Exchange Server Hacked
I have been running Exchange 2003 on a Server 2003 SP2 for years, and over the last day or two I noticed I was not receiving mail and people were not receiving mine. I noticed the SMTP service (inetinfo.exe) was using an inordinate amount of RAM. A reboot temporarily fixed it, but it came back. I discovered my outbound queue had 50K messages. I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host. In the 'Current Sessions' under SMTP Server I found three dubious usernames like kkhkgy or hfbrr. I kicked them off, but of course they came right back. The one option I had to uncheck was under Access/Relay/Allow all users who successfully authenticate to relay. I already had it restricted to my LAN subnet. I went ahead and stopped SMTP, renamed the queue folder and restarted with a fresh queue. I think I'm good, but unfortunately Comcast did not take kindly to the flood of e-mail from me and disabled my sending privileges for the remainder of the day. I think I might have exceeded the 1000 message limit. Oh well, another learning experience.
Blob
tomdlgns
Premium Member
2013-Oct-4 4:24 pm
create a firewall rule to block the email port from all LAN computers
create another firewall rule to allow your exchange server to send on the email port
I don't know if your server was compromised from the LAN or the WAN, but I think those rules are best practice.
craig70130 Premium Member join:2004-04-27 New Orleans, LA
If the messages are showing in the Outbound queue, the server itself is doing the sending so the firewall rule won't help in this case but it's a good thing to do.
I would suspect malware on a PC causing the problems, assuming you truly aren't an open relay.
tomdlgns
Premium Member
2013-Oct-4 4:30 pm
gotcha, good point.
All he would need to do is block port 25, correct? A compromised computer wouldn't try to send using a secure port(s), would it?
craig70130 Premium Member join:2004-04-27 New Orleans, LA
The point being that a compromised computer may be sending crap via the Exchange server. Since the user is authenticated, the server is accepting the message.
to tomdlgns
The Connected Sessions were all from outside as the IPs were all Internet Routable.
Thanks,
Blob
tomdlgns
Premium Member
2013-Oct-4 5:23 pm
Can you look up the IPs to see who they belong to? Is it a block? I'd start by blocking access to those IPs in your firewall if you still see this happening in the next few days.
dennismurphy Premium Member join:2002-11-19 Parsippany, NJ
to workablob
How did they authenticate against your exchange server?
I'd be a lot more concerned than just shutting down SMTP services.
said by dennismurphy: How did they authenticate against your exchange server?
That's what I am wondering.
Blob
workablob
to tomdlgns
They have not returned since I unchecked 'Allow all computers that successfully authenticate...'.
If I see them again I sure will.
Blob
Nightfall MVM join:2001-08-03 Grand Rapids, MI
to workablob
Something else you may have to do is check blacklists to make sure that your SMTP server address wasn't blacklisted. This has happened before when it comes to things like this. Getting off those blacklists will take some effort, but it's worth seeing if your server has been blacklisted due to spam.
to workablob
said by workablob: I discovered my outbound queue had 50K messages. I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.
Yea, that's the most common experience I have with growing sites that haven't appropriately locked down their server yet went for years and years without issue.
said by workablob: The Connected Sessions were all from outside as the IPs were all Internet Routable.
Make sure these aren't bounceback messages! Your issue could still be internal...
to Nightfall
Yeah, been there, done that, bought the tee shirt with my work Exchange servers.
Thankfully Comcast shuts off your sending privileges after 1000 Emails per day.
These scammers never got more than 1000 emails per day.
I will check though for sure.
Blob
workablob
to urbanriot
I've been monitoring the queues; they have not reconnected and the outbound queue is normal. Thank you for the advice, my friend. I can use all I can get.
Blob
to workablob
Have you checked AD for any unauthorized accounts?
said by Moffetts: Have you checked AD for any unauthorized accounts?
Yes, there are none. So, time to change all the passwords. A few years ago I renamed the main admin account to something non-admin looking and disabled it. Thanks for your input, Oedipus.
Blob
exocet_cm Premium Member join:2003-03-23 Brooklyn, NY
said by workablob: said by Moffetts: Have you checked AD for any unauthorized accounts? Yes, there are none. So, time to change all the passwords. A few years ago I renamed the main admin account to something non-admin looking and disabled it. Thanks for your input, Oedipus. Blob
When I rebuilt my lab domain, I configured account-specific services to run on their own domain account (example: VCTRSVC for vCenter services, SQLSVC for SQL server services, etc.) instead of using the "administrator" account. Using group policy (refreshed every 10 minutes), I have the "administrator" account password set with GPP and set a GPP to delete everything in the local administrators group on each server/workstation. Changing the local admin password on all lab servers (about 20) and my workstations (4) is as easy as changing the AD DS "administrator" password. If you aren't managing your local administrator account this way, it's something to think about.
What is GPP?
I run all my services with individual service accounts.
Administrator is obscured and disabled.
Thanks for the info.
Blob
exocet_cm Premium Member join:2003-03-23 Brooklyn, NY
said by workablob: What is GPP?
I run all my services with individual service accounts.
Administrator is obscured and disabled.
Thanks for the info.
Blob
Group Policy Preferences.
I had the G and P but not the last P. I use those at work, but we are on 2008. Is there an ADM I can import on 2003? I didn't think so, but what do I know. Thanks
Blob
exocet_cm Premium Member join:2003-03-23 Brooklyn, NY
It's been a minute since I've been in the trenches that is 2003. I don't recall/can't remember.
I would be running 2008 R2, but my ProLiant G3 is only 32-bit. But, it was free.
Blob
JoelC707 Premium Member join:2002-07-09 Lanett, AL
2013-Oct-5 3:00 pm
You could run 2008, if you have it. It was the last server OS to support 32-bit. I'm not sure if 2003 supports GPP or not, haven't run that in several years (I still have a 2003 server or two but not as DCs).
I guess I just blocked 2008 out since I wanted R2, but I may just do that. NO, I WILL do that. Thanks for that!
Blob
PS: Now I'm writing a script to monitor the queue, and if the files there exceed 100 I get an email, smtpsvc is stopped and it is logged.
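As an added example of the queue watchdog described in the post above (my own illustration, not Blob's script nor anything from this thread): count the files in the SMTP queue folder, and if there are more than 100, stop SMTPSVC, write a log line, and send an alert through a relay other than the server being stopped. It assumes PowerShell 2.0 or later for Send-MailMessage; the queue path, log path, relay host and mail addresses are placeholders to adjust for your server.

```powershell
# Added example: watchdog for an Exchange 2003 / IIS SMTP outbound queue folder.
# Every path and address below is an assumption for illustration; adjust for your server.
$QueuePath  = 'C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue'   # assumed queue folder
$LogPath    = 'C:\Logs\smtp-queue-watchdog.log'                  # assumed log file
$Threshold  = 100                                                 # queued files before we react
$AlertFrom  = 'watchdog@example.com'                              # placeholder addresses
$AlertTo    = 'admin@example.com'
$AlertRelay = 'relay.example.com'   # a relay other than the SMTP service we are about to stop

function Get-QueueDepth([string]$Path) {
    # Count files only; subfolders would inflate the number.
    return @(Get-ChildItem -Path $Path -Force | Where-Object { -not $_.PSIsContainer }).Count
}

function Write-WatchdogLog([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

$depth = Get-QueueDepth $QueuePath
if ($depth -gt $Threshold) {
    Write-WatchdogLog "Queue depth $depth exceeds $Threshold; stopping SMTPSVC"
    # Stop the SMTP service so a spam run cannot keep draining through the smart host.
    Stop-Service -Name 'SMTPSVC' -Force -ErrorAction Stop
    Write-WatchdogLog "SMTPSVC stopped"
    # Alert via the separate relay, since the local SMTP service is now down.
    Send-MailMessage -From $AlertFrom -To $AlertTo -SmtpServer $AlertRelay `
        -Subject "SMTP queue alert: $depth queued messages" `
        -Body ("SMTPSVC was stopped because the outbound queue held $depth files " +
               "(threshold $Threshold). Check the queue and the authenticated SMTP sessions before restarting.")
} else {
    Write-WatchdogLog "Queue depth $depth OK"
}
```

Run it from Task Scheduler every few minutes under an account allowed to stop services; the log gives you the timeline of when the queue started growing.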
izy MVM join:2000-09-21
to workablob
said by workablob: I found three dubious usernames like kkhkgy, or hfbrr.
Do you have RDP open to the server?
Only on the local LAN. Not via the Internet.
Blob
PToN Premium Member join:2001-10-04 Houston, TX
to JoelC707
I think the GPP can be installed as an add-on...
PToN
to workablob
Well, what about cellphones? If they are using your email server then the connections would all be from the outside...
said by PToN: Well, what about cellphones? If they are using your email server then the connections would all be from the outside...
The connections were coming from outside IP addresses.
Blob
PToN Premium Member join:2001-10-04 Houston, TX
2013-Oct-8 5:26 pm
Yes, if the cellphone is using a 3G/4G connection, it would be an outside IP. This is what it looks like in my server when someone is using a cellphone:
192.168.50.22:993 76.30.109.197:37059 ESTABLISHED
If I terminate the connection, it will come back once the client checks for email again... Maybe I missed something; if so, my apologies.