 seconds) to be serviced by the OS. This
> problem is likely due to faulty hardware. Please contact your
> hardware vendor for further assistance diagnosing the problem.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Event Type: Warning
> Event Source: ESENT
> Event Category: Performance
> Event ID: 508
> Date: 23/11/2005
> Time: 14:06:15
> User: N/A
> Computer: COULTER-MAIN
> Description:
> tcpsvcs (2064) A request to write to the file
> "C:\WINDOWS\System32\dhcp\j50.log" at offset 15360
> (0x0000000000003c00) for 512 (0x00000200) bytes succeeded, but took
> an abnormally long time (60 seconds) to be serviced by the OS. This
> problem is likely due to faulty hardware. Please contact your
> hardware vendor for further assistance diagnosing the problem.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> When I checked the counters it does show disk idle time low and
> transfer rate low, which suggests hardware - but considering recent
> events (and the fact that the drive is new) I am not sure.
Well, I'd be inclined to believe it. What's your disk setup? Hardware RAID
is the best. Got good backups? Take a full backup now.
> Also, on checking the security logs I get repeated logon/logoff events.
>
<snip>
>
> I have successfully restored the store again; but for how long?
>
> I am thinking rootkit trojan - I have not come across one before and
> do not want to!
>
> Please help, I am getting overwhelmed here!
You need good antivirus software running on your whole network. Do you have
a separate 'edge' firewall in place or are you using ISA?
Don't run beta software on your server. And spyware is unlikely to be on it
unless someone's using it as a workstation, which they shouldn't be. I think
you have hardware problems, myself.
>
> Many thanks
>
> John
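An added example, not from either poster: a small Python triage script for the two things the thread describes, the burst of bad-password logons that locked the account out, and the ESE/ESENT 508 "abnormally long time" write warnings. It parses the three 508 descriptions quoted above (copied into the script as constructed sample rows) and checks the pattern that points at a shared storage path rather than one application: several unrelated processes (Information Store, wins, tcpsvcs) stalling within the same second on more than one volume. The security-log rows are constructed; event ID 529 (bad password) and 644 (account locked out) are the Windows Server 2003 IDs, and the account and workstation names are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the three ESE/ESENT 508 warnings quoted in the thread,
# reduced to (source, local timestamp, description). Values are the thread's own.
SLOW_IO_SAMPLE = [
    ("ESE", "23/11/2005 14:06:16",
     'Information Store (3196) First Storage Group: A request to write to the file '
     '"D:\\exchsrvr\\mdbdata\\E00tmp.log" at offset 0 (0x0000000000000000) for '
     '1048576 (0x00100000) bytes succeeded, but took an abnormally long time '
     '(244 seconds) to be serviced by the OS.'),
    ("ESENT", "23/11/2005 14:06:15",
     'wins (1656) A request to write to the file "C:\\WINDOWS\\system32\\wins\\j50.log" '
     'at offset 389632 (0x000000000005f200) for 512 (0x00000200) bytes succeeded, '
     'but took an abnormally long time (60 seconds) to be serviced by the OS.'),
    ("ESENT", "23/11/2005 14:06:15",
     'tcpsvcs (2064) A request to write to the file "C:\\WINDOWS\\System32\\dhcp\\j50.log" '
     'at offset 15360 (0x0000000000003c00) for 512 (0x00000200) bytes succeeded, '
     'but took an abnormally long time (60 seconds) to be serviced by the OS.'),
]

# Shape of the 508 description as it appears in the thread. The instance part
# ("First Storage Group:") is optional; it is absent for wins and tcpsvcs.
SLOW_IO_RE = re.compile(
    r'^(?P<process>.+?) \((?P<pid>\d+)\)(?: (?P<instance>[^:"]+):)? A request to '
    r'(?P<op>read from|write to) the file "(?P<path>[^"]+)" at offset (?P<offset>\d+) '
    r'\(0x[0-9a-fA-F]+\) for (?P<size>\d+) \(0x[0-9a-fA-F]+\) bytes succeeded, but took an '
    r'abnormally long time \((?P<seconds>\d+) seconds\)'
)


def parse_slow_io(source, when, description):
    """Return a dict for one 508 slow-I/O event, or None if the text is not one."""
    m = SLOW_IO_RE.match(description)
    if not m:
        return None
    d = m.groupdict()
    return {
        "source": source,
        "time": datetime.strptime(when, "%d/%m/%Y %H:%M:%S"),
        "process": d["process"],
        "pid": int(d["pid"]),
        "instance": d["instance"],
        "path": d["path"],
        "volume": d["path"][:2].upper(),   # "C:" or "D:"
        "bytes": int(d["size"]),
        "seconds": int(d["seconds"]),
    }


def stall_summary(events, window=timedelta(seconds=5)):
    """Cluster 508 stalls that fall within `window` of each other.

    A cluster that spans more than one process AND more than one volume is the
    pattern in the thread: something below the applications (disk, controller,
    driver) stalled, not a single service misbehaving.
    """
    parsed = sorted(filter(None, (parse_slow_io(*e) for e in events)),
                    key=lambda e: e["time"])
    clusters = []
    for ev in parsed:
        if clusters and ev["time"] - clusters[-1]["end"] <= window:
            c = clusters[-1]
        else:
            c = {"start": ev["time"], "end": ev["time"], "processes": set(),
                 "volumes": set(), "max_seconds": 0, "events": 0}
            clusters.append(c)
        c["end"] = max(c["end"], ev["time"])
        c["processes"].add(ev["process"])
        c["volumes"].add(ev["volume"])
        c["max_seconds"] = max(c["max_seconds"], ev["seconds"])
        c["events"] += 1
    for c in clusters:
        c["shared_path_suspect"] = len(c["processes"]) > 1 and len(c["volumes"]) > 1
    return clusters


def make_logon_sample():
    """Constructed security-log rows: (time, event id, account, workstation).

    529 = logon failure (bad password), 644 = account locked out. Fifty bad
    passwords from one Win98 box in under a minute, then the lockout, as in
    the thread; names are invented.
    """
    t0 = datetime(2005, 11, 21, 8, 39, 0)
    rows = [(t0 + timedelta(seconds=i), 529, "jsmith", "WS98-01") for i in range(50)]
    rows.append((t0 + timedelta(seconds=50), 644, "jsmith", "WS98-01"))
    rows.append((t0 + timedelta(minutes=5), 529, "mjones", "WS-07"))   # lone typo
    return rows


def failed_logon_bursts(rows, window=timedelta(minutes=2), threshold=10):
    """Return {(account, workstation): peak count} for every source that produced
    at least `threshold` 529 events inside some `window`-long span."""
    by_src = defaultdict(list)
    for when, eid, account, ws in rows:
        if eid == 529:
            by_src[(account, ws)].append(when)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


if __name__ == "__main__":
    for c in stall_summary(SLOW_IO_SAMPLE):
        print(c["start"], c["events"], "stalls", sorted(c["volumes"]),
              "max", c["max_seconds"], "s, shared path suspect:", c["shared_path_suspect"])
    print(failed_logon_bursts(make_logon_sample()))
```

The two checks answer different questions. The lockout burst tells you which workstation and account to look at (one Win98 client, 50+ tries in a minute, then the 644), which is a client-side problem or a guess attempt, not something that corrupts an Exchange log file. The stall cluster shows three separate processes on two volumes blocked in the same second, which is what the 508 text itself attributes to the storage hardware; a trojan that only touched the store would not stall the WINS and DHCP JET databases on C: at the same instant.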