SIGforum
Microsoft Exchange Issue
March 29, 2021, 12:30 PM
AUTiger89
Okay, we use Exchange on our in-house mail server. It's running on Windows Server 2012 R2.
Saturday night it stopped working. I checked Sunday and a bunch of the Exchange services aren't started, and won't start manually. I tried to run Windows Update, and it tells me there's a security update for Exchange. When I try and run it, I get error 80070643, which I find indicates that there is an issue with the .NET Framework installation. So I try and run the .NET Framework repair tool, and it tells me it can't repair the installation.
Things I have tried:
1. Renaming the SoftwareDistribution folder (stopping WUAUSERV and BITS).
2. Rebooting
3. Shutting down my anti-virus while doing all of this. I did run AV just to check for viruses.
4. Running the .NET Framework Repair Tool. It un-registers, re-registers, and re-starts the Windows Installer service, then tries to repair the framework (v4.8), but doesn't fix the problem. I checked the logs, but didn't see anything that jumps out at me.
5. I ran SFC to see if it could repair the system files. Found no files in need of repair.
Any suggestions?
Phone's ringing, Dude.
March 29, 2021, 12:35 PM
Shaql
You're aware of the massive exchange hack, right?
https://www.cbsnews.com/news/m...r-hack-what-to-know/
Hedley Lamarr: Wait, wait, wait. I'm unarmed.
Bart: Alright, we'll settle this like men, with our fists.
Hedley Lamarr: Sorry, I just remembered . . . I am armed.
March 29, 2021, 12:48 PM
AUTiger89
quote:
Originally posted by Shaql:
You're aware of the massive exchange hack, right?
https://www.cbsnews.com/news/m...r-hack-what-to-know/
No, I wasn't. Ugh.
But I kept my servers updated.
Working on the response measures now. Thanks for the heads-up!
Phone's ringing, Dude.
March 29, 2021, 01:12 PM
smschulz
What is your Exchange version?
March 29, 2021, 01:25 PM
AUTiger89
quote:
Originally posted by smschulz:
What is your Exchange version?
2013
Phone's ringing, Dude.
March 30, 2021, 06:43 AM
henryaz
quote:
Originally posted by AUTiger89:
No, I wasn't. Ugh.
But I kept my servers updated.
Thousands were compromised before MS could get the patches out. Also in the brief period before patches were applied. Many have been hacked by multiple hacking groups. There are still many out there that are unpatched.

The compromise gives the hacker complete Administrative access to the server. AFAIK, nuke and pave is the solution, and keep it off the Internet until all patches are applied.
I remember the earlier versions of Exchange server (prior to OWA), where MS strongly recommended that the Exchange server NOT be Internet facing. We used a Linux machine as our MX, which forwarded mail to and from the internal Exchange server.
When in doubt, mumble
March 30, 2021, 09:17 AM
AUTiger89
quote:
Originally posted by henryaz:
quote:
Originally posted by AUTiger89:
No, I wasn't. Ugh.
But I kept my servers updated.
Thousands were compromised before MS could get the patches out. Also in the brief period before patches were applied. Many have been hacked by multiple hacking groups. There are still many out there that are unpatched.

The compromise gives the hacker complete Administrative access to the server. AFAIK, nuke and pave is the solution, and keep it off the Internet until all patches are applied.
I remember the earlier versions of Exchange server (prior to OWA), where MS strongly recommended that the Exchange server NOT be Internet facing. We used a Linux machine as our MX, which forwarded mail to and from the internal Exchange server.
Yep, that's what I'm finding. Nothing I have tried has worked yet, but I'm still working on it.
Looks like we're going to have to move to an e-mail service provider.
Phone's ringing, Dude.
March 30, 2021, 09:30 AM
DJ_Boston
OS level, can you reapply the latest Service Pack and then retry .NET?
There is something good and motherly about Washington, the grand old benevolent National Asylum for the helpless.
- Mark Twain The Gilded Age
#CNNblackmail #CNNmemewar
March 30, 2021, 09:40 AM
smschulz
It is unlikely that a hack is causing this.
However, since this can be very involved with many variables, I was hesitant to offer a solution.
I did find this in a Google search (in the olden days we were given CDs and then DVDs with KB on them called Technet) but I digress:
https://info.summit7systems.co...-patch-fix-kb4045655
There are other online sources too.
Good Luck
March 30, 2021, 04:59 PM
BamaJeepster
We moved away from on premise so long ago I don't have any relevant info that would be helpful and like smschulz says, there are so many variables it would be almost impossible to go back and forth in this format and be of any help. However, on this point
quote:
Originally posted by AUTiger89:
Looks like we're going to have to move to an e-mail service provider.
When you switch to O365 (or any provider), make sure you enable multifactor authentication or you will get compromised within the first few weeks of conversion. I've seen it first hand multiple times - don't let your users' complaints and bellyaches sway you - suck it up and do it from the get go and they will get used to it, otherwise go ahead and brush off your breach response plan because it will happen sooner rather than later.
“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence.”
- John Adams
March 31, 2021, 03:09 PM
AUTiger89
Okay, so I was never able to get any of Microsoft's mitigation steps to work, so we migrated to Office 365. All we have left is to import our old Exchange EDB file.
Man, what an exhausting few days.
Thanks for all the help and advice, everyone!
Phone's ringing, Dude.