2 part Exchange 5.5 issue

From: NOBI (NOBI_at_discussions.microsoft.com)
Date: 08/11/04


Date: Wed, 11 Aug 2004 09:43:09 -0700

This is a whopper of an issue. Two parts. Sorry so big but I wanted to
include as much info as I possibly could. Here goes...

1) While reviewing my event log monitor the other day I came across some
odd entries from my mail server. Following is an example of one. We have
no account named GENERAL.
************************************************************

Event ID : 681
Event Importance : High importance event
Date & Time : 8/6/2004 - 6:48:28 AM
Rule Triggered : Logon to account failure - 681 - Outside NOT - High -
Win2k/Win2003 DC
Computer : ***-DC2
Event Log : Security
Event Source : Security
Event Category : Account Logon
Event Type : Failure Audit
S.E.L.M. Event ID : 1091537734_000000000277595
User Name : NT AUTHORITY\SYSTEM
Operating System : Windows 2000 Domain Controller

The logon to account: general
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ***-MAIL
failed. The error code was: 3221225572
More Information:

************************************************************
I have also found the same error looking for accounts such as abc, abc1,
asdfg, asdfghjkl, web1, etc... These all take place after normal hours of
operation.

(I also notice quite a few of these for actual user accounts every night. Is
this Kerberos related? How can I tell?)

2) When I went to check my Exchange 5.5 server I was confronted with the
following two messages from my virus detection software:
************************************************************

The JScript/Suzzer.Downloader.Trojan was detected in C:\EXCHSVR\IMCDATA\IN\
Machine: ***-Mail, User: ***\Administrator
File Status: Cured

The HTML/ObjectDataHTA.Trojan was detected in C:\EXCHSVR\...\Q13VY1CG
Machine: ***-MAIL, User: ***\Administrator
File Status: Cure Failed, File renamed.

************************************************************
I found the Q13VY1CG file and deleted it. Have had no more messages today.
NOW... Here are my questions. Could these two issues be related?
Has my mail server been compromised?
What steps do I take now?

Thanks for any help.
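Added example (not part of the original post): event 681 on a Windows 2000 domain controller records a logon that failed through the MSV1_0 package named in the entry (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, the NTLM path; Kerberos failures are logged as 675/676 instead), and the "error code" is an NTSTATUS value written in decimal. 3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, which is why the names in the post do not match any account. The script below parses entries in the block layout the poster's monitor produces, decodes the status code, and counts per source workstation how many failures named a non-existent account and how many fell outside business hours, so repeated guessing from one host stands out. The sample log, the 08:00-18:00 business-hours window and the threshold of three are constructed assumptions; the NTSTATUS names are the documented Windows constants.

```python
import re
from collections import defaultdict
from datetime import datetime

# Documented Windows NTSTATUS constants that appear (in decimal) in event 681.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",        # 3221225572: account does not exist
    0xC000006A: "STATUS_WRONG_PASSWORD",      # 3221225578
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 local time; adjust to the site

# Constructed sample in the monitor's layout: the "general" block mirrors the
# quoted entry, the others are made up to exercise the logic.
SAMPLE_LOG = """\
************************************************************
Event ID : 681
Date & Time : 8/6/2004 - 6:48:28 AM
The logon to account: general
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ***-MAIL
failed. The error code was: 3221225572
************************************************************
Event ID : 681
Date & Time : 8/6/2004 - 2:13:05 AM
The logon to account: abc1
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ***-MAIL
failed. The error code was: 3221225572
************************************************************
Event ID : 681
Date & Time : 8/6/2004 - 3:05:41 AM
The logon to account: asdfg
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ***-MAIL
failed. The error code was: 3221225572
************************************************************
Event ID : 681
Date & Time : 8/6/2004 - 9:15:02 AM
The logon to account: jsmith
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: WS07
failed. The error code was: 3221225578
************************************************************
"""

FIELD_PATTERNS = {
    "time": re.compile(r"^Date & Time\s*:\s*(.+?)\s*$", re.M),
    "account": re.compile(r"^The logon to account:\s*(\S+)", re.M),
    "package": re.compile(r"^by:\s*(\S+)", re.M),
    "workstation": re.compile(r"^from workstation:\s*(\S+)", re.M),
    "code": re.compile(r"error code was:\s*(\d+)", re.M),
}


def parse_entries(text):
    """Split the monitor's text on its asterisk separators and extract 681 fields."""
    entries = []
    for block in re.split(r"^\*{10,}$", text, flags=re.M):
        if not re.search(r"^Event ID\s*:\s*681\s*$", block, re.M):
            continue
        found = {name: pat.search(block) for name, pat in FIELD_PATTERNS.items()}
        if not all(found.values()):
            continue  # incomplete block: skip rather than guess at fields
        entries.append({
            "time": datetime.strptime(found["time"].group(1), "%m/%d/%Y - %I:%M:%S %p"),
            "account": found["account"].group(1).lower(),
            "package": found["package"].group(1),
            "workstation": found["workstation"].group(1).upper(),
            "code": int(found["code"].group(1)),
        })
    return entries


def decode_error_code(code):
    """Map the decimal error code from event 681 to its NTSTATUS name."""
    return NTSTATUS_NAMES.get(code, "UNKNOWN_NTSTATUS_0x%08X" % code)


def is_after_hours(when, hours=BUSINESS_HOURS):
    return not (hours[0] <= when.hour < hours[1])


def summarize_by_workstation(entries):
    """Per source host: non-existent-account failures, after-hours failures, names tried."""
    summary = defaultdict(lambda: {"no_such_user": 0, "after_hours": 0, "accounts": set()})
    for e in entries:
        s = summary[e["workstation"]]
        if e["code"] == 0xC0000064:
            s["no_such_user"] += 1
        if is_after_hours(e["time"]):
            s["after_hours"] += 1
        s["accounts"].add(e["account"])
    return dict(summary)


def flag_guessing_sources(entries, threshold=3):
    """Hosts with at least `threshold` NO_SUCH_USER failures: repeated attempts
    against names that do not exist are guessing, not mistyped passwords."""
    summary = summarize_by_workstation(entries)
    return sorted(ws for ws, s in summary.items() if s["no_such_user"] >= threshold)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(e["time"], e["workstation"], e["account"], decode_error_code(e["code"]))
    print("suspicious sources:", flag_guessing_sources(parsed))
```

Because the source workstation in the post is the Exchange server itself, a hit on that host narrows the next step to the mail server: which process on it is authenticating to the DC under these names, and whether that activity started at the same time as the quarantined files in the IMC directories.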
