Hijacked exchange mail problem

Status
Not open for further replies.

ctsolutionsbiz (IS-IT--Management), US
Oct 10, 2003
A new client is having some trouble with their previous tech still messing with their system. We found entries in several of the lmhosts files on their workstations that point to his company's domain (two of his servers and two entries for his domain). Then we noticed that their email address appears (in messages they send to us, in the Reply-To as well as the address of anyone they cc in-house) not as sender@company.com but as sender@[xxx.xxx.xxx.xxx], where the x's are the previous tech's IP address (right in between the two IPs which the lmhosts files indicate are on his domain). The emails appeared to go through OK, for the most part.
We imaged the drive and then changed the setting in Exchange (maybe 3 weeks ago), and we have since installed a new server running Server and Exchange 2003, taking the old one offline.
Today I noticed that the WINS database includes active entries for a workstation used by someone who is known to be closely linked to this tech, with resource types 87h and 6Ah. According to MS, these indicate Microsoft Exchange MTA and Microsoft Exchange IMC. I do not see similar entries for our actual Exchange server.

Are these entries likely to be related to the email hijacking that was going on before, or a sign of some new trouble, or is there an innocent explanation? Any ideas about what the heck could be going on here? In case it's not clear, this 'rogue element' potentially has access to the network from inside the firewall - not at the main office with the server, but at a VPN-connected branch office.

Any input would be appreciated - I've never run into anything like this before and I want to make sure that I'm not missing something important.

Thanks!

Suzy G
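Added example (not part of the thread, and not the poster's own tooling): the two symptoms described above, lmhosts entries that point at someone else's servers and outgoing mail addressed as user@[x.x.x.x], both come down to one question, does an IP that shows up in a workstation file or a mail header belong to our own network? The Python below answers it for both artefacts over constructed sample data. The trusted ranges (192.168.10.0/24 and 192.168.20.0/24), the NetBIOS domain name COMPANY, the host names, and the 203.0.113.x addresses standing in for the former tech's servers are all made up for the example.

```python
"""Flag lmhosts entries and mail addresses that point outside our own
address space.  Added example; networks, names and sample data are made up."""
import ipaddress
import re
from email import message_from_string

# Assumption: the client's address space and NetBIOS domain name.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24"),   # main office
                ipaddress.ip_network("192.168.20.0/24")]   # VPN branch
OUR_DOMAIN = "COMPANY"


def is_foreign(ip_text, trusted_nets=TRUSTED_NETS):
    """True if ip_text is a valid address that lies in none of trusted_nets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # not an address; nothing to judge
    return not any(ip in net for net in trusted_nets)


# lmhosts grammar (subset): "<ip> <name> [#PRE] [#DOM:<domain>]"; other text
# after '#' is a comment; "#INCLUDE <path>" loads a further lmhosts file,
# usually from a UNC share, so every include is reported for review.
LMHOSTS_ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)(.*)$")
LMHOSTS_INCLUDE = re.compile(r"^\s*#INCLUDE\s+(\S+)", re.IGNORECASE)
DOM_TAG = re.compile(r"#DOM:(\S+)", re.IGNORECASE)


def audit_lmhosts(text, trusted_nets=TRUSTED_NETS, our_domain=OUR_DOMAIN):
    """Return (line, kind, detail): names mapped to foreign IPs, #DOM: tags
    naming a domain other than ours, and every #INCLUDE directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        inc = LMHOSTS_INCLUDE.match(line)
        if inc:
            findings.append((lineno, "include", inc.group(1)))
            continue
        entry = LMHOSTS_ENTRY.match(line)
        if not entry:
            continue                      # blank line or plain comment
        ip, name, rest = entry.groups()
        if is_foreign(ip, trusted_nets):
            findings.append((lineno, "foreign-ip", f"{name} -> {ip}"))
        dom = DOM_TAG.search(rest)
        if dom and dom.group(1).upper() != our_domain.upper():
            findings.append((lineno, "foreign-domain", f"{name} #DOM:{dom.group(1)}"))
    return findings


# An address whose domain part is an IP literal, e.g. sender@[203.0.113.20].
ADDRESS_LITERAL = re.compile(r"([\w.+-]+@\[(\d{1,3}(?:\.\d{1,3}){3})\])")


def audit_headers(raw_message, trusted_nets=TRUSTED_NETS):
    """Return (header, address, ip) for From/Reply-To/To/Cc addresses whose
    domain part is an IP literal outside trusted_nets."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To", "To", "Cc"):
        for value in msg.get_all(header, []):
            for addr, ip in ADDRESS_LITERAL.findall(value):
                if is_foreign(ip, trusted_nets):
                    findings.append((header, addr, ip))
    return findings


# Constructed sample data; 203.0.113.0/24 stands in for the former tech's range.
SAMPLE_LMHOSTS = """\
# constructed lmhosts found on a workstation
192.168.10.5     FILESRV01     #PRE
203.0.113.18     OLDTECH-DC1   #PRE #DOM:OLDTECHNET
203.0.113.22     OLDTECH-DC2   #PRE
#INCLUDE \\\\OLDTECH-DC1\\public\\lmhosts
192.168.10.6     PRINTSRV
"""
SAMPLE_MESSAGE = (
    "From: Jane Sender <jsender@[203.0.113.20]>\n"
    "Reply-To: jsender@[203.0.113.20]\n"
    "To: consultant@example.net\n"
    "Cc: Bob Colleague <bob@[203.0.113.20]>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for finding in audit_lmhosts(SAMPLE_LMHOSTS):
        print("lmhosts line %d: %s %s" % finding)
    for finding in audit_headers(SAMPLE_MESSAGE):
        print("header %s: %s (%s)" % finding)
```

Run against the real files, the #INCLUDE finding is the one to chase first: a workstation that pulls its lmhosts from a share on the old tech's server keeps re-importing his name mappings no matter how often the local copy is cleaned.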
 
First and foremost, have you changed any of the administrator passwords? This can be tricky due to services started by this account, but in these situations it is worth the hassle. Also lock down other important infrastructure points such as router passwords, lmhosts files (not needed if using WINS), and VPN accounts. If the old user is not to have access, then why can he still have access via the remote-site VPN?

Steve Bowman
steve.bowman@ultraex.com

 
We did change all of the admin passwords (we had to reset the routers and a number of the systems to defaults to remove unknown admin passwords). They didn't have any VPN before (they just had everything connected to NAT routers, and the Exchange server open to Internet traffic). We have pretty much locked things down, even to the extent of completely replacing the server and re-creating all accounts so as not to transfer anything over from the old system. We uninstalled Timbuktu from every single computer there, but we have yet to re-image all the workstations (still working on convincing them that we should do it with Win 2000 instead of 98 and ME, as they are currently).

We believe that this person still has access because he is very close to someone who is working at one of the branch offices (married, I believe). So he could have access through there, although now that we've installed the new server and VPNs they are all authenticating to the domain and the 2000 boxes have policies in effect.

Is it possible that her machine is registering with the WINS server for those Exchange services because it was set that way before when they were hijacking the email and now they don't have permission to change it? If they had the mail going through his server, could it get through her computer and onto their Exchange server without any sort of obvious configuration of their Exchange server? And is her system having those records in WINS preventing our Exchange server from having them? I'm a bit at a loss.

Thanks for your help,

Suzy
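Added example (not from the thread): the 87h and 6Ah records are the 16th-byte suffixes of NetBIOS names, and Microsoft's published suffix list is what maps them to "Microsoft Exchange MTA" and "Microsoft Exchange IMC". Name registration with WINS is not authenticated, so any host can register any name and suffix, and the names belong to whichever machine registered them. The Python below decodes a WINS or nbtstat -n style listing ("NAME <XX> UNIQUE Registered" rows) and flags hosts that hold Exchange suffixes without being an approved Exchange server. The listing, the server name EXCH2003 and the workstation name BRANCH-PC7 are constructed. One caveat the thread does not state: the IMC is the Exchange 5.x Internet Mail Connector, and Exchange 2000/2003 hand Internet mail to the Windows SMTP service instead, so a new Exchange 2003 server not holding a 6Ah record is expected; a workstation holding 87h and 6Ah means software on that machine registered them.

```python
"""Decode NetBIOS name suffixes in a WINS / nbtstat style listing and flag
hosts that register Exchange service names without being an Exchange server.
Added example; host names and the listing are constructed."""
import re
from collections import namedtuple

# 16th-byte suffixes, subset of Microsoft's NetBIOS suffix list.
NETBIOS_SUFFIXES = {
    "00": "Workstation Service",
    "03": "Messenger Service",
    "20": "File Server Service",
    "1B": "Domain Master Browser",
    "1C": "Domain Controllers",
    "1D": "Master Browser",
    "1E": "Browser Service Elections",
    "22": "Microsoft Exchange Interchange (MSMail Connector)",
    "23": "Microsoft Exchange Store",
    "24": "Microsoft Exchange Directory",
    "87": "Microsoft Exchange MTA",
    "6A": "Microsoft Exchange IMC",
    "BE": "Network Monitor Agent",
    "BF": "Network Monitor Application",
}
EXCHANGE_SUFFIXES = {"22", "23", "24", "87", "6A"}

Registration = namedtuple("Registration", "name suffix kind status service")

# One row of "NAME <XX> UNIQUE|GROUP Status", the shape nbtstat -n prints.
ROW = re.compile(r"^\s*(\S+)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")


def parse_registrations(listing):
    """Turn the listing into Registration tuples, decoding each suffix."""
    regs = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue                     # column header, rule or blank line
        name, suffix, kind, status = m.groups()
        suffix = suffix.upper()
        regs.append(Registration(name.upper(), suffix, kind, status,
                                 NETBIOS_SUFFIXES.get(suffix, "unknown suffix")))
    return regs


def hosts_registering_exchange(listing):
    """Set of host names that registered any Exchange service suffix."""
    return {r.name for r in parse_registrations(listing)
            if r.suffix in EXCHANGE_SUFFIXES}


def find_rogue_exchange(listing, approved_hosts):
    """Registrations of Exchange suffixes by hosts not in approved_hosts."""
    approved = {h.upper() for h in approved_hosts}
    return [r for r in parse_registrations(listing)
            if r.suffix in EXCHANGE_SUFFIXES and r.name not in approved]


# Constructed listing: the real Exchange server registers only 00h/20h,
# while a branch workstation registers the two suffixes from the thread.
SAMPLE_LISTING = """\
    Name               Type         Status
    ---------------------------------------------
    EXCH2003       <00>  UNIQUE      Registered
    EXCH2003       <20>  UNIQUE      Registered
    COMPANY        <1C>  GROUP       Registered
    BRANCH-PC7     <00>  UNIQUE      Registered
    BRANCH-PC7     <03>  UNIQUE      Registered
    BRANCH-PC7     <87>  UNIQUE      Registered
    BRANCH-PC7     <6A>  UNIQUE      Registered
"""

if __name__ == "__main__":
    for r in find_rogue_exchange(SAMPLE_LISTING, {"EXCH2003"}):
        print(f"{r.name} registered <{r.suffix}> {r.service} ({r.kind}, {r.status})")
```

Feed it the WINS database export for every host rather than one machine's nbtstat output; the point of the approved-host set is to make any other machine registering Exchange names stand out at once.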
 