EmailTalk.org Blog

Martuz.cn / Gumblar exploit causing Microsoft Exchange 2003 OWA to run extremely slowly after login, and how to fix the problem.

5 June 2009  |  Filed under: Daily Roundup, MS Exchange Server

Martuz.cn / Gumblar exploit: root cause of the OWA problem

Symptoms of the martuz.cn JavaScript infection in Microsoft Exchange 2003 Outlook Web Access
Within the last few days Outlook Web Access on one of our main Exchange 2003 servers became painfully slow. In Internet Explorer the main OWA window would render only the vertical bar that separates the folder list from the message area, stay stuck there for about 30 seconds, and then finally load the rest of the page. Double-clicking a message opened a blank message window that showed "http://yourservername…." in the lower-left status bar and took another 30 seconds or so to load. Composing a new message in OWA behaved the same way. Everything still worked, except that every task in OWA had become slower for users.

Detecting the martuz.cn JavaScript infection
We run the latest version of Symantec Endpoint Security, and it reported no virus, Trojan or spyware on the Exchange 2003 server. Looking more closely, we noticed that when the Outlook Web Access window opened, the browser's status bar first showed "http://yourservername…." and then changed to "http://martuz.cn/vid/…" for a few seconds before the OWA window finally rendered. That pointed to an infection. Our analysis showed that the OWA pages were carrying injected JavaScript that pulled content from martuz.cn, and that this is what caused the delay. Symantec Endpoint Security had no signature for the infection, and we are still unsure how the server was infected; the reports we found while researching the problem attribute Gumblar infections to a PHP exploit or to compromised FTP access.

Removing the martuz.cn JavaScript infection
First, confirm that you have the same problem: log in to OWA and watch the message at the bottom left of the browser's status bar after login. It normally reads "Waiting for http://yourservername/exchange"; if at any point it changes to "Waiting for http://martuz.cn…" and then disappears, you have the same infection.
Download the trial version of Microsoft Forefront Client Security and install it on the server; we left Symantec Endpoint Security running at the same time without any problem. For a quick check, scan only the Exchange installation folder on the server. If the scanner reports the Gumblar Trojan, the server is infected. In our case the infected files were under \Exchsrvr\exchweb\controls and D:\Exchsrvr\exchweb\6.5.7651.60 (the folder name will match your build number, so it may differ slightly). Before removing anything, note the modification timestamps on the flagged files: they tell you roughly when the injection happened, and since injected files mean someone had write access to the server's web content, treat this as a server compromise and rotate any credentials that could have been used to write there. Back up the entire exchweb folder just in case, then choose the option to remove the infected files. Finally, re-install the Exchange 2003 service pack, which repopulates the files the anti-virus software removed.
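The status-bar check above only catches the infection while a page is loading. As an added example (not code from the original post or from Microsoft), the following script does the same check offline against the files on disk: it walks a copy of the exchweb folder, flags any script or iframe tag whose src points at a host outside an allowlist, marks martuz.cn as a known-bad host, and also flags inline scripts that use the eval/unescape/fromCharCode pattern plus long runs of encoded bytes, since injected script of this kind is usually obfuscated rather than a plain src reference. The allowed host name "yourservername", the sample files and the encoded string are all constructed assumptions; replace the allowlist with the name your users type into OWA and point scan_tree() at the real folder.

```python
"""Triage scanner for OWA web content that has had off-site script injected.

Added example, not code from the original post. It walks a directory of
HTML/JS/ASP files, flags <script>/<iframe> tags whose src points at a host
outside an allowlist, and flags inline scripts that show the
eval/unescape/fromCharCode obfuscation pattern. The sample files are
constructed here so the script runs offline; point scan_tree() at the
real \\Exchsrvr\\exchweb folder to use it for real.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Assumption: OWA only loads script from the server's own name. Replace
# "yourservername" with the host name users actually type into OWA.
DEFAULT_ALLOWED = {"yourservername", "localhost"}
KNOWN_BAD = {"martuz.cn"}            # indicator named in the post
SCAN_EXT = {".htm", ".html", ".js", ".asp", ".aspx", ".xsl"}

SRC_REF = re.compile(
    r"<(?P<tag>script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?(?P<url>https?://[^\"'\s>]+)",
    re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(?P<body>.*?)</script>",
                           re.IGNORECASE | re.DOTALL)
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
ENCODED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.IGNORECASE)


def _line_of(text: str, pos: int) -> str:
    return str(text.count("\n", 0, pos) + 1)


def scan_text(text: str, allowed: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious reference in a single file's text."""
    findings = []
    for m in SRC_REF.finditer(text):
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in allowed:
            continue
        findings.append({
            "kind": "known-bad-host" if host in KNOWN_BAD else "external-src",
            "tag": m.group("tag").lower(), "host": host,
            "line": _line_of(text, m.start())})
    for m in INLINE_SCRIPT.finditer(text):
        body = m.group("body")
        # Heuristic: a decoder call plus a long run of %XX or \xXX bytes.
        if OBFUSCATION.search(body) and ENCODED_RUN.search(body):
            findings.append({"kind": "obfuscated-inline-script", "tag": "script",
                             "host": "", "line": _line_of(text, m.start())})
    return findings


def scan_tree(root: str, allowed: Optional[Set[str]] = None) -> Dict[str, List[Dict[str, str]]]:
    """Scan every script-bearing file under root; map relative path -> findings."""
    allowed = allowed or DEFAULT_ALLOWED
    results: Dict[str, List[Dict[str, str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), allowed)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


# Constructed sample files standing in for the exchweb\controls folder.
SAMPLE_FILES = {
    "controls/clean.htm":
        '<html><head>\n'
        '<script src="http://yourservername/exchweb/controls/util.js"></script>\n'
        '</head><body>OWA</body></html>\n',
    "controls/injected.htm":
        '<html><head>\n'
        '<script src="http://yourservername/exchweb/controls/util.js"></script>\n'
        '</head><body>OWA\n'
        '<script src="http://martuz.cn/vid/?id=constructed-sample"></script>\n'
        '</body></html>\n',
    "controls/obfuscated.htm":   # the encoded text is just "abcdefghij"
        "<html><body><script>eval(unescape('%61%62%63%64%65%66%67%68%69%6a'))"
        "</script></body></html>\n",
}


def demo() -> Dict[str, List[Dict[str, str]]]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for h in hits:
            print(f"{path}:{h['line']} {h['kind']} {h['tag']} {h['host']}")
```

Run it against a copy of exchweb taken before clean-up and keep the output with the backup: the file list and line numbers show which OWA files were modified, and the kind column separates the known martuz.cn reference from other off-site or obfuscated script that a signature-based scanner may not name. The obfuscation heuristic will also fire on legitimate packed JavaScript, so treat those hits as a review list rather than a verdict.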

Summary:
Martuz.cn / Gumblar is a JavaScript exploit that inserts itself into legitimate OWA files. There is no definitively known cause for how the virus gets onto the server. Microsoft Forefront Client Security seems to do a good job of detecting and removing it. You need to re-install the service pack afterwards to restore the files removed during the clean-up.

What is Phishing?

30 December 2008  |  Filed under: Daily Roundup, Uncategorized

Phishing is a fraudulent act committed by individuals who want to gain access to sensitive personal information for an array of purposes. Contrary to what many believe, one of the best ways to protect yourself from phishing isn't to install defensive programs or tighten security settings, but to learn how to recognize a phish.

The most common form of phishing uses email. These emails usually appear to come from a well-organized financial institution and ask for personal information that, in the wrong hands, puts you at great risk. A typical phish will at some point ask for your credit card number, social security number, account number or password. Many phishing attempts appear to come from sites with which you do not even have an account, which is all the more evidence that the email is a phishing attempt. It isn't uncommon for a phishing email to instruct you to click a link that redirects you to a site where you are expected to enter personal information. Legitimate organizations should and will never ask you to confirm this information via email.


High Cost Effects of Spam on Businesses

30 December 2008  |  Filed under: Daily Roundup, Spam

What is Spam?

Spam can be defined, in general terms, as unsolicited email that is usually sent in bulk to many addresses. Spammers have created their own "gated" community within the Internet: they have separated themselves from the politics and rules of the Internet and constructed their own methods. Spam is produced by all sorts of individuals and organizations in order to reach a wide audience, and the endless stream of advertisements and other messages they send floods your mailboxes every day.

Effects on Businesses

It is no secret that many businesses rely heavily on the Internet to grow and expand. But if the Internet is a business's backbone, bandwidth is in turn the backbone of the Internet. Every message sent to a network consumes bandwidth, and how much depends on the size and number of messages. An unusually large message, or a mass of messages, takes up a great deal of bandwidth and consequently slows down a business's network and Internet connection.

Some studies suggest that spam accounts for as much as 50% of the traffic on some business networks, which means those businesses get only about half the use of the resources they pay for, hindering growth and adding unnecessary expense. Reducing or eliminating spam can be a mission in itself, but the right spam filter is the solution. Spam filters rely on a set of rules, regulations and, if I may say so, "politics" to catch and filter out the unwanted messages. Determining your business's needs and assessing the budget are the first steps toward gaining control of unwanted email.

DNS Root Name Servers Explained

24 December 2008  |  Filed under: Daily Roundup, Uncategorized

A DNS root name server is a server that answers on behalf of the DNS root zone: it does not hold the answer for most names, but it refers a query for a given TLD (top-level domain) to that TLD's name servers. The term "root name server" is normally used to describe the thirteen root server identities, A through M, run by the organizations often referred to as the "root server operators". Together they implement the root of the namespace for the Internet's official, universal implementation of the Domain Name System. In alphabetical order the thirteen are: A - VeriSign Global Registry Services, B - Information Sciences Institute, C - Cogent Communications, D - University of Maryland, E - NASA Ames Research Center, F - Internet Systems Consortium, Inc., G - U.S. DOD Network Information Center, H - U.S. Army Research Lab, I - Autonomica/NORDUnet, J - VeriSign Global Registry Services, K - RIPE NCC, L - ICANN, M - WIDE Project. (VeriSign runs both A and J, so thirteen letters are served by twelve operators.)

Incidentally, the letters A through M correspond to the thirteen IPv4 addresses at which the root service is provided, one per letter. Each operator is tasked with providing consistent DNS service to the Internet from its address; most letters are in fact served from many physical locations using anycast, so a single letter is not a single machine.

The empty label after the final dot in a fully qualified domain name is the root domain, and all other domains, such as .org and .net, sit beneath it. A resolver connected to the Internet resolves a name by working from right to left: it asks a root server about the rightmost label, receives a referral to the name servers for that top-level domain, asks them about the next label, and so on. The root name servers know which servers are responsible for the top-level domains such as .com and .org; those TLD servers know which name servers are responsible for each registered domain; and those servers in turn answer queries for the IP addresses of hosts and subdomains within the domain. At each step it is the resolver, not the server it just asked, that follows the referral and sends the next query.
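The referral chain described above, as an added example that is not part of the original post: a small iterative resolver walked over an in-memory delegation tree. The server names (root, tld-org, auth-example-org), the zones and the 192.0.2.x addresses are all constructed for illustration (192.0.2.0/24 is a documentation range), so nothing touches the network. The trail returned by resolve() is the sequence of servers a real resolver would query for the same name, and a name with no delegation below the TLD ends in NXDOMAIN rather than an answer.

```python
"""Iterative DNS resolution walked over an in-memory delegation tree.

Added example, not code from the original post. The servers, zones and
addresses below are constructed (192.0.2.0/24 is a documentation range),
so nothing is sent over the network; the point is the referral chain a
resolver follows from the root down.
"""
from typing import Dict, List, Optional, Tuple

# Constructed servers. Each knows the zone it is authoritative for, the
# child zones it delegates (zone -> server that serves it) and the names it
# can answer for directly.
SERVERS: Dict[str, Dict] = {
    "root": {"zone": ".",
             "delegations": {"org.": "tld-org", "com.": "tld-com"},
             "answers": {}},
    "tld-org": {"zone": "org.",
                "delegations": {"example.org.": "auth-example-org"},
                "answers": {}},
    "tld-com": {"zone": "com.", "delegations": {}, "answers": {}},
    "auth-example-org": {"zone": "example.org.", "delegations": {},
                         "answers": {"example.org.": "192.0.2.1",
                                     "www.example.org.": "192.0.2.10",
                                     "mail.example.org.": "192.0.2.25"}},
}


def _fqdn(name: str) -> str:
    """Normalise to lower case with the trailing dot that names the root."""
    return name.lower().rstrip(".") + "."


def _referral(server: Dict, qname: str) -> Optional[Tuple[str, str]]:
    """Closest enclosing delegation this server knows for qname, or None."""
    best = None
    for zone, target in server["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, target)
    return best


def resolve(qname: str, start: str = "root", max_hops: int = 16) -> Tuple[str, str, List[str]]:
    """Return (status, address, trail); trail lists the servers queried in order."""
    name = _fqdn(qname)
    server, trail = start, []
    for _ in range(max_hops):
        trail.append(server)
        srv = SERVERS[server]
        if name in srv["answers"]:                 # authoritative answer
            return "NOERROR", srv["answers"][name], trail
        ref = _referral(srv, name)
        if ref is None:                            # nothing delegated below here
            return "NXDOMAIN", "", trail
        server = ref[1]                            # the resolver follows the referral
    return "SERVFAIL", "", trail                   # guard against referral loops


if __name__ == "__main__":
    for q in ("www.example.org", "mail.example.org", "www.example.com"):
        print(q, *resolve(q))
```

The model deliberately leaves out caching, glue records and the recursive resolver that usually sits between the client and this walk; what it keeps is the part the paragraph describes, namely that each server only knows one level of delegation and that the querying side does the work of moving down the tree.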


Why Spamming is a Profitable Enterprise

17 November 2008  |  Filed under: Daily Roundup, Spam

Did you ever wonder how spammers stay in business? Sending email is cheap, but does anybody, in this day and age, ever click through on spam? Researchers at the University of California infiltrated the Storm botnet and were able to measure the conversion rate of spam directly. It turns out that almost nobody clicks on spam, as you would suspect. But "almost nobody", which works out to roughly 1 in 12 million, is more than enough for spammers to turn a tidy profit. If only legitimate email marketers could bank on the same ratio!


MS Exchange 2007 Mailbox Server Storage Cost Calculator

12 November 2008  |  Filed under: Daily Roundup, MS Exchange Server

MSExchangeTeam.com has posted a very useful article about the Microsoft Exchange 2007 Mailbox Server Storage Cost Calculator.

In order to move forward with various designs like large mailboxes, IT departments need to understand one of the chief costs associated with Exchange mailbox servers, namely storage. To that end, the Exchange 2007 Mailbox Storage Cost Calculator is designed to help you determine a portion of the mailbox server cost, namely the disk cost (purchase price and lifecycle power and cooling costs). The calculator helps in two ways:

1. The calculator compares a series of storage design configurations and determines their respective costs. The underlying goal here is two-fold:

a. To show that you can achieve the same capacity and I/O requirements utilizing Small Form Factor SAS disks for relatively the same cost as Large Form Factor FC disks.

b. To show that there are other disk solutions (e.g., SATA) that can be viable and reduce the disk footprint cost.

2. In the situation where you are unsure whether you want to deploy Single Copy Clusters (SCC) or Cluster Continuous Replication (CCR), the calculator can compare SCC+SAN disk configurations against CCR+DAS disk configurations from a cost perspective.

Read the full MS Exchange 2007 Storage Cost Calculator Article

Exchange 2007 Service Pack (SP) 1

12 November 2008  |  Filed under: Daily Roundup, MS Exchange Server

Microsoft recently released Exchange 2007 SP1. The Service Pack features improvements in the following areas: Client Access Improvements, Protection & Availability improvements, Transport Improvements, Mailbox Role Improvements, and Unified Messaging Improvements. ExchangeIS provides a detailed writeup of all of Exchange 2007 SP1’s features.

Exchange 2007 Mail Flow (DNS Records, Connectors and TLS)

12 November 2008  |  Filed under: Daily Roundup, MS Exchange Server

Elan Shudnow has written a detailed post on how you should configure DNS for Exchange 2007. Here’s the summary of his article:

A lot of people are confused as to how exactly you should configure DNS for Exchange 2007. But this isn't just limited to DNS: how do you set up your Send Connectors and Receive Connectors, how do both connectors relate to DNS and the SMTP banner, and how do you allow your Connectors to advertise TLS to the outside world?

For Elan Shudnow’s complete explanation - which contains detailed screenshots and more, follow this link: Exchange Server 2007 Mail Flow.