workablob (Member, join:2004-06-09, Houston, TX)

Exchange Server Hacked

I have been running Exchange 2003 on a Server 2003 SP2 for years and over the last day or two I noticed I was not receiving mail and people were not receiving mine.

I noticed the SMTP service (inetinfo.exe) was using an inordinate amount of ram.

A reboot temporarily fixed it but it came back.

I discovered my outbound queue had 50K messages.

I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.

In the 'Current Sessions' under SMTP Server I found three dubious usernames like kkhkgy, or hfbrr.

I kicked them off but of course they came right back.

The one option I had to uncheck was under Access/Relay/Allow all users who successfully authenticate to relay.

I already had it restricted to my LAN subnet.

I went ahead and stopped SMTP, Renamed the queue folder and restarted with a fresh queue.

I think I'm good but unfortunately Comcast did not take kindly to the flood of E-Mail from me and disabled my sending privileges for the remainder of the day.

I think I might have exceeded the 1000 message limit.

Oh well, another learning experience.

Blob

tomdlgns (Premium Member, join:2003-03-21)

create a firewall rule to block the email port from all LAN computers

create another firewall rule to allow your exchange server to send on the email port

i don't know if your server was compromised from the LAN or the WAN, but i think those rules are best practice.

craig70130 (Premium Member, join:2004-04-27, New Orleans, LA)

If the messages are showing in the Outbound queue, the server itself is doing the sending so the firewall rule won't help in this case but it's a good thing to do.

I would suspect malware on a PC causing the problems assuming you truly aren't an open relay.

tomdlgns (Premium Member, join:2003-03-21)

gotcha, good point.

all he would need to do is block port 25, correct? a compromised computer wouldn't try to send using a secure port(s), would it?

craig70130 (Premium Member, join:2004-04-27, New Orleans, LA)

The point being that a compromised computer may be sending crap via the Exchange server. Since the user is authenticated, the server is accepting the message.

workablob (Member, join:2004-06-09, Houston, TX) to tomdlgns

The Connected Sessions were all from outside as the IPs were all Internet Routable.

Thanks,

Blob

tomdlgns (Premium Member, join:2003-03-21)

can you lookup the IPs to see who they belong to? is it a block? i'd start by blocking access to those IPs in your firewall if you still see this happening in the next few days.

dennismurphy (Premium Member, join:2002-11-19, Parsippany, NJ) to workablob

How did they authenticate against your exchange server?

I'd be a lot more concerned about that than just shutting down SMTP services.

workablob (Member, join:2004-06-09, Houston, TX)

said by dennismurphy:

How did they authenticate against your exchange server?

That's what I am wondering.

Blob

workablob (Member, join:2004-06-09, Houston, TX) to tomdlgns

They have not returned since I unchecked 'Allow all computers that successfully authenticate...'.

If I see them again I sure will.

Blob

Nightfall (MVM, join:2001-08-03, Grand Rapids, MI) to workablob

Something else you may have to do is to check blacklists to make sure that your SMTP server address wasn't blacklisted. This has happened before when it comes to things like this. Getting off those blacklists will take some effort, but it's worth seeing if your server has been blacklisted due to spam.

urbanriot (Premium Member, join:2004-10-18, Canada) to workablob

said by workablob:

I discovered my outbound queue had 50K messages.

I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.

Yea, that's the most common experience I have with growing sites that haven't appropriately locked down their server yet went for years and years without issue.
said by workablob:

The Connected Sessions were all from outside as the IPs were all Internet Routable.

Make sure these aren't bounceback messages! Your issue could still be internal...

workablob (Member, join:2004-06-09, Houston, TX) to Nightfall

Yeah, been there done that bought the tee shirt with my work exchange servers.

Thankfully Comcast shuts off your sending privileges after 1000 Emails per day.

These scammers never got more than 1000 emails per day.

I will check though for sure.

Blob

workablob (Member, join:2004-06-09, Houston, TX) to urbanriot

I've been monitoring the queues and they have not reconnected and the outbound queue is normal.

Thank you for the advice my friend

I can use all I can get.

Blob

Moffetts (Member, join:2005-05-09, San Mateo, CA) to workablob

Have you checked AD for any unauthorized accounts?

workablob (Member, join:2004-06-09, Houston, TX)

said by Moffetts:

Have you checked AD for any unauthorized accounts?

Yes, there are none.

So, time to change all the passwords.

A few years ago I renamed the main admin account to something non-admin looking and disabled it.

Thanks for your input Oedipus.

Blob

exocet_cm (Premium Member, join:2003-03-23, Brooklyn, NY)

said by workablob:

said by Moffetts:

Have you checked AD for any unauthorized accounts?

Yes, there are none.

So, time to change all the passwords.

A few years ago I renamed the main admin account to something non-admin looking and disabled it.

Thanks for your input Oedipus.

Blob

When I rebuilt my lab domain, I configured account-specific services to run on their own domain account (example: VCTRSVC for vCenter services, SQLSVC for SQL server services, etc) instead of using the "administrator" account.

Using group policy (refreshed every 10 minutes), I have the "administrator" account password set with GPP and set a GPP to delete everything in the local administrators group on each server/workstation. Changing the local admin password on all lab servers (about 20) and my workstations (4) is as easy as changing the AD DS "administrator" password.

If you aren't managing your local administrator account this way, something to think about.

workablob (Member, join:2004-06-09, Houston, TX)

What is GPP?

I run all my services with individual service accounts.

Administrator is obscured and disabled.

Thanks for the info.

Blob

exocet_cm (Premium Member, join:2003-03-23, Brooklyn, NY)

said by workablob:

What is GPP?

I run all my services with individual service accounts.

Administrator is obscured and disabled.

Thanks for the info.

Blob

Group Policy Preferences.

workablob (Member, join:2004-06-09, Houston, TX)

I had the G and P but not the last P.

I use those at work but we are on 2008. Is there an ADM I can import on 2003?

I didn't think so but what do I know

Thanks

Blob

exocet_cm (Premium Member, join:2003-03-23, Brooklyn, NY)

It's been a minute since I've been in the trenches that is 2003. I don't recall/can't remember.

workablob (Member, join:2004-06-09, Houston, TX)

I would be running 2008 R2 but my ProLiant G3 is only 32-bit.

But, it was free.

Blob

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL)

You could run 2008, if you have it. It was the last server OS to support 32-bit. I'm not sure if 2003 supports GPP or not, haven't run that in several years (I still have a 2003 server or two but not as DCs).

workablob (Member, join:2004-06-09, Houston, TX)

I guess I just blocked 2008 out since I wanted R2, but I may just do that.

NO, I WILL do that.

Thanks for that!
Blob

PS Now I'm writing a script to monitor the queue, and if the files there exceed 100 I get an email, smtpsvc is stopped and it is logged.
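
An added example, not the poster's own script, of what such a queue watchdog could look like in PowerShell. The queue path, log path, service name, smart host, credential file and alert addresses are assumptions to adjust for the server in question:

```powershell
# Added example: watchdog for the Exchange 2003 outbound queue folder.
# Assumed values (not from the thread): queue path, log path, smart host, addresses.
param(
    [string]$QueuePath   = 'C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue',  # assumed default location
    [int]   $Threshold   = 100,
    [string]$ServiceName = 'SMTPSVC',                      # Windows SMTP service used by Exchange 2003
    [string]$LogPath     = 'C:\Logs\queue-watchdog.log',
    [string]$SmartHost   = 'smtp.example.invalid',         # placeholder: the ISP smart host
    [string]$CredFile    = 'C:\Logs\smarthost.cred.xml',   # saved earlier with: Get-Credential | Export-Clixml
    [string]$AlertFrom   = 'exchange@example.invalid',
    [string]$AlertTo     = 'admin@example.invalid'
)

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Count only files; filtering on PSIsContainer keeps this working on PowerShell 2.0.
$count = @(Get-ChildItem -Path $QueuePath -ErrorAction Stop |
           Where-Object { -not $_.PSIsContainer }).Count

if ($count -le $Threshold) {
    # Logging the normal case too gives a baseline of what the queue depth usually is.
    Add-Content -Path $LogPath -Value "$stamp OK queue=$count"
    return
}

# Over threshold: stop the SMTP service first so the flood stops, then record why.
Stop-Service -Name $ServiceName -Force
$msg = "$stamp ALERT queue=$count exceeds $Threshold; stopped service $ServiceName"
Add-Content -Path $LogPath -Value $msg

# The local SMTP service is now down, so the alert goes straight to the smart host
# on 587 using the DPAPI-protected credential saved for this account on this machine.
$cred = Import-Clixml -Path $CredFile
Send-MailMessage -SmtpServer $SmartHost -Port 587 -UseSsl -Credential $cred `
    -From $AlertFrom -To $AlertTo -Subject 'Exchange queue watchdog: SMTP stopped' -Body $msg
```

Run it from a scheduled task every few minutes under an account permitted to stop services; the credential file only decrypts for the same user on the same machine that exported it.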

izy (MVM, join:2000-09-21) to workablob

said by workablob:

I found three dubious usernames like kkhkgy, or hfbrr.

Do you have RDP open to the server?

workablob (Member, join:2004-06-09, Houston, TX)

Only on the local LAN. Not via the Internet.

Blob

PToN (Premium Member, join:2001-10-04, Houston, TX) to JoelC707

I think the GPP can be installed as an add-on...

PToN (Premium Member, join:2001-10-04, Houston, TX) to workablob

Well, what about cellphones? If they are using your email server then the connections would all be from the outside...

workablob (Member, join:2004-06-09, Houston, TX)

said by PToN:

Well, what about cellphones? If they are using your email server then the connections would all be from the outside...

The connections were coming from outside IP addresses.

Blob

PToN (Premium Member, join:2001-10-04, Houston, TX)

Yes, if the cellphone is using a 3G/4G connection, it would be an outside IP. This is what it looks like in my server when someone is using a cellphone:
 192.168.50.22:993       76.30.109.197:37059     ESTABLISHED

If I terminate the connection, it will come back once the client checks for email again...

Maybe I missed something; if so, my apologies.