Exchange 2000 server!
How do you tell if you have been hacked and set up as a relay for a spammer?
Here is the problem.
Starting Thursday afternoon, 8-28-03, our server started getting real slow.
Memory was maxed and processors were running at 60-85% constantly.
In event viewer under applications we are getting errors at the rate of 938 every 15 sec. There are 5 different errors and they repeat randomly. An example is:
The file document_all.pif is infected with '_'. Detected with scann engine4.1.60 DAT version 4.1.4287.(from WIS-Exchange Serial# 0000068a 0000b644 78b4a383 ip 10.1.100.5 user SYSTEM running groupshied 5.20.664.0 AVExch32)
The only difference in the 5 errors is the file name.
All 5 errors point to the W32Sobig.f. I have all patches in place, the virus protection is up to date, I have done an on-demand scan, and I have manually searched for the files Sobig leaves behind.
The server is clean.
Can someone be using us for a relay, or could this be a DNS attack?
Thank You!