Re: Exchange won't start, problems with the event viewer



Hi Susan, and thank you for your answer.

Port 21 was open and MS FTP server was running (for suppliers). This was
working fine too. The trojan was running an FTP server (SERV-U) on the same
port which allowed us to find it out!

I'm (almost) sure it's clean because all processes used before are now
deleted and all "fake services" it created have been disabled. By the way,
nothing is harming anymore (FTP is running, bandwidth is normal, no weird
processes running etc.) I've also run a complete scan with the installed AV
(F-Secure).

Exchange depends on the Event Log, that is true. It seems to have some weird
behaviors. That could be the clue indeed. Is there any way to reinstall or
repair the Event Viewer?

What about the disabled dependencies? Would you have a clue for this?

Thanks again,

Ambroise


"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:ezaH4n8yGHA.4796@xxxxxxxxxxxxxxxxxxxxxxx
Port 21 isn't open unless you choose to open it up. What kind of firewall
do you have?

Look for those event codes and filter on those... also are you sure you
can trust this server anymore?

What have you done to truly assure yourself that it has been cleaned
completely from the impact of this?

The Exchange depends on the Event log and if it is horked up .... that
could be a reason as well.

First let's step back a bit to ensure that this box has been cleaned.. as
once it's been hacked..truly the only way to clean it up is via flattening
and reinstalling to get it back to a trusted condition.

Ambroise Nève wrote:
Hi Everybody,

New problem of the day :-)

The server of one of my customers was hacked (I presume because we forgot to
setup SP4 for SQL Server -- the port was open to the outside world for
business purposes!). Anyways, the threat has been stopped (kind of trojan
that setup a SERV-U FTP server on port 21 which was also open!).
Everything was cleaned up one week ago and the server seemed to live
again... but, today: new problems!

Problem 1: Event Viewer going crazy! (since the trojan)
One of the problems, the oldest, is that the Event Viewer does not seem
to be updated with some events (e. g. when I get an error message on the
console which usually leads to an error event, there is none in the Event
Viewer) and also sends us regularly two alerts (from the Monitoring and
Reporting stuff of SBS) that have nothing realistic (backup error and
account lockout error when no backup is running and no account has been
locked!)

Problem 2: Exchange services not starting (getting critical... -- since
today!)
Suddenly, since today, the Exchange Services are not starting anymore. I
get the following error warning messages:
"Could not start the Microsoft Exchange System Attendant service on Local
Computer. Error 1075: The dependency service does not exist or has been
marked for deletion."
"Could not start the Microsoft Exchange Information Store service on
Local Computer. Error 1068: The dependency service or group failed to
start."
(all services use "Local System Account" to Log On)

Problem 3: Dependencies are disabled! (severely embarrassed! -- since
today!)
The warning messages above are fine... but when I try to get to the
service's properties > dependencies, both the "This service depends on
the following system components" and "The following system components
depend on this service" boxes are disabled and contain an information
balloon "<No dependencies>" (also disabled).

There I am: Event Viewer going crazy, Exchange not starting and
Dependencies disabled. Is anyone having an idea of something to try
before calling PSS? If anybody has experience with PSS: can they solve
this kind of case?

Thanks for your help folks,

Ambroise Nève -- Small Business Specialist (doh!)

Note: I might have an excellent Belgian chocolate reward for useful help
:-))))))))))
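
Added example, not part of the original thread: Error 1075 is returned when a service named in another service's dependency list no longer exists or is marked for deletion, so one way to locate the broken link while the Services console shows no dependencies is to read the dependency lists straight from the registry. The sketch below assumes PowerShell 2.0 or later is installed on the server and that the Exchange services use the short names MSExchangeSA (System Attendant) and MSExchangeIS (Information Store); the function name is hypothetical.

```powershell
# Added example: walk the DependOnService chain of a service and flag
# dependencies that are missing, disabled, or marked for deletion.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-ServiceDependency {   # hypothetical helper name
    param(
        [string]$Name,
        [hashtable]$Seen = @{},     # services already visited (guards against loops)
        [int]$Depth = 0
    )
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true

    $key    = Join-Path $ServicesKey $Name
    $status = 'OK'
    $deps   = @()

    if (-not (Test-Path $key)) {
        # A dependency with no registry key is what produces Error 1075.
        $status = 'MISSING (no service key)'
    } else {
        $props = Get-ItemProperty -Path $key
        if ($props.DeleteFlag -eq 1) { $status = 'MARKED FOR DELETION' }
        elseif ($props.Start -eq 4)  { $status = 'DISABLED (Start=4)' }
        # DependOnService is a REG_MULTI_SZ list of service short names.
        if ($props.DependOnService)  { $deps = @($props.DependOnService) }
    }

    New-Object PSObject -Property @{
        Depth = $Depth; Service = $Name; Status = $status
    }

    foreach ($d in $deps) {
        if ($d) { Test-ServiceDependency -Name $d -Seen $Seen -Depth ($Depth + 1) }
    }
}

# Assumed short names of the two services that fail to start in the thread.
foreach ($svc in 'MSExchangeSA', 'MSExchangeIS') {
    Test-ServiceDependency -Name $svc |
        Format-Table Depth, Service, Status -AutoSize
}
```

Any row whose status is not OK is a candidate for the 1075/1068 failures; a disabled dependency deeper in the chain surfaces as Error 1068 on the services above it.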



