Re: repeated failure of store - securty hack?
- From: John McCombe <JohnMcCombe@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Nov 2005 14:31:03 -0800
Thanks for your posts, they are helpful.
Latest update I have the same MO appearing on another server, not related to
or connected to the first one (I am the only common denominator, I visited
this new one the day after the first).
This server has been running ok for three years, it has been running ok 72
days since last rebot. I received email alerts regarding the store start
pending, this afternoon. Mail delivery had ceased. Security logs show
repeated logon logoff events, Store log files were corrupted.
lsass.exe process is taking up 35 - 50% processor activity. This is a 1
processor 2.8GHz system. (The first system is a 2X dual processor 2.8GHz and
shows no noticable change in processor activity, but for high disc activity)
I have antivirus software running at the webhost for email, and for each
workstation - not a free one. I have the MS firewall, and a hardware firewall
on the router.
I will remove the beta software, but why was it recommended on the Microsoft
security site?
Note that the situation occurred prior to the installation of the software.
Is it normal to have so many logon/logoff events and to have attempts to
change permissions? How can address this?
I am still not convinced that it is hardware - not on two different systems,
one after the other.
How can I monitor and restrict the logon activity? Note that this is not
user activity.
I understand that I may not be doing best practice, but what I need now is
a strategy to sort this out. I would appreciate more advice
John McCombe
"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
> You can always call Microsoft product support - Security and discuss the
> issues.
>
> Lanwench [MVP - Exchange] wrote:
> > In news:05004143-60D4-45E8-B0E4-7E2E874BDCDD@xxxxxxxxxxxxx,
> > John McCombe <JohnMcCombe@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
> >
> >>Hi
> >>
> >>I have a problem with a sbs 2003 server runnig fine since
> >>commissioning August 05. On last Monday morning 08:39 ther were 50+
> >>attempts to log in to the server from a (win98) client using the
> >>wrong password and the user was locked out.
> >
> >
> > Disable account lockout - it's a bad idea.
> >
> >
> >> I received an email
> >>warning. Then the users came in at 9:00 and advised me that noone
> >>could log in. I am remote from the server, and could not access it
> >>either.
> >>
> >>I recommended a soft re-boot, but unfortunately they could not do so,
> >>and powered off & on.
> >>
> >>At this stage, login was allowed, but email delivery was not working.
> >>I checked in the event logs and was told that stor could not stsrt as
> >>the exxx log file was corrupt
> >>
> >>Using the MS KB I restored the log files form backup and the store
> >>stsred ok - email traffic ok.
> >>
> >>This lasted about 28 hours, and the same symptoms occured - store not
> >>mounted emails received (by pop3) but not delivered.
> >>
> >>I went to visit the server - re-booted restored the log files all ok.
> >>I ran MS malicious software removel tool nothing found I ran MS
> >>antispyware tool nothing found. (it is now running in the background).
> >>
> >>I left site at 2pm will all messages tracked as delivered ok.
> >>
> >>At 2:06 the sam happened and email delivery went down
> >>
> >>I got the following events logged:
> >>
> >>
> >>Event Type: Warning
> >>Event Source: ESE
> >>Event Category: Performance
> >>Event ID: 508
> >>Date: 23/11/2005
> >>Time: 14:06:16
> >>User: N/A
> >>Computer: COULTER-MAIN
> >>Description:
> >>Information Store (3196) First Storage Group: A request to write to
> >>the file "D:\exchsrvr\mdbdata\E00tmp.log" at offset 0
> >>(0x0000000000000000) for 1048576 (0x00100000) bytes succeeded, but
> >>took an abnormally long time (244 seconds) to be serviced by the OS.
> >>This problem is likely due to faulty hardware. Please contact your
> >>hardware vendor for further assistance diagnosing the problem.
> >>
> >>For more information, click
> >>http://www.microsoft.com/contentredirect.asp.
> >>
> >>
> >>Event Type: Warning
> >>Event Source: ESENT
> >>Event Category: Performance
> >>Event ID: 508
> >>Date: 23/11/2005
> >>Time: 14:06:15
> >>User: N/A
> >>Computer: COULTER-MAIN
> >>Description:
> >>wins (1656) A request to write to the file
> >>"C:\WINDOWS\system32\wins\j50.log" at offset 389632
> >>(0x000000000005f200) for 512 (0x00000200) bytes succeeded, but took
> >>an abnormally long time (60 seconds) to be serviced by the OS. This
> >>problem is likely due to faulty hardware. Please contact your
> >>hardware vendor for further assistance diagnosing the problem.
> >>
> >>For more information, see Help and Support Center at
> >>http://go.microsoft.com/fwlink/events.asp.
> >>
> >>
> >>Event Type: Warning
> >>Event Source: ESENT
> >>Event Category: Performance
> >>Event ID: 508
> >>Date: 23/11/2005
> >>Time: 14:06:15
> >>User: N/A
> >>Computer: COULTER-MAIN
> >>Description:
> >>tcpsvcs (2064) A request to write to the file
> >>"C:\WINDOWS\System32\dhcp\j50.log" at offset 15360
> >>(0x0000000000003c00) for 512 (0x00000200) bytes succeeded, but took
> >>an abnormally long time (60 seconds) to be serviced by the OS. This
> >>problem is likely due to faulty hardware. Please contact your
> >>hardware vendor for further assistance diagnosing the problem.
> >>
> >>For more information, see Help and Support Center at
> >>http://go.microsoft.com/fwlink/events.asp.
> >>
> >>when I checked the counters it doe show dics idle time low and
> >>transfer rate low, which suggests hardware - but considering recent
> >>events (and the fact that the driv is new) I am not sure.t
> >
> >
> > Well, I'd be inclined to believe it. What's your disk setup? Hardware RAID
> > is the best. Got good backups? Take a full backup now.
> >
> >
> >
> >>Also, on checing the security logs I get repeated logon/logoff evemnt
> >>
> >
> > <snip>
> >
> >>I have successfully restored the store again;but for how long?
> >>
> >>I am thinking rootkit trojan - I have not come across one before and
> >>do not want to!
> >>
> >
> >
> >
> >>Please help, I am getting overwhelmed here!
> >
> >
> > You need good antivirus software running on your whole network. Do you have
> > a separate 'edge' firewall in place or are you using ISA?
> > Don't run beta software on your server. And spyware is unlikely to be on it
> > unless someone's using it as a workstation, which they shouldn't be. I think
> > you have hardware problems, myself.
> >
> >
> >>Many thanks
> >>
> >>John
> >
> >
> >
>
.
- Follow-Ups:
- Re: repeated failure of store - securty hack?
- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- Re: repeated failure of store - securty hack?
- References:
- repeated failure of store - securty hack?
- From: John McCombe
- Re: repeated failure of store - securty hack?
- From: Lanwench [MVP - Exchange]
- Re: repeated failure of store - securty hack?
- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- repeated failure of store - securty hack?
- Prev by Date: Re: Using SBS2003 with a branch office server
- Next by Date: Re: Extending boot partitions
- Previous by thread: Re: repeated failure of store - securty hack?
- Next by thread: Re: repeated failure of store - securty hack?
- Index(es):
Relevant Pages
|
