Re: Exchange won't start, problems with the event viewer



"Almost" wouldn't cut it in my State.

This needs a good PSS Security review IMHO.

I'm still not ready to trust this box and nasty stuff loves to mess up event logs.

Call PSS and ask for a Security review on this box.

Ambroise Nève wrote:
Hi Susan, and thank you for your answer.

Port 21 was open and MS FTP server was running (for suppliers). This was working fine too. The trojan was running an FTP server (SERV-U) on the same port which allowed us to find it out!

I'm (almost) sure it's clean because all processes used before are now deleted and all "fake services" it created have been disabled. By the way, nothing is harming anymore (FTP is running, bandwidth is normal, no weird processes running etc.) I've also run a complete scan with the installed AV (F-Secure).

Exchange depends on the Event Log, that is true. It seems to have some weird behaviors. That could be the clue indeed. Is there any way to reinstall or repair the Event Viewer?

What about the disabled dependencies? Would you have a clue for this?

Thanks again,

Ambroise


"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> wrote in message news:ezaH4n8yGHA.4796@xxxxxxxxxxxxxxxxxxxxxxx
Port 21 isn't open unless you choose to open it up. What kind of firewall do you have?

Look for those event codes and filter on those... also are you sure you can trust this server anymore?

What have you done to truly assure yourself that it has been cleaned completely from the impact of this?

The Exchange depends on the Event log and if it is horked up .... that could be a reason as well.

First let's step back a bit to ensure that this box has been cleaned.. as once it's been hacked..truly the only way to clean it up is via flattening and reinstalling to get it back to a trusted condition.

Ambroise Nève wrote:
Hi Everybody,

New problem of the day :-)

One of my customers' servers was hacked (I presume because we forgot to set up SP4 for SQL Server -- the port was open to the outside world for business purposes!). Anyways, the threat has been stopped (kind of trojan that set up a SERV-U FTP server on port 21 which was also open!). Everything was cleaned up one week ago and the server seemed to live again... but, today: new problems!

Problem 1: Event Viewer going crazy! (since the trojan)
One of the problems, the oldest, is that the Event Viewer does not seem to be updated with some events (e. g. when I get an error message on the console which usually leads to an error event, there is none in the Event Viewer) and also sends us regularly two alerts (from the Monitoring and Reporting stuff of SBS) that have nothing realistic (backup error and account lockout error when no backup is running and no account has been locked!)

Problem 2: Exchange services not starting (getting critical... -- since today!)
Suddenly, since today, the Exchange Services are not starting anymore. I get the following error warning messages:
"Could not start the Microsoft Exchange System Attendant service on Local Computer. Error 1075: The dependency service does not exist or has been marked for deletion."
"Could not start the Microsoft Exchange Information Store service on Local Computer. Error 1068: The dependency service or group failed to start."
(all services use "Local System Account" to Log On)

Problem 3: Dependencies are disabled! (severely embarrassed! -- since today!)
The warning messages above are fine... but when I try to get to the service's properties > dependencies, both the "This service depends on the following system components" and "The following system components depend on this service" boxes are disabled and contain an information balloon "<No dependencies>" (also disabled).

There I am: Event Viewer going crazy, Exchange not starting and Dependencies disabled. Is anyone having an idea of something to try before calling PSS? If anybody has experience with PSS: can they solve this kind of case?

Thanks for your help folks,

Ambroise Nève -- Small Business Specialist (doh!)

Note: I might have excellent Belgian chocolate reward for useful help :-))))))))))
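
Added example, not part of the original thread: a PowerShell sketch that walks a service's dependency chain straight from the registry, which still works when the Services console shows "<No dependencies>", and flags entries that are missing, marked for deletion, or disabled. The short names MSExchangeSA and MSExchangeIS (System Attendant and Information Store) and the function name Get-DependencyState are assumptions of this example; PowerShell 3.0 or later is assumed.

```powershell
# Added example: explain errors 1075 / 1068 by reading service configuration
# from HKLM\SYSTEM\CurrentControlSet\Services instead of the Services console.
param(
    # Assumed short names for the two Exchange services named in the thread.
    [string[]]$ServiceName = @('MSExchangeSA', 'MSExchangeIS')
)

$root      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DependencyState {
    param([string]$Name, [int]$Depth = 0, [hashtable]$Seen = @{})

    # Guard against circular dependencies and repeated output.
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true

    $key = Join-Path $root $Name
    if (-not (Test-Path $key)) {
        # A dependency with no service key is what error 1075 reports.
        [pscustomobject]@{ Depth = $Depth; Service = $Name; State = 'MISSING'; ImagePath = $null }
        return
    }

    $cfg = Get-ItemProperty -Path $key
    $state =
        if ($cfg.DeleteFlag)          { 'MARKED FOR DELETION' }   # also error 1075
        elseif ($null -eq $cfg.Start) { 'NO START VALUE' }
        elseif ($cfg.Start -eq 4)     { 'DISABLED' }              # dependents then fail with 1068
        else                          { $startType[[int]$cfg.Start] }

    # ImagePath is shown so each binary can be compared with a known-good server.
    [pscustomobject]@{ Depth = $Depth; Service = $Name; State = $state; ImagePath = $cfg.ImagePath }

    # DependOnService is a multi-string value listing the services this one needs.
    foreach ($dep in @($cfg.DependOnService)) {
        if ($dep) { Get-DependencyState -Name $dep -Depth ($Depth + 1) -Seen $Seen }
    }
}

foreach ($svc in $ServiceName) {
    "=== $svc ==="
    Get-DependencyState -Name $svc | Format-Table -AutoSize -Wrap
}
```

Compare the output with the same listing from a clean server of the same build: a row in upper case or an unexpected ImagePath shows where the dependency chain was altered.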



