I've been hijacked! Relays

What follows is from my server log. In the past, almost by default, the server would stop relays and just state that the relay function is configured out of your server. Now they've got me. For the moment I have shut down the SMTP tasks, but I need a fix, as this server is going live next week. Sorry for the long paste below.

10/09/2007 08:34:22 PM Network: Requesting IP Address for mx.KORNET.NET from DNS
10/09/2007 08:34:22 PM DIIOP Server: Started
10/09/2007 08:34:22 PM HTTP Server: Using Web Configuration View
10/09/2007 08:34:24 PM SchedMgr: Done validating Schedule Database
10/09/2007 08:34:24 PM Router: No messages transferred to KORNET.NET (host mx.KORNET.NET) via SMTP
10/09/2007 08:34:24 PM Router: No messages transferred to NATE.COM (host smtp.NATE.COM) via SMTP
10/09/2007 08:34:26 PM LDAP Schema: Finished loading
10/09/2007 08:34:27 PM JVM: Java Virtual Machine initialized.
10/09/2007 08:34:27 PM JVM: Java Virtual Machine initialized.
10/09/2007 08:34:27 PM HTTP Server: Java Virtual Machine loaded
10/09/2007 08:34:29 PM RunJava: Started lotus/notes/addins/changeman/ChangeMan Java task.
10/09/2007 08:34:30 PM HTTP Server: DSAPI Domino Off-Line Services HTTP extension Loaded successfully
10/09/2007 08:34:31 PM Router: No messages transferred to DREAMWIZ.COM (host mx-ra.DREAMWIZ.COM) via SMTP: SMTP Protocol Returned a Permanent Error
10/09/2007 08:34:31 PM LDAP Server: Started
10/09/2007 08:34:31 PM Router: Transferred 1 messages to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP
10/09/2007 08:34:31 PM Change Manager Executive: Domino Change Manager (Build 6048, 11/1/02)
10/09/2007 08:34:33 PM HTTP Server: Started
10/09/2007 08:34:33 PM Change Manager Executive: Initialization complete
10/09/2007 08:34:33 PM Change Manager Interface Monitor: Initialization complete
10/09/2007 08:34:33 PM Change Manager Robotic Administrator: Initialization complete
10/09/2007 08:34:33 PM Change Manager Plan Control: Initialization complete
10/09/2007 08:34:35 PM Router: No messages transferred to DREAMWIZ.COM (host mx-rb.DREAMWIZ.COM) via SMTP: SMTP Protocol Returned a Permanent Error
10/09/2007 08:34:36 PM Router: Transferred 1 messages to PARAN.COM (host mailex04.PARAN.COM) via SMTP
10/09/2007 08:34:39 PM Router: No messages transferred to KORNET.NET (host mx.KORNET.NET) via SMTP
10/09/2007 08:34:40 PM Router: No messages transferred to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP: SMTP Protocol Returned a Transient Error
10/09/2007 08:34:40 PM Router: No messages transferred to KORNET.NET (host mx.KORNET.NET) via SMTP
10/09/2007 08:34:42 PM Router: Transferred 1 messages to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP
10/09/2007 08:34:46 PM Finished updating usage statistics
10/09/2007 08:34:48 PM Router: Transferred 1 messages to HANANET.NET (host mx.hanafos.com) via SMTP
10/09/2007 08:34:49 PM Router: Transferred 1 messages to PARAN.COM (host mailex02.PARAN.COM) via SMTP
10/09/2007 08:34:50 PM Opened session for ceo/managementsoftwaresystems (Release 6.0.3)
10/09/2007 08:34:50 PM Closed session for ceo/managementsoftwaresystems|Databases accessed: 0 Documents read: 0 Documents written: 0
10/09/2007 08:34:50 PM Opened session for ceo/managementsoftwaresystems (Release 6.0.3)
10/09/2007 08:34:51 PM Opened session for ceo/managementsoftwaresystems (Release 6.0.3)
10/09/2007 08:34:51 PM Closed session for ceo/managementsoftwaresystems|Databases accessed: 2 Documents read: 1 Documents written: 0
10/09/2007 08:34:52 PM Router: Transferred 2 messages to HANAFOS.COM (host mx.HANAFOS.COM) via SMTP
10/09/2007 08:34:54 PM Router: No messages transferred to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP
10/09/2007 08:34:55 PM Router: No messages transferred to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP

Help!

Rick Bushey

rbushey@cfl.rr.com
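The pattern in the console log above (a burst of Router deliveries to unrelated external mail exchangers within seconds of start-up, on a server with a single local user) is what an abused relay looks like from the server side. The following script is an added example, not code from the original post or from Domino: it parses Router lines of the form shown, aggregates them per destination domain, and lists external destinations that actually received mail or were retried. The sample log is constructed from the line formats in the post, "example.com" stands in for the server's own domain (an assumption), and the thresholds in relay_suspects are a starting heuristic, not a Domino setting.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Domino console lines quoted in the post
# above; it is not a capture from the poster's server.
SAMPLE_LOG = """\
10/09/2007 08:34:24 PM Router: No messages transferred to KORNET.NET (host mx.KORNET.NET) via SMTP
10/09/2007 08:34:31 PM Router: Transferred 1 messages to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP
10/09/2007 08:34:31 PM Router: No messages transferred to DREAMWIZ.COM (host mx-ra.DREAMWIZ.COM) via SMTP: SMTP Protocol Returned a Permanent Error
10/09/2007 08:34:33 PM HTTP Server: Started
10/09/2007 08:34:36 PM Router: Transferred 1 messages to PARAN.COM (host mailex04.PARAN.COM) via SMTP
10/09/2007 08:34:40 PM Router: No messages transferred to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP: SMTP Protocol Returned a Transient Error
10/09/2007 08:34:42 PM Router: Transferred 1 messages to FREECHAL.COM (host mx01.FREECHAL.COM) via SMTP
10/09/2007 08:34:52 PM Router: Transferred 2 messages to HANAFOS.COM (host mx.HANAFOS.COM) via SMTP
"""

# Outbound Router lines in both the "Transferred N messages" and
# "No messages transferred" forms, with an optional trailing error reason.
ROUTER_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) Router: "
    r"(?:Transferred (?P<count>\d+) messages|No messages transferred) to "
    r"(?P<domain>\S+) \(host (?P<host>[^)]+)\) via SMTP"
    r"(?:: (?P<error>.+))?$"
)


def parse_router_lines(text):
    """Return one dict per outbound Router line; other console lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROUTER_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p"),
            "domain": m["domain"].lower(),
            "host": m["host"].lower(),
            "delivered": int(m["count"] or 0),
            "error": m["error"],
        })
    return events


def per_destination(events):
    """Aggregate attempts, deliveries and error classes per destination domain."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["domain"], {"attempts": 0, "delivered": 0,
                                           "permanent": 0, "transient": 0,
                                           "hosts": set()})
        s["attempts"] += 1
        s["delivered"] += e["delivered"]
        s["hosts"].add(e["host"])
        if e["error"] and "Permanent" in e["error"]:
            s["permanent"] += 1
        elif e["error"] and "Transient" in e["error"]:
            s["transient"] += 1
    return stats


def burst_seconds(events):
    """Length of the window spanned by the Router lines (0 if fewer than two)."""
    if len(events) < 2:
        return 0.0
    times = [e["time"] for e in events]
    return (max(times) - min(times)).total_seconds()


def relay_suspects(stats, own_domains):
    """Destinations outside our own domains that received mail or were retried.

    A server hosting a handful of local users should not be pushing queued mail
    to many unrelated external mail exchangers right after start-up; each such
    destination is a lead to check against the messages sitting in mail.box.
    """
    own = {d.lower() for d in own_domains}
    return sorted(
        d for d, s in stats.items()
        if d not in own and (s["delivered"] > 0 or s["attempts"] > 1)
    )


if __name__ == "__main__":
    ev = parse_router_lines(SAMPLE_LOG)
    st = per_destination(ev)
    print(f"{len(ev)} router events over {burst_seconds(ev):.0f} s")
    for d in relay_suspects(st, {"example.com"}):  # example.com: assumed own domain
        print(f"  {d}: {st[d]['delivered']} delivered, {st[d]['attempts']} attempts")
```

On a real server, feed it the console log (or the Miscellaneous Events view of log.nsf exported as text) and compare the suspect list with the sender addresses of the queued messages: relayed spam typically carries neither a local sender nor a local recipient.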

Subject: I’ve been hijacked! Relays

Thank you. I used all of what you offered and had some things wrong. In the end there was a port configured for NetBIOS over TCP/IP that I am still trying to figure out. It was shut down immediately, of course. I had many SMTP tasks and Router tasks going on, and that led me to it.

Thanks again,

Rick

Subject: I’ve been hijacked! Relays

hi,

How is your inbound relay control configured?

http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/1f84fe85cce4e4088525706f0065cb96?OpenDocument&Highlight=0,relay

You can use the Domino blacklist filter feature and stop external SMTP connections from specific DNS domains such as FREECHAL.COM.

http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/89f81991d5caaaed8525706f0065cbc7?OpenDocument&Highlight=0,blacklist

I hope this helps you.

Moacyr Rodrigues Filho

http://workflow-by-moacyr.blogspot.com

IBM Certified Advanced System Administrator - Lotus Notes and Domino 7

IBM Certified Advanced Application Developer - Lotus Notes and Domino R5/6/6.5/7
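Whatever inbound relay controls end up in the configuration document, the check that matters is whether the server, seen from the outside, still accepts a message from one foreign domain addressed to another. The probe below is an added example, not code from the original thread or from Domino. It speaks the SMTP exchange up to RCPT TO and then issues RSET and QUIT, so nothing is ever relayed, and it classifies the RCPT reply. The FakeSmtpServer class, the hostnames probe.example, outside.example and elsewhere.example, and example.com as the server's own domain are all constructed for offline use and are assumptions; the fake server only mimics the accept/deny decision, not Domino's actual reply text.

```python
import socket
import sys


class SmtpSocket:
    """Minimal line-oriented SMTP client over TCP, for probing a real server."""

    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self._reply()

    def _reply(self):
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("connection closed by server")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
                return int(lines[-1][:3]), lines

    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))
        return self._reply()

    def close(self):
        self.rfile.close()
        self.sock.close()


class FakeSmtpServer:
    """In-memory stand-in (constructed, not Domino) that accepts mail only for
    local_domains, or for any recipient at all when open_relay=True."""

    def __init__(self, local_domains, open_relay=False):
        self.local = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.sender = None

    def cmd(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return 250, ["250-mail.example", "250 SIZE 10485760"]
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return 250, ["250 OK"]
        if verb == "RCPT":
            if self.sender is None:
                return 503, ["503 Need MAIL first"]
            rcpt = arg.split(":", 1)[1].strip("<> ")
            domain = rcpt.rpartition("@")[2].lower()
            if self.open_relay or domain in self.local:
                return 250, ["250 OK"]
            return 550, ["550 Relaying not allowed"]
        if verb == "RSET":
            self.sender = None
            return 250, ["250 OK"]
        if verb == "QUIT":
            return 221, ["221 Bye"]
        return 500, ["500 Command unrecognized"]

    def close(self):
        pass


def probe_rcpt(conn, mail_from, rcpt_to, helo="probe.example"):
    """EHLO, MAIL, RCPT, then RSET and QUIT; DATA is never sent, so no mail moves.
    Returns (verdict, transcript) with verdict one of
    "accepted", "denied", "deferred" (4xx, e.g. greylisting) or "rejected-early"."""
    transcript = []

    def send(line):
        code, lines = conn.cmd(line)
        transcript.append((line, lines))
        return code

    try:
        if send(f"EHLO {helo}") != 250:
            return "rejected-early", transcript
        if send(f"MAIL FROM:<{mail_from}>") != 250:
            return "rejected-early", transcript
        code = send(f"RCPT TO:<{rcpt_to}>")
        send("RSET")
        send("QUIT")
    finally:
        conn.close()
    if code == 250:
        return "accepted", transcript
    if 400 <= code < 500:
        return "deferred", transcript
    return "denied", transcript


def is_open_relay(conn, outside_sender, outside_rcpt):
    """True if the server takes mail from one foreign domain to another."""
    verdict, _ = probe_rcpt(conn, outside_sender, outside_rcpt)
    return verdict == "accepted"


if __name__ == "__main__":
    # usage: relay_probe.py <host> <outside_sender> <outside_recipient>
    host, sender, rcpt = sys.argv[1:4]
    print("OPEN RELAY" if is_open_relay(SmtpSocket(host), sender, rcpt) else "relay denied")
```

Run it from a host that is not in the server's own networks or authenticated ranges, since relay controls are usually keyed on the connecting address; a probe from inside the LAN proves nothing about what a spammer on the internet gets. A "deferred" verdict means try again later rather than that relaying is closed.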

Subject: RE: I’ve been hijacked! Relays

In addition to those links, this one should help, too:

http://chris-linfoot.net/d6plinks/CWLT-6R8P9S

And if that isn’t enough, this should do it:

http://chris-linfoot.net/d6plinks/CWLT-6YVJEL

Good luck.