
Fix Hacked Exchange 5.5 Server

Status
Not open for further replies.

Chris1701

MIS
Dec 27, 2004
33
US
I’ve been fighting a non-stop virus / worm / trojan attack for the better part of a month, and even though our anti-virus software is the latest and up to date I’m still having some problems with this garbage bypassing the real time protection and managing to run on various machines.

One of the things I discovered going over all the machines and logs is that it appears that at some point our Exchange 5.5 server was compromised by some type of backdoor NT hack and that some changes were made to the system before I managed to remove the backdoor program. I’m now trying to undo what was done to it and I’m having a couple problems that I can’t seem to find the answer to.

First off almost all of the systems services no longer appear in the services applet in the control panel, the ArcServe services appear along with Computer Browser and Content Index and that’s it. Using a command prompt I can still see them, stop and start them but it’s a real problem that they don’t appear in the services applet. (See next problem)

Second, while it was compromised I’m almost positive that some changes were made to the system security, although I’m not sure exactly what was done. (I’m wondering if that may be what the problem is with the services applet) I have a suspicion that my administrator password may have somehow been stolen, so I changed the password in the domain for administrator. Now it appears that during the daily late night backup where ArcServe stops the Exchange Server long enough to back up everything when it ran the batch file to start the Exchange Services again those services wouldn’t start and I get a login failure error message. I found a couple references to similar problems on MS’s site but they refer to the Small Business Server and to changing the Exchange Server 5.5 service account. Neither of the fixes seems to be applicable to this problem, this is just a standard NT 4 server running Exchange 5.5. I briefly changed the password back and was able to start the Exchange services, after which I changed the password again but when the server stops for the backup tonight it won’t be able to start again.

I’ve considered backing up, formatting and reinstalling the system but the problem there is that I’m not the consultant who originally installed this (that company is out of business and I have no way to locate anyone from there) and while I’ve been able to locate the NT 4 server CD’s I don’t think that the original installer gave these guys their Exchange Server CD’s and I don’t have access to those from any other source so I need to try to fix the existing system without a reinstall. Does anyone have an idea how to go about fixing this?
 
First of all, reboot the system to see if things come back the way they should.

You can subsequently

1) Apply the latest service patch for NT4 (sp6a) and postsp6a fixes.
2) Apply latest service patch for Exchange SP4 and postSP4 fixes.

If you still don't see any of the services, try a reinstall of NT4 server, and of course if need to, reinstall Exchange 5.5 server.

If all else fails, tear it down and reinstall.
 
Each service that is set to start automatically was set up with the admin account name and password. Now that you have changed the password, these services cannot start automatically and you have to manually type the password in. Once you fix your "missing services" problem, you should be able to change the passwords on those services.

To check for the presence of trojans, look in \winnt\system32 folder, arrange by date and look for recent .exe files with unusual random looking filenames. These are almost always trojans. I kept getting them on our mailserver daily, an old one called defragfat32 was running on startup allowing more of the most recent trojans to be dropped.

Also run regedit and check the following to see if any of those exes are loading at startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

If you find any, delete those individual named exes on the right hand side. You may want to export your registry first just as a backup so you can re-import if you delete something you shouldn't have.

You can check to see what sites your exchange server is connected to by doing the following in DOS:-
netstat -an > netlog.txt
edit netlog.txt

This will give you a list of IP addresses your server's IP address is connected to and also each source and destination port. I noticed on ours, there were a lot of persistent connections to other sites, not using the mail port 25. I configured our firewall with the following rules for external email:
allow anything out from exchange server to internet
allow in any port from the internet to port 25
allow in port 25 from the internet to any port
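The netstat check above is easier to act on if the saved netlog.txt is filtered rather than read by eye. The following is an added example, not code from the thread or from any of its posters: a small Python script that parses the output of netstat -an, keeps only established TCP sessions where neither end is port 25, and counts them per remote host. The embedded capture is constructed for illustration (addresses from the documentation ranges, and the hypothetical local address 192.0.2.10 standing in for the Exchange server); the function names are the example's own.

```python
"""Triage a saved `netstat -an` capture from a mail server for non-SMTP sessions."""
import re
import sys
from collections import Counter

MAIL_PORT = 25  # the only port this host should legitimately be talking on

# Constructed sample of what `netstat -an > netlog.txt` produces; the addresses
# are hypothetical (RFC 5737 documentation ranges), not from the original thread.
SAMPLE_NETLOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:4412      ESTABLISHED
  TCP    192.0.2.10:1039        203.0.113.9:25         ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.55:6667      ESTABLISHED
  TCP    192.0.2.10:1051        203.0.113.55:6667      ESTABLISHED
  TCP    192.0.2.10:1060        198.51.100.200:4444    ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

# One connection line: protocol, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local": laddr, "lport": int(lport),
            "foreign": faddr, "fport": fport if fport == "*" else int(fport),
            "state": state,
        })
    return rows


def suspicious_connections(rows, mail_port=MAIL_PORT):
    """Established TCP sessions where neither end is the mail port.

    On a box whose only internet-facing job is SMTP, every entry returned
    here is worth explaining: inbound mail shows local port 25, outbound
    mail shows foreign port 25, and anything else is not mail traffic.
    """
    return [
        r for r in rows
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
        and r["lport"] != mail_port and r["fport"] != mail_port
    ]


def peers_by_count(rows):
    """Count suspicious sessions per remote host, most-connected first."""
    return Counter(r["foreign"] for r in rows).most_common()


def triage(text):
    """Full pipeline: capture text -> list of (remote host, session count)."""
    return peers_by_count(suspicious_connections(parse_netstat(text)))


if __name__ == "__main__":
    # Usage: python netlog_triage.py netlog.txt   (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETLOG
    for host, count in triage(data):
        print(f"{host:<18} {count} non-SMTP session(s)")
```

Run it against the real netlog.txt and compare the hosts it lists with what the firewall log shows for the same period; a remote host that keeps reappearing on an odd port across several captures is the one to look into first. The script only reads the saved capture, so it can be run on a clean workstation rather than on the suspect server.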

 
Chris,
If the server has been compromised, then you really have no other choice but to reformat and reload. That's the only way you'll ever have peace of mind and know that any future issues are not a result of some trojan. Getting a CD is not a problem if you have a legit license. Just call any Microsoft certified software reseller and they can sell you a fulfillment CD for $25. The easiest method, if you have another server available, is the one detailed in Microsoft Knowledge Base article Q155216 about migrating the public and private stores over to a new server with the same name.

Hope this helps.

ImWoody


 
