My Windows 2008 server is attempting to send out a lot of spam, I've just discovered, and I'm not sure how to see where the compromise is. For example: has someone hacked an account? Has someone hacked the server? Is there a virus on the server?
What can I do to investigate this?
Edit
Thanks for the replies so far. I am running hMail server, and have spent so long investigating the correct configuration but still I end up with these emails being sent.
Here is a screenshot of my Internet IP range settings on the server:
(let me know what else I can provide to help)
Whatever logging you can enable, enable. Then use simple statistical analysis on the logs (e.g. if you have a Linux/Unix box available and know basic sed/perl/awk, pry out all the originating IPs submitting mail and `| sort | uniq -c` them, then treat that list with a geoip lookup). As politically incorrect as it sounds, the IPs causing massive traffic from locations that completely defy the geological structure of your company ecosystem usually ARE what you need to investigate further.
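The log tally the answer above describes, as an added example that is not from the original thread. It assumes a tab-separated SMTP log with the remote IP in the fifth field (a constructed sample, loosely modelled on the layout of hMailServer's SMTPD log; check your own server's format and adjust the field number and the `MAIL FROM` match), and it stands in a crude prefix allowlist for the GeoIP step, since a GeoIP lookup needs a database that is not available offline:

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Counts mail submissions per originating IP from an SMTP log and flags the
# ones outside the ranges you expect, the same idea as the answer's
# "sort | uniq -c" then geoip pass.

# Constructed sample log. Columns (tab-separated): log type, thread id,
# session id, timestamp, remote IP, message. Only the RECEIVED "MAIL FROM"
# lines are real submission attempts; the bare SENT line is just a connection.
sample_log() {
  printf '"SMTPD"\t1001\t1\t"2012-05-01 10:00:01.000"\t"192.0.2.10"\t"SENT: 220 mail.example.com ESMTP"\n'
  printf '"SMTPD"\t1001\t1\t"2012-05-01 10:00:02.000"\t"192.0.2.10"\t"RECEIVED: MAIL FROM:<alice@example.com>"\n'
  printf '"SMTPD"\t1002\t2\t"2012-05-01 10:00:05.000"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<offer@example.net>"\n'
  printf '"SMTPD"\t1003\t3\t"2012-05-01 10:00:06.000"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<offer@example.net>"\n'
  printf '"SMTPD"\t1004\t4\t"2012-05-01 10:00:07.000"\t"198.51.100.42"\t"RECEIVED: MAIL FROM:<win@example.org>"\n'
  printf '"SMTPD"\t1005\t5\t"2012-05-01 10:00:08.000"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<offer@example.net>"\n'
  printf '"SMTPD"\t1006\t6\t"2012-05-01 10:00:09.000"\t"198.51.100.42"\t"RECEIVED: MAIL FROM:<win@example.org>"\n'
}

# Reads the log on stdin, prints "count ip" sorted by count, highest first.
# Counting is done in awk so the output format is fixed ("N ip"), unlike the
# leading-space padding that uniq -c produces.
submissions_per_ip() {
  awk -F '\t' '
    /MAIL FROM/ {
      ip = $5; gsub(/"/, "", ip)   # strip the quotes around the address
      n[ip]++
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -k1,1rn -k2,2
}

# Prefixes you expect to submit mail (office LAN, VPN pool...). Example values;
# replace with your own. This is an assumed stand-in for a GeoIP lookup.
EXPECTED_PREFIXES='192.0.2. 10.0.0.'

# Reads the log on stdin, prints only the senders that fall outside
# EXPECTED_PREFIXES. Those are the ones to investigate first.
unexpected_sources() {
  submissions_per_ip | while read -r count ip; do
    ok=0
    for p in $EXPECTED_PREFIXES; do
      case "$ip" in "$p"*) ok=1 ;; esac
    done
    if [ "$ok" -eq 0 ]; then
      echo "$count $ip"
    fi
  done
}

# Usage on the constructed sample; point the real log at the functions instead:
#   unexpected_sources < /path/to/hmailserver_2012-05-01.log
sample_log | unexpected_sources
```

On the sample this lists 203.0.113.7 (three submissions) and 198.51.100.42 (two) and drops 192.0.2.10, the one expected internal source. With a real log, a handful of external addresses each pushing thousands of `MAIL FROM` lines is the relay-abuse or compromised-account signature the answer is pointing at; pair the IP with the authenticated user in the same session to tell the two apart.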
What happened to your server does not necessarily depend on a virus on it. Probably you only need to set up your SMTP server to not accept incoming requests to send email. In this way you can use it only locally. If you use the default IIS SMTP server, go to Control Panel and then Administrative Tools. Find Internet Information Services Manager and select the SMTP server. Click on Properties and, in the Access tab, click on Connection control. Here you have to add your IP address and choose "Only the list below" to allow your IPs. Do the same by clicking Relay restrictions in the same Access tab.
I use Windows 2003 Server, but I suppose it'll be quite the same.
Hope it serves...
If the server is actually a mail server, running Exchange or some other mail product, then you really need to look at what the best practices are for restricting mail relaying. If it is a mail server then I'd recommend looking into how to restrict the number of recipients in a single message. I've set it as low as 5 while troubleshooting. This will usually let you troubleshoot your issue and not annoy your legit end users. If it's not a mail server then just hop into your router and block outbound port 25 from the infected server, and then start figuring out if it's a hack or a virus.
If you can give us some more detail on the server we can probably tailor the answers a bit.