Exchange Server crashed big time - Tilted Forum Project Discussion Community

vanblah · 11-14-2005, 08:27 PM

OK. Before I start let me tell you that it's not MY idea to be running Exchange. That edict was handed down to me by the powers-that-be.

I'm currently in the middle of a 14 hour day ... yep, I'm facing another possible 14 hours before i can go home ... I've been on the phone with Microsoft for about 3 hours now. They're looking into it.

Basically, at around 5:30PM, all the trans. logs for Exchange just disappeared. For every database. Here's the kicker ... we DON'T have file level antivirus running on that server (we do use a product designed specifically for Exchange by Symantec); there was no power outage; there is no hard drive failure. Just ***POOF*** the log files are all gone. Anyone ever seen that?

Here's where it gets worrisome. The Event logs were all cleared at around 5:30 as well as the W3SVC log files. It's as if someone or something erased them ... scary. We have no idea what happened before that time.

My only recourse is to restore from yesterday's backup (today's hasn't run yet). We'll lose all of today's email.

Of course, we could repair and defrag the db's but that would take about another 20 or so hours (70GB of dbs).

So my questions are: ... has anyone ever witnessed Exchange log files just vanish AND what are your thoughts on the possibility that we were compromised? We don't have a wide open firewall ... but port 80 is open of course ... on the Exchange server. I'd love to run a FE/BE set up (or no Exchange at all) but we don't have the money for that.

On the bright side: I get to stay home tomorrow ... and sleep.

Doug

vanblah · 11-15-2005, 05:06 AM

Well, it looks like we were hacked. Microsoft security has requested that we let them look at the box.

I'm in the process of bringing up a new exchange server now. Loads of fun. 23 hours at work today and counting.

cyrnel · 11-15-2005, 06:21 AM

Eesh.

When the logs vanish from multiple services there aren't many other possibilities.

Good luck. That's not an eviable job.

JStrider · 11-15-2005, 08:51 AM

OI

thats no fun at all... hope you get a day or 2 off after this!

bendsley · 11-16-2005, 11:53 AM

First of all, I'm going to say that Exchange is one of the best out there, be it from Microsoft or not. Millions of companies use it, there is a huge support base and it's upgraded quite regularly compared to some of Microsoft's other software.

What version of Exchange are you running? 5.5, 2003? Also, are you running Standard or Enterprise? The information and log stores on Standard edition only allow 16gb for each store. If you hit that size level, the stores will actually dismount with no warning. The Enterprise version will allow unlimited space usage for stores.

I'm assuming you have looked at the system and application logs in the System Manager? I'm surprised that nothing else is missing. And too, so you lost some email, at least you're doing backups and should be able to retrieve those, and any people sending your company stuff should be able to resend at your request.

Good luck.

vanblah · 11-16-2005, 10:12 PM

We are running Exchange Server 2003 Enterprise. It is great at what it does. However, the technology is a little dated at this point -- it seems to be stuck in 1998 as far as db technology goes. Can't dump the database; no mirrored transaction logs etc. etc.

I'm really not knocking it though.

As with any Microsoft product the support is really good. The Exchange team was very thorough with trying everything to get the stores to mount.

As for the Event Viewer (system and application logs) they were wiped.

We did see something in IPAudit that was a little strange at the time the Exchange server started to crash. Of course, it only confirms our suspicions; but it doesn't give us any culprit. We're fairly certain that it wasn't a student ... which is probably the most important thing.

I'm just glad the ordeal is semi-over now. I'm just tying up loose ends now ... re-applying OWA customizations etc. It ended up being 28 straight hours for me.

11-14-2005, 08:27 PM	#1 (permalink)
vanblah Junkie	Exchange Server crashed big time OK. Before I start let me tell you that it's not MY idea to be running Exchange. That edict was handed down to me by the powers-that-be. I'm currently in the middle of a 14 hour day ... yep, I'm facing another possible 14 hours before i can go home ... I've been on the phone with Microsoft for about 3 hours now. They're looking into it. Basically, at around 5:30PM, all the trans. logs for Exchange just disappeared. For every database. Here's the kicker ... we DON'T have file level antivirus running on that server (we do use a product designed specifically for Exchange by Symantec); there was no power outage; there is no hard drive failure. Just *POOF* the log files are all gone. Anyone ever seen that? Here's where it gets worrisome. The Event logs were all cleared at around 5:30 as well as the W3SVC log files. It's as if someone or something erased them ... scary. We have no idea what happened before that time. My only recourse is to restore from yesterday's backup (today's hasn't run yet). We'll lose all of today's email. Of course, we could repair and defrag the db's but that would take about another 20 or so hours (70GB of dbs). So my questions are: ... has anyone ever witnessed Exchange log files just vanish AND what are your thoughts on the possibility that we were compromised? We don't have a wide open firewall ... but port 80 is open of course ... on the Exchange server. I'd love to run a FE/BE set up (or no Exchange at all) but we don't have the money for that. On the bright side: I get to stay home tomorrow ... and sleep. Doug

11-15-2005, 06:21 AM	#3 (permalink)
cyrnel Adequate Location: In my angry-dome.	Eesh. When the logs vanish from multiple services there aren't many other possibilities. Good luck. That's not an eviable job. __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

11-15-2005, 08:51 AM	#4 (permalink)
JStrider Poo-tee-weet? Location: The Woodlands, TX	OI thats no fun at all... hope you get a day or 2 off after this! __________________ -=JStrider=- ~Clatto Verata Nicto

11-16-2005, 11:53 AM	#5 (permalink)
bendsley Professional Loafer Location: texas	First of all, I'm going to say that Exchange is one of the best out there, be it from Microsoft or not. Millions of companies use it, there is a huge support base and it's upgraded quite regularly compared to some of Microsoft's other software. What version of Exchange are you running? 5.5, 2003? Also, are you running Standard or Enterprise? The information and log stores on Standard edition only allow 16gb for each store. If you hit that size level, the stores will actually dismount with no warning. The Enterprise version will allow unlimited space usage for stores. I'm assuming you have looked at the system and application logs in the System Manager? I'm surprised that nothing else is missing. And too, so you lost some email, at least you're doing backups and should be able to retrieve those, and any people sending your company stuff should be able to resend at your request. Good luck. __________________ "You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

11-15-2005, 05:06 AM	#2 (permalink)
vanblah Junkie	Well, it looks like we were hacked. Microsoft security has requested that we let them look at the box. I'm in the process of bringing up a new exchange server now. Loads of fun. 23 hours at work today and counting.

11-16-2005, 10:12 PM	#6 (permalink)
vanblah Junkie	We are running Exchange Server 2003 Enterprise. It is great at what it does. However, the technology is a little dated at this point -- it seems to be stuck in 1998 as far as db technology goes. Can't dump the database; no mirrored transaction logs etc. etc. I'm really not knocking it though. As with any Microsoft product the support is really good. The Exchange team was very thorough with trying everything to get the stores to mount. As for the Event Viewer (system and application logs) they were wiped. We did see something in IPAudit that was a little strange at the time the Exchange server started to crash. Of course, it only confirms our suspicions; but it doesn't give us any culprit. We're fairly certain that it wasn't a student ... which is probably the most important thing. I'm just glad the ordeal is semi-over now. I'm just tying up loose ends now ... re-applying OWA customizations etc. It ended up being 28 straight hours for me.