Windows 2000 Server thinks all ports are in use


TJ
Hi,

Last week, my Windows 2000 server was hacked. Initially,
the only damage I could see was an FTP and IRC server
being installed. I removed these within a few hours of
when they were installed (I was out when it actually
happened). After I removed the programs, I decided to add
some extra security by placing the Win2K server behind a
Linux machine that would only forward ports 80, 25, 110,
and 53 to the Win2K server, and block all else. I also
took the Win2K server off of the public IP and put it on a
new private IP.

After I had worked out some of the bugs on the client side
of this new setup, I thought all was well. The next day,
when I came into work, people were complaining about slow
email response. A quick look at the server revealed the
problem. The hacker had also changed my routing settings
in Exchange (5.5). He had managed to relay 10,000 emails
off of my server.

So I put the routing settings back to normal and thought
it was all working; that's where my new problem comes in.

NAV for MS Exchange would not start. I put it into debug
mode, and checked the log that it created. Apparently, the
problem (or at least one of them) was that the port for
web administration (8080) was being used. Now, I knew that
I didn't have anything on that port, and "netstat -a"
confirmed this. I then tried some other software. Every
program that tried to open a port on the server said the
port was in use, no matter what port it was. However, a
simple check with telnet shows nothing listening on the
port. The only things that do work properly are my
Microsoft services (IIS, Exchange, DNS, DHCP, WINS).

Why does my Windows 2000 server think all of its ports
are being used, when everything else says no?

Any help would be appreciated. I am currently running
Exchange without NAVMSE, and with all the recent email
viruses, I want to get it back up as soon as possible.
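The symptom in the post (every bind fails, yet netstat and telnet show nothing on the port) can be checked directly rather than trusted from one application's log. The script below is an added example, not code from TJ's post or any reply in the thread: it attempts a TCP bind on each port from its own process, parses the LISTENING table from `netstat -an` (Windows column layout assumed), and reports ports that refuse a bind but have no visible listener. The netstat text it parses is a constructed sample, not output from the affected server; on the real box you would feed it the actual `netstat -an` output. A port that refuses a bind with nothing listed for it is the discrepancy TJ describes, and is better treated as evidence of a hooked or hidden socket layer than as a configuration bug.

```python
# Added example (not from the original post): cross-check "port in use"
# bind failures against netstat's LISTENING table.
import errno
import socket

# Error codes meaning "address already in use": POSIX EADDRINUSE and the
# Winsock value (WSAEADDRINUSE = 10048) that Python reports on Windows.
IN_USE_ERRNOS = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)}


def probe_bind(ports, host="127.0.0.1"):
    """Attempt a TCP bind+listen on each port from this process.

    Returns {port: "ok" | "in-use" | "error:<errno>"}.  Port 0 asks the
    stack for an ephemeral port and is a sanity check that binding works
    at all; if even that fails, the socket layer itself is broken.
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            sock.listen(1)
            results[port] = "ok"
        except OSError as exc:
            results[port] = "in-use" if exc.errno in IN_USE_ERRNOS else "error:%s" % exc.errno
        finally:
            sock.close()
    return results


def listening_ports(netstat_text):
    """Parse 'netstat -an' output in the Windows column layout
    (Proto, Local Address, Foreign Address, State) and return the set of
    local TCP ports in LISTENING state.  UDP and header lines are skipped."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def discrepancies(bind_results, listening):
    """Ports that refused a bind but have no LISTENING entry in netstat."""
    return sorted(p for p, r in bind_results.items() if r == "in-use" and p not in listening)


def hold_port(host="127.0.0.1"):
    """Open a real listener on an ephemeral port so probe_bind has a
    genuine 'in-use' result to compare against; returns (socket, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


# Constructed sample of Windows 'netstat -an' output mirroring the services
# the post lists (SMTP, DNS, HTTP, POP3); not captured from the affected server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    10.1.1.5:25            10.1.1.20:1043         ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""


def demo():
    """Run the check against the constructed sample.  The held port refuses a
    bind but is absent from the sample, so it is reported as a discrepancy;
    8080 is included because it is the port NAVMSE complained about."""
    held, port = hold_port()
    try:
        results = probe_bind([port, 0, 8080])
    finally:
        held.close()
    return discrepancies(results, listening_ports(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for port in demo():
        print("port %d refuses bind but has no visible listener" % port)
```

On a healthy host the only port `demo()` reports is the one it deliberately holds itself. On a host behaving as described in the post, every probed port would come back "in-use" while `netstat -an` lists only the Microsoft services, which is exactly the mismatch to write down before deciding between cleanup and rebuild.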


Marina Roos [SBS-MVP]
You better format and reinstall that server. There is no way of telling
what that hacker might have left.

--
Regards,

Marina
Microsoft SBS-MVP

"TJ" wrote in message
news:655301c3e685$886eafa0$a101280a@phx.gbl...



TJ
Yeah, that looks like what I am going to have to do. I am pretty sure there is a virus or a back door installed on it.

I will probably use the restore disks, then use the backup I made after I set the server up to get it set up quickly.

But if anyone can think of what the virus may be, please post. It would save a lot of time if I could repair the damage and not have to rebuild the whole system.