And it is Spam, not a hack. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com
> -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Keith Purtell > Sent: Monday, March 31, 2003 2:11 PM > To: Declude JunkMail (E-mail) > Subject: [Declude.JunkMail] Possible exploit on mail server > > Don't know if this is related to spam or not... This morning I logged onto the NT4 > server where we > host both our web and mail server. Immediately noticed a Messenger Service box > (like you get with > "net send" from dos prompt) containing a typical spam message (edited): "From our > Research Dept ... > Work From Home ... Type this address in your browser ..." > > First I went into the Task Manager where confirmed it really was the Messenger > Service (csrss) being > used. Then I made sure the service executable had not been modified. Then I ran > F-Prot to make sure > there were no known viruses. Then I ran a tracert on the IP address mentioned in > the spam. Then I > checked the event log, but didn't have any relevant entries. Then I ran a recent > Critical Update > from the Microsoft site, just in case it applied to what I was seeing. I rebooted and > the message is > gone, but I don't know how they got in. There are only a few accounts on this > server. IUSR and IWAM, > administrator, myself and my boss, and a special account for FTP access. Any > ideas? > > Keith Purtell, Web/Network Administrator > VantageMed Operations (Kansas City) > Email: [EMAIL PROTECTED] > > CONFIDENTIALITY NOTICE: This email message, including any attachments, is > for the sole use of the > intended recipient(s) and may contain confidential and privileged information. Any > unauthorized > review, use, disclosure or distribution is prohibited. If you are not the intended > recipient, please > contact the sender by reply email and destroy all copies of the original message. > > --- > [This E-mail scanned for viruses by Declude Virus] > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
