
Exchange 2000/SMTP Auth Exploit


drax


It was recently reported to us that spam was originating from our mail server (SpamCop list), and we have subsequently investigated whether we may have been compromised by the Exchange 2000/SMTP Auth exploit.

I have run the following checklist:

1. Double checked we are not an open relay

2. Closed relaying completely. I have unticked "Allow all computers which successfully authenticate to relay, regardless of the list above" and entered the internal IP address of our mail server into the list of computers granted relay permission.

3. Checked that the mail server is up to date with Windows/Exchange patches.

4. Changed the administrator account username and password.

5. Enforced a new password policy of our users at next password change point.

According to the following article: A New Kind Of Attack

I should be looking out for Event ID 528s, of which I have seen none. It says I should also enable "account object auditing" but is a tad unclear about what I should be auditing, as the Windows security logs are full of audits of mailbox/folder access. However, I cannot see anything in the security log relating to SMTP virtual server access. Where should I be looking for this?

Anyway, despite all these changes we have made, I still notice the occasional entry in our message tracking log files of messages that look like they're being relayed through our mail server. How is this possible?

I have noticed that all our genuine-looking external mail in these logs has a full DNS domain name in the Client-hostname field, yet the suspect-looking mail has names such as "popularly" (203.81.238.82) and "screamer" (61.53.30.201).

If anyone could shed some light on the situation I'd be extremely grateful.

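The observation in the first post (relayed messages arrive from external clients whose Client-hostname is a bare word rather than a fully qualified name, and end up addressed to external recipients) can be turned into a simple log review. The following is an added example, not code from the original thread or from Exchange; it reads a constructed, simplified tab-separated tracking log with a header row (the real Exchange 2000 tracking-log layout has more columns), and the local domain, internal network range and all log lines are assumptions made up for the demonstration. An entry is flagged as a suspect relay only when an external client submits mail to an external recipient; a bare hostname or a foreign sender domain is reported as a supporting reason, not as a trigger on its own, so ordinary inbound mail from a sloppily named peer (like the "screamer" line below) is not flagged.

```python
"""Review message-tracking log entries for signs of SMTP AUTH relay abuse.

Added example. The log format is a constructed tab-separated layout
with a header row; it is NOT the exact Exchange 2000 tracking-log format.
"""
import csv
import io
import ipaddress

# Assumptions for the demo: our own mail domain(s) and our LAN range.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log: one internal submission, one normal inbound
# message, two relayed messages from a bare-hostname client, and one
# inbound message from a bare-hostname client (not a relay).
SAMPLE_LOG = """\
date\ttime\tclient-ip\tclient-hostname\tsender-address\trecipient-address
2004-01-10\t09:12:01\t192.168.1.20\tws01.example.com\talice@example.com\tbob@partner.test
2004-01-10\t09:13:44\t198.51.100.7\tmail.partner.test\tcarol@partner.test\tbob@example.com
2004-01-10\t09:15:09\t203.0.113.82\tpopularly\tdeals@bulkmail.test\tvictim@elsewhere.test
2004-01-10\t09:15:10\t203.0.113.82\tpopularly\tdeals@bulkmail.test\tother@elsewhere.test
2004-01-10\t09:20:30\t198.51.100.9\tscreamer\tnews@bulkmail.test\tbob@example.com
"""


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_internal(ip_text):
    """True when the client IP falls inside one of our internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def classify(row):
    """Label one log entry: internal-submission, inbound, or suspect-relay."""
    host = row["client-hostname"]
    sender_local = domain_of(row["sender-address"]) in LOCAL_DOMAINS
    rcpt_local = domain_of(row["recipient-address"]) in LOCAL_DOMAINS

    if is_internal(row["client-ip"]):
        return "internal-submission"
    if rcpt_local:
        # Mail for one of our own domains is legitimate inbound delivery,
        # whatever the client calls itself.
        return "inbound"

    # External client, external recipient: the message was relayed through
    # us. Record the supporting indicators the thread points at.
    reasons = ["external client relaying to external recipient"]
    if "." not in host:
        reasons.append("client-hostname is not a fully qualified name")
    if not sender_local:
        reasons.append("sender domain is not ours")
    return "suspect-relay: " + "; ".join(reasons)


def review(log_text):
    """Return (client-ip, client-hostname, label) for every suspect entry."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    findings = []
    for row in reader:
        label = classify(row)
        if label.startswith("suspect-relay"):
            findings.append((row["client-ip"], row["client-hostname"], label))
    return findings


def suspect_clients(log_text):
    """Count suspect relay entries per (client-ip, client-hostname)."""
    counts = {}
    for ip, host, _label in review(log_text):
        counts[(ip, host)] = counts.get((ip, host), 0) + 1
    return counts


if __name__ == "__main__":
    for ip, host, label in review(SAMPLE_LOG):
        print(f"{ip:15} {host:12} {label}")
    print(suspect_clients(SAMPLE_LOG))
```

Running the block against the constructed log reports only the two "popularly" entries; the client IP/hostname counts are the first thing to cross-check against the SMTP virtual server's authentication events, since with relaying closed to unauthenticated hosts an external client can only reach an external recipient by authenticating.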

For the first quick response, while you're waiting for a more definitive answer, I'm going to start with this:

4. Changed the administrator account username and password.

5. Enforced a new password policy of our users at next password change point.

What was not said there is that you have actually gone through and verified that ALL accounts are valid and authorized. Just requiring a new password at next login wouldn't stop anything or anyone from just marching on as before.

Have you yet gone through the FAQ, other Topics in this Forum? There are a number of issues with putting an Exchange server directly on the Internet, thus the numerous other discussions and FAQ entries dealing with just this situation.


What was not said there is that you have actually gone through and verified that ALL accounts are valid and authorized.  Just requiring a new password at next login wouldn't stop anything or anyone from just marching on as before.


Sure it would, it would force the spammer that cracked it to change their password :D


Well, I plan to put a Unix/Linux box between the Exchange server and the internet ASAP, but in the meantime I thought there may be something else I had overlooked....

Any ideas about where I should be looking for the SMTP Auth requests?

Many thanks.

PS: if the spammer has a valid password for one of our user accounts, the SMTP server will not prompt the user to change the password; only directly logging into the Windows domain would prompt this.......


If the spammer has a valid password for one of our user accounts, the SMTP server will not prompt the user to change the password; only directly logging into the Windows domain would prompt this.......


It's much more likely that the spammer would compromise a local role account on the Exchange server, rather than a domain account. For a role account, he only has to guess the password. For a domain account, he has to guess both the username and the password.

I would double check all local role accounts on the Exchange box. Make sure Guest, Info and any other accounts that you don't log in on are disabled. Change the passwords on all the other local accounts, not just Administrator. Changing the names of local role accounts will also help increase your security.


Depending on what the Linux box does, it will not stop the SMTP auth hack, because the spammer is a legit user. This relaying does not show up using a standard open relay test. They hacked a user's/administrator's/guest's usercode and password.

Did you check out:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

HTH.


Thanks for the reply.

The guest account was already disabled and I've re-configured the local admin account. However, there are also a few local system accounts still active; is it safe to change these?


The guest account was already disabled and I've re-configured the local admin account. However, there are also a few local system accounts still active; is it safe to change these?


I can't think of a reason that renaming the others would break anything, but I can't say I've tried it either.

Any Windows server I've ever connected to the internet only had one active account, the renamed Administrator one.


Archived

This topic is now archived and is closed to further replies.
