Re: repeated failure of store - security hack?



You can always call Microsoft product support - Security and discuss the issues.

Lanwench [MVP - Exchange] wrote:
In news:05004143-60D4-45E8-B0E4-7E2E874BDCDD@xxxxxxxxxxxxx,
John McCombe <JohnMcCombe@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:

Hi

I have a problem with an SBS 2003 server running fine since
commissioning in August 05. Last Monday morning at 08:39 there were 50+
attempts to log in to the server from a (Win98) client using the
wrong password and the user was locked out.


Disable account lockout - it's a bad idea.


I received an email
warning. Then the users came in at 9:00 and advised me that no one
could log in. I am remote from the server, and could not access it
either.

I recommended a soft reboot, but unfortunately they could not do so,
and powered off and on.

At this stage, login was allowed, but email delivery was not working.
I checked in the event logs and was told that the store could not start as
the exxx log file was corrupt.

Using the MS KB I restored the log files from backup and the store
started OK - email traffic OK.

This lasted about 28 hours, and the same symptoms occurred - store not
mounted, emails received (by POP3) but not delivered.

I went to visit the server, rebooted, restored the log files, all OK.
I ran the MS Malicious Software Removal Tool, nothing found; I ran the MS
AntiSpyware tool, nothing found (it is now running in the background).

I left site at 2pm with all messages tracked as delivered OK.

At 2:06 the same happened and email delivery went down.

I got the following events logged:


Event Type: Warning
Event Source: ESE
Event Category: Performance
Event ID: 508
Date: 23/11/2005
Time: 14:06:16
User: N/A
Computer: COULTER-MAIN
Description: Information Store (3196) First Storage Group: A request to write to the file "D:\exchsrvr\mdbdata\E00tmp.log" at offset 0 (0x0000000000000000) for 1048576 (0x00100000) bytes succeeded, but took an abnormally long time (244 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

For more information, click
http://www.microsoft.com/contentredirect.asp.


Event Type: Warning
Event Source: ESENT
Event Category: Performance
Event ID: 508
Date: 23/11/2005
Time: 14:06:15
User: N/A
Computer: COULTER-MAIN
Description: wins (1656) A request to write to the file "C:\WINDOWS\system32\wins\j50.log" at offset 389632 (0x000000000005f200) for 512 (0x00000200) bytes succeeded, but took an abnormally long time (60 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Warning
Event Source: ESENT
Event Category: Performance
Event ID: 508
Date: 23/11/2005
Time: 14:06:15
User: N/A
Computer: COULTER-MAIN
Description: tcpsvcs (2064) A request to write to the file "C:\WINDOWS\System32\dhcp\j50.log" at offset 15360 (0x0000000000003c00) for 512 (0x00000200) bytes succeeded, but took an abnormally long time (60 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

When I checked the counters it does show disk idle time low and
transfer rate low, which suggests hardware - but considering recent
events (and the fact that the drive is new) I am not sure.


Well, I'd be inclined to believe it. What's your disk setup? Hardware RAID is the best. Got good backups? Take a full backup now.



Also, on checking the security logs I get repeated logon/logoff events


<snip>

I have successfully restored the store again; but for how long?

I am thinking rootkit/trojan - I have not come across one before and
do not want to!




Please help, I am getting overwhelmed here!


You need good antivirus software running on your whole network. Do you have a separate 'edge' firewall in place or are you using ISA?
Don't run beta software on your server. And spyware is unlikely to be on it unless someone's using it as a workstation, which they shouldn't be. I think you have hardware problems, myself.



Many thanks

John
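The reply above reads the three Event ID 508 warnings as a disk problem rather than an intrusion. The reasoning behind that call can be checked mechanically: if unrelated processes (Exchange, WINS, DHCP) on different volumes all report abnormally slow writes within the same second, the common factor is the I/O path, not any one service. The following is an added example, not code from the thread or from Microsoft, that parses the flattened event text exactly as quoted in the post and clusters the slow writes by timestamp. It assumes the day-first date format the post uses (23/11/2005) and a 5-second clustering window; both are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the three ESE/ESENT Event ID 508 warnings quoted in the thread,
# one event per line in the flattened form the post shows (the trailing vendor
# advice sentence is dropped; the parser does not need it).
SAMPLE_EVENTS = [
    'Event Type: Warning Event Source: ESE Event Category: Performance Event ID: 508 '
    'Date: 23/11/2005 Time: 14:06:16 User: N/A Computer: COULTER-MAIN Description: '
    'Information Store (3196) First Storage Group: A request to write to the file '
    '"D:\\exchsrvr\\mdbdata\\E00tmp.log" at offset 0 (0x0000000000000000) for 1048576 '
    '(0x00100000) bytes succeeded, but took an abnormally long time (244 seconds) to '
    'be serviced by the OS.',
    'Event Type: Warning Event Source: ESENT Event Category: Performance Event ID: 508 '
    'Date: 23/11/2005 Time: 14:06:15 User: N/A Computer: COULTER-MAIN Description: '
    'wins (1656) A request to write to the file "C:\\WINDOWS\\system32\\wins\\j50.log" '
    'at offset 389632 (0x000000000005f200) for 512 (0x00000200) bytes succeeded, but '
    'took an abnormally long time (60 seconds) to be serviced by the OS.',
    'Event Type: Warning Event Source: ESENT Event Category: Performance Event ID: 508 '
    'Date: 23/11/2005 Time: 14:06:15 User: N/A Computer: COULTER-MAIN Description: '
    'tcpsvcs (2064) A request to write to the file "C:\\WINDOWS\\System32\\dhcp\\j50.log" '
    'at offset 15360 (0x0000000000003c00) for 512 (0x00000200) bytes succeeded, but '
    'took an abnormally long time (60 seconds) to be serviced by the OS.',
]

# Field layout of a flattened Event Viewer entry for an ESE/ESENT 508 warning.
# The process name is whatever precedes the "(pid)" in the Description.
EVENT_RE = re.compile(
    r'Event Source: (?P<source>\w+) .*?Event ID: (?P<event_id>\d+) '
    r'Date: (?P<date>\S+) Time: (?P<time>\S+) .*?Computer: (?P<computer>\S+) '
    r'Description: (?P<process>.+?) \((?P<pid>\d+)\).*?'
    r'to the file "(?P<path>[^"]+)".*?for (?P<nbytes>\d+) \(.*?\) bytes.*?'
    r'\((?P<latency>\d+) seconds\)'
)

# Assumption: the server's locale writes dates day-first, as the post's 23/11/2005 does.
DATE_FMT = "%d/%m/%Y %H:%M:%S"


def parse_event(line):
    """Return a dict for one flattened 508 event line, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "source": d["source"],
        "event_id": int(d["event_id"]),
        "when": datetime.strptime(f'{d["date"]} {d["time"]}', DATE_FMT),
        "computer": d["computer"],
        "process": d["process"],
        "pid": int(d["pid"]),
        "path": d["path"],
        "nbytes": int(d["nbytes"]),
        "latency_s": int(d["latency"]),
    }


def slow_writes(lines, threshold_s=10):
    """Keep only Event ID 508 records whose write latency exceeds threshold_s."""
    events = (parse_event(line) for line in lines)
    return [e for e in events
            if e and e["event_id"] == 508 and e["latency_s"] > threshold_s]


def shared_cause_clusters(events, window=timedelta(seconds=5)):
    """Group events whose timestamps fall within `window` of the previous one.

    `window` is an assumed tuning value, not something the thread states."""
    clusters = []
    for ev in sorted(events, key=lambda e: e["when"]):
        if clusters and ev["when"] - clusters[-1][-1]["when"] <= window:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


def assess(cluster):
    """Summarise a cluster: several unrelated processes stalling together,
    on more than one volume, points at a shared I/O stall (disk, controller
    or driver) rather than at a problem confined to one service's files."""
    procs = sorted({e["process"] for e in cluster})
    volumes = sorted({e["path"][:2].upper() for e in cluster})
    worst = max(cluster, key=lambda e: e["latency_s"])
    if len(procs) >= 2:
        verdict = "shared I/O stall: several unrelated processes stalled together"
    else:
        verdict = "single-process stall: check that service's file and volume"
    return {"processes": procs, "volumes": volumes,
            "worst_latency_s": worst["latency_s"], "worst_path": worst["path"],
            "verdict": verdict}


if __name__ == "__main__":
    for cluster in shared_cause_clusters(slow_writes(SAMPLE_EVENTS)):
        print(assess(cluster))
```

On the thread's three events this yields one cluster spanning Information Store, wins and tcpsvcs across C: and D:, with the worst stall (244 s) on the Exchange transaction log, which is exactly why restoring the log files only bought a day: the corruption is a symptom of the stalled writes, and the security log's logon noise is a separate question from the disk.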





