ctsolutionsbiz
IS-IT--Management
A new client is having some trouble with their previous tech still messing with their system. We found entries in several of the lmhosts files on their workstations that point to his company's domain (two of his servers and two entries for his domain). Then we noticed that their email address appears (in messages they send to us, the reply-to as well as the address of anyone they cc in-house) not as sender@company.com but sender@[xxx.xxx.xxx.xxx], where the x's are the previous tech's IP address (right in between the two IPs which the lmhosts files indicate are on his domain). The emails appeared to go through OK, for the most part.
We imaged the drive and then changed the setting in Exchange (maybe 3 weeks ago), and we have since installed a new server running Server and Exchange 2003, taking the old one offline.
Today I noticed that the WINS database includes active entries for a workstation used by someone who is known to be closely linked to this tech, with resource types 87h and 6Ah. According to MS, these indicate Microsoft Exchange MTA and Microsoft Exchange IMC. I do not see similar entries for our actual Exchange server.
Are these entries likely to be related to the email hijacking that was going on before, or a sign of some new trouble, or is there an innocent explanation? Any ideas about what the heck could be going on here? In case it's not clear, this 'rogue element' potentially has access to the network from inside the firewall: not at the main office with the server, but at a VPN-connected branch office.
Any input would be appreciated - I've never run into anything like this before and I want to make sure that I'm not missing something important.
Thanks!
Suzy G
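The two checks the post describes by hand (lmhosts files that preload a foreign domain, and NetBIOS names registering the Exchange MTA 87h / IMC 6Ah suffixes from a host that is not the Exchange server) can be scripted so they are repeatable across every workstation and WINS dump. The following is an added example, not code from the poster or the thread; the lmhosts content, the nbtstat-style name table, and the names ROGUEDOM, CLIENTDOM, BRANCHWS07 and EXCH01 are constructed for illustration and are not the poster's real data. The suffix meanings (00h workstation, 1Ch domain controllers, 87h Exchange MTA, 6Ah Exchange IMC, and so on) are Microsoft's published NetBIOS suffix list.

```python
"""Audit LMHOSTS entries and a NetBIOS name table for rogue domain and Exchange registrations.
Added example; sample inputs below are constructed, not the original poster's files."""
import ipaddress
import re

# NetBIOS 16th-byte suffixes from Microsoft's published list (only the ones this audit reports on).
NETBIOS_SUFFIX = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x20: "File Server Service",
    0x6A: "Microsoft Exchange IMC",
    0x87: "Microsoft Exchange MTA",
}
EXCHANGE_SUFFIXES = {0x6A, 0x87}


def parse_lmhosts(text):
    """Return one dict per IP/name mapping: ip, NetBIOS name, #PRE flag and #DOM: domain.
    In LMHOSTS a '#' starts a comment unless it is a documented keyword such as #PRE or #DOM:."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, comment, or a directive line such as #INCLUDE
        tokens = line.split()
        if len(tokens) < 2:
            continue
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # not an address mapping
        entry = {"ip": ip, "name": tokens[1].upper(), "pre": False, "dom": None}
        for tok in tokens[2:]:
            if tok.upper() == "#PRE":
                entry["pre"] = True
            elif tok.upper().startswith("#DOM:"):
                entry["dom"] = tok[5:].upper()
            elif tok.startswith("#"):
                break  # trailing comment
        entries.append(entry)
    return entries


def audit_lmhosts(entries, trusted_domains, trusted_nets):
    """Flag entries that preload a foreign domain or resolve to an address outside the expected networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for e in entries:
        reasons = []
        if e["dom"] and e["dom"] not in trusted_domains:
            reasons.append(f"#DOM:{e['dom']} is not a trusted domain")
        if not any(e["ip"] in n for n in nets):
            reasons.append(f"{e['ip']} is outside the trusted networks")
        if reasons:
            findings.append((e["name"], str(e["ip"]), reasons))
    return findings


# Matches the name rows of `nbtstat -n` / `nbtstat -A <ip>` output, e.g. "BRANCHWS07  <87>  UNIQUE  Registered".
NBT_LINE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.I)


def parse_name_table(text):
    """Parse a NetBIOS name table into (name, suffix, UNIQUE/GROUP, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = NBT_LINE.match(line)
        if m:
            rows.append((m.group(1).upper(), int(m.group(2), 16), m.group(3).upper(), m.group(4)))
    return rows


def audit_exchange_registrations(rows, known_exchange_servers):
    """Any host other than the real Exchange server registering 87h (MTA) or 6Ah (IMC) is suspicious."""
    return [
        (name, f"{suffix:02X}h", NETBIOS_SUFFIX[suffix])
        for name, suffix, _kind, status in rows
        if suffix in EXCHANGE_SUFFIXES and status.lower() == "registered"
        and name not in known_exchange_servers
    ]


# Constructed sample data (hypothetical names and addresses, not the poster's).
SAMPLE_LMHOSTS = """# constructed LMHOSTS sample
192.168.10.5   FILESERVER   #PRE
10.20.30.1     ROGUEDC1     #PRE  #DOM:ROGUEDOM
10.20.30.3     ROGUEDC2     #PRE  #DOM:ROGUEDOM
192.168.10.2   MAINDC       #PRE  #DOM:CLIENTDOM
"""
SAMPLE_NBTSTAT = """Node IpAddress: [192.168.20.17] Scope Id: []
       Name               Type         Status
    ---------------------------------------------
    BRANCHWS07     <00>  UNIQUE      Registered
    BRANCHWS07     <20>  UNIQUE      Registered
    BRANCHWS07     <87>  UNIQUE      Registered
    BRANCHWS07     <6A>  UNIQUE      Registered
"""

if __name__ == "__main__":
    for name, ip, reasons in audit_lmhosts(parse_lmhosts(SAMPLE_LMHOSTS), {"CLIENTDOM"}, ["192.168.10.0/24"]):
        print(f"LMHOSTS {name} -> {ip}: " + "; ".join(reasons))
    for name, suffix, meaning in audit_exchange_registrations(parse_name_table(SAMPLE_NBTSTAT), {"EXCH01"}):
        print(f"NetBIOS {name} registers <{suffix}> ({meaning})")
```

Run it against each workstation's %SystemRoot%\system32\drivers\etc\lmhosts and against `nbtstat -A <branch-ip>` output (or a WINS export reduced to the same name/suffix columns); a #DOM: entry for a domain the client never joined, or an 87h/6Ah registration from anything but the real Exchange server, is the kind of finding the post describes.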