Exchange Server Hacked

workablob:
I have been running Exchange 2003 on a Server 2003 SP2 for years and over the last day or two I noticed I was not receiving mail and people were not receiving mine.
I noticed the SMTP service (inetinfo.exe) was using an inordinate amount of RAM.
A reboot temporarily fixed it but it came back.
I discovered my outbound queue had 50K messages.
I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.
In the 'Current Sessions' under SMTP Server I found three dubious usernames like kkhkgy, or hfbrr.
I kicked them off but of course they came right back.
The one option I had to uncheck was under Access/Relay/Allow all users who successfully authenticate to relay.
I already had it restricted to my LAN subnet.
I went ahead and stopped SMTP, renamed the queue folder and restarted with a fresh queue.
I think I'm good but unfortunately Comcast did not take kindly to the flood of e-mail from me and disabled my sending privileges for the remainder of the day.
I think I might have exceeded the 1000 message limit.
Oh well, another learning experience.
Blob -- I may have been born yesterday. But it wasn't at night.
tomdlgns (Premium, joined 2003-03-21, Chicago, IL):
Create a firewall rule to block the email port from all LAN computers.
Create another firewall rule to allow your Exchange server to send on the email port.
I don't know if your server was compromised from the LAN or the WAN, but I think those rules are best practice.
Reply:
If the messages are showing in the Outbound queue, the server itself is doing the sending so the firewall rule won't help in this case, but it's a good thing to do.
I would suspect malware on a PC causing the problems, assuming you truly aren't an open relay.
tomdlgns:
Gotcha, good point.
All he would need to do is block port 25, correct? A compromised computer wouldn't try to send using a secure port(s), would it?
Reply:
The point being that a compromised computer may be sending crap via the Exchange server. Since the user is authenticated, the server is accepting the message.
workablob (reply to tomdlgns):
The Connected Sessions were all from outside as the IPs were all Internet routable.
Thanks,
Blob -- I may have been born yesterday. But it wasn't at night.
tomdlgns:
Can you look up the IPs to see who they belong to? Is it a block? I'd start by blocking access to those IPs in your firewall if you still see this happening in the next few days.
dennismurphy ("Put me on hold? I'll put YOU on hold"; Premium, joined 2002-11-19, Parsippany, NJ; reply to workablob):
How did they authenticate against your Exchange server?
I'd be a lot more concerned than just shutting down SMTP services.
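The two questions in this thread, where the sessions came from and how they authenticated, are exactly what the SMTP protocol log answers. The script below is an added example (not from any poster): it reads a constructed W3C-style log such as the Exchange 2003 SMTP virtual server writes (the field layout is assumed for this example) and counts MAIL commands per authenticated account that logged in from outside the LAN subnets.

```python
import ipaddress
from collections import Counter

# Constructed sample of an SMTP protocol log in W3C extended format; the
# field layout is an assumption for this example, not copied from a real
# server. cs-username is the account that passed AUTH, c-ip the client.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-05-01 03:14:07 192.168.1.25 - EHLO +workstation7 250
2012-05-01 03:14:08 192.168.1.25 - MAIL +FROM:<alice@example.test> 250
2012-05-01 03:15:01 203.0.113.45 kkhkgy AUTH +LOGIN 235
2012-05-01 03:15:02 203.0.113.45 kkhkgy MAIL +FROM:<kkhkgy@example.test> 250
2012-05-01 03:15:02 203.0.113.45 kkhkgy RCPT +TO:<victim1@example.org> 250
2012-05-01 03:15:03 203.0.113.45 kkhkgy MAIL +FROM:<kkhkgy@example.test> 250
2012-05-01 03:15:09 198.51.100.7 hfbrr AUTH +LOGIN 235
2012-05-01 03:15:10 198.51.100.7 hfbrr MAIL +FROM:<hfbrr@example.test> 250
2012-05-01 03:16:00 192.168.1.30 bob AUTH +LOGIN 235
2012-05-01 03:16:01 192.168.1.30 bob MAIL +FROM:<bob@example.test> 250
"""

LAN_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")  # RFC 1918


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def external_authenticated_senders(text, lan_nets=LAN_NETS):
    """Count MAIL commands per (user, client IP) for accounts that passed
    AUTH (SMTP reply 235) from an address outside the LAN subnets."""
    lan = [ipaddress.ip_network(n) for n in lan_nets]
    authed = set()       # (user, ip) pairs that authenticated successfully
    mails = Counter()
    for rec in parse_w3c(text):
        ip = ipaddress.ip_address(rec["c-ip"])
        if any(ip in net for net in lan):
            continue     # internal clients are not the concern here
        key = (rec["cs-username"], rec["c-ip"])
        if rec["cs-method"] == "AUTH" and rec["sc-status"] == "235":
            authed.add(key)
        elif rec["cs-method"] == "MAIL" and key in authed:
            mails[key] += 1
    return mails


if __name__ == "__main__":
    for (user, ip), n in external_authenticated_senders(SAMPLE_LOG).most_common():
        print(f"{user:10} {ip:16} {n} MAIL commands after AUTH from outside the LAN")
```

Any account that shows up here is one whose password (or the relay setting) needs attention, regardless of how the outbound queue looks.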
workablob:
said by dennismurphy: How did they authenticate against your exchange server?
That's what I am wondering.
Blob -- I may have been born yesterday. But it wasn't at night.
workablob (reply to tomdlgns):
They have not returned since I unchecked 'Allow all computers that successfully authenticate...'.
If I see them again I sure will.
Blob -- I may have been born yesterday. But it wasn't at night.
Nightfall ("My Goal Is To Deny Yours"; Premium, MVM, joined 2001-08-03, Grand Rapids, MI; reply to workablob):
Something else you may have to do is to check blacklists to make sure that your SMTP server address wasn't blacklisted. This has happened before when it comes to things like this. Getting off those blacklists will take some effort, but it's worth seeing if your server has been blacklisted due to spam.
-- My domain - Nightfall.net
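The blacklist check Nightfall recommends is a DNS lookup: the server's public IPv4 address is written octet-reversed under the blocklist zone, and an answer in 127.0.0.0/24 means "listed". The code below is an added example, not from any poster; zen.spamhaus.org is a real zone, the address 203.0.113.45 is a constructed sample, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

DNSBL_ZONES = ("zen.spamhaus.org",)   # add other zones you trust here


def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup_a(name):
    """Default resolver: return the A record as text, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip, zones=DNSBL_ZONES, resolve=lookup_a):
    """Return {zone: answer} for each zone that lists the address.

    Only answers inside 127.0.0.0/24 count as listings; some lists use
    other 127.x.x.x codes to signal query errors (e.g. a refused resolver),
    and those must not be mistaken for a blacklist hit.
    """
    listed = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/24"):
            listed[zone] = answer
    return listed


if __name__ == "__main__":
    # Replace with the server's real public address when running for real.
    print(check_dnsbls("203.0.113.45"))
```

The specific 127.0.0.x code is defined by each list; consult the list's documentation to see which sub-list (and therefore which removal process) it refers to.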
Reply to workablob:
said by workablob: I discovered my outbound queue had 50K messages. I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.
Yeah, that's the most common experience I have with growing sites that haven't appropriately locked down their server yet went for years and years without issue.
said by workablob: The Connected Sessions were all from outside as the IPs were all Internet routable.
Make sure these aren't bounceback messages! Your issue could still be internal...
workablob (reply to Nightfall):
Yeah, been there, done that, bought the T-shirt with my work Exchange servers.
Thankfully Comcast shuts off your sending privileges after 1000 emails per day.
These scammers never got more than 1000 emails per day.
I will check though for sure.
Blob -- I may have been born yesterday. But it wasn't at night.
workablob (reply to urbanriot):
I've been monitoring the queues and they have not reconnected and the outbound queue is normal.
Thank you for the advice my friend.
I can use all I can get.
Blob -- I may have been born yesterday. But it wasn't at night.
Oedipus (reply to workablob):
Have you checked AD for any unauthorized accounts?
workablob:
said by Oedipus: Have you checked AD for any unauthorized accounts?
Yes, there are none.
So, time to change all the passwords.
A few years ago I renamed the main admin account to something non-admin looking and disabled it.
Thanks for your input Oedipus.
Blob -- I may have been born yesterday. But it wasn't at night.
exocet_cm ("I am the law - Judge Dredd"; Premium, joined 2003-03-23, New Orleans, LA):
said by workablob: Yes, there are none. So, time to change all the passwords. A few years ago I renamed the main admin account to something non-admin looking and disabled it. Thanks for your input Oedipus. Blob
When I rebuilt my lab domain, I configured account-specific services to run on their own domain account (example: VCTRSVC for vCenter services, SQLSVC for SQL Server services, etc.) instead of using the "administrator" account.
Using group policy (refreshed every 10 minutes), I have the "administrator" account password set with GPP and set a GPP to delete everything in the local administrators group on each server/workstation. Changing the local admin password on all lab servers (about 20) and my workstations (4) is as easy as changing the AD DS "administrator" password.
If you aren't managing your local administrator account this way, something to think about.
-- "All newspaper editorial writers ever do is come down from the hills after the battle is over and shoot the wounded." - Bruce Anderson
"I have often regretted my speech, never my silence." - Xenocrates
Check out my blog: www.johndball.com
workablob:
What is GPP?
I run all my services with individual service accounts.
Administrator is obscured and disabled.
Thanks for the info.
Blob -- I may have been born yesterday. But it wasn't at night.
exocet_cm:
said by workablob: What is GPP? I run all my services with individual service accounts. Administrator is obscured and disabled. Thanks for the info. Blob
Group Policy Preferences.
workablob:
I had the G and P but not the last P.
I use those at work but we are on 2008. Is there an ADM I can import on 2003?
I didn't think so but what do I know.
Thanks
Blob -- I may have been born yesterday. But it wasn't at night.
exocet_cm:
It's been a minute since I've been in the trenches that is 2003. I don't recall/can't remember.
workablob:
I would be running 2008 R2 but my ProLiant G3 is only 32-bit.
But, it was free.
Blob -- I may have been born yesterday. But it wasn't at night.