fosiul01 asked:

How to check if an SBS server is compromised or not

Hi, I suspect that my SBS server has been compromised.

Is there any way to check, to be sure, whether this server is compromised?

Regarding this, some questions:

1) Is there anywhere the SBS server keeps a log of who is logging on to the server? (Every day I get a report from the server (Server Performance Report), and I have noticed the following:

Security        529        09/10/2008 00:52        704 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      inna
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Caller Domain:      ourdomain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2324
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Why is it saying Workstation Name and Caller User Name = SBS? What happens if anyone successfully logs on? How will I know?

2) If I use Outlook to send email, I know it goes via the Exchange server, but someone said spyware can bypass the Exchange server and send email. Is there any way to check how many emails are going out from my server, authorized and unauthorized?

It's making me mad; please advise me.

Note: we have Sophos antivirus. I have checked with Sophos; it's cleared.
I have attached a picture of my Event log (smtp.GIF).
Please have a look: does this log mean email has been sent?
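As an added example (not from the thread), a small Python script that parses Security-log exports in the layout quoted above, tallies event-529 logon failures per user name and per source, and lists the pairs that repeat enough to suggest password guessing. The records are constructed to mirror the quoted event; the Advapi interpretation in the comments explains the SBS / SBS$ values the question asks about.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Security-log export quoted in the
# question (Windows 2003 event 529 = logon failure); user and time vary only.
RECORD = """Security        529        {ts}        {n} *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      {user}
       Domain:      
       Logon Process:      Advapi
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Source Network Address:      -
"""
SAMPLE_EXPORT = "".join(
    RECORD.format(ts="09/10/2008 00:%02d" % i, n=704 + i, user=u)
    for i, u in enumerate(["inna"] * 6 + ["administrator"]))

HEADER = re.compile(r"^Security\s+(\d+)\s+(\S+ \S+)\s+(\d+)")
FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """One dict per event: id, time, record number, plus the indented fields."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"id": int(m.group(1)), "time": m.group(2), "record": int(m.group(3))}
            events.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    return events

def failed_logons(events):
    """Count event-529 failures per (user name, source)."""
    counts = Counter()
    for e in events:
        if e["id"] != 529:
            continue
        src = e.get("Source Network Address", "-")
        if src in ("", "-"):
            # No client address with Logon Process Advapi: a service on the server
            # itself validated the credentials, so Workstation/Caller show SBS, SBS$.
            src = "local:" + e.get("Logon Process", "?")
        counts[(e.get("User Name", "?"), src)] += 1
    return counts

def repeated_failures(counts, threshold=5):
    # (user, source) pairs at or above the threshold: likely password guessing.
    return sorted(k for k, n in counts.items() if n >= threshold)
```

Feed it a text export from Event Viewer (or the daily report) instead of SAMPLE_EXPORT to see which names are being tried and how often.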
Dan560:

You can look at the security logs in Event Viewer,
but this is bizarre because I also had a user called inna trying to hack into my server. Very confusing.
Michael Worsham:
Here is the problem. Your SBS server is accessible by the outside world. This means that every script kiddie in the world is going to try to use some script or brute force attack to see if they can penetrate your server environment.

I recommend taking a look at the following EE PAQ'd Solution to give you an idea of what you can do to reduce or even prevent attacks of this nature...

https://www.experts-exchange.com/questions/23721698/Unknown-user-name-or-bad-password.html
fosiul01 (asker):

Hi, thanks.
I have checked that Experts Exchange link and the forum. About using that software, I will have to use it, but I will come back to you on that issue.
But I want to understand:

First of all, I checked the Exchange server with dnsstuff and abuse.net; it's not an open relay.
Second: the picture I have attached, what do you think of this picture? Is my server relaying email?

Can spyware bypass the Exchange server and send email outside?
Michael Worsham:
A quick way to find out if your Exchange environment is set up as a mail relay:

http://www.mxtoolbox.com/diagnostic.aspx

---

One thing you need to be aware of with anti-virus software on an SBS server: make sure it is not scanning the Exchange partition or its databases. This is a sure way to corrupt your Exchange databases.

If you need anti-virus/anti-spyware for your Exchange server, I recommend getting an application that was specifically designed to protect it. I, personally, recommend Kaspersky as it is easy to install and configure for the server, Exchange and all workstations on the domain.

Kaspersky Enterprise Space Security
http://usa.kaspersky.com/products_services/enterprise-space-security.php

fosiul01:
As I said, I have checked with dnsstuff and abuse.net and they say it's not an open relay. However, as you advised, I checked with mxtoolbox.

Here is the result:
RCPT TO: <test@mxtoolbox.com>
550 5.7.1 Unable to relay for test@mxtoolbox.com [5141 ms]

That means it's not an open relay, isn't it?

But I still want to know: the picture I have attached, what does it mean? Did anyone successfully send or not?
Michael Worsham:
If you look closely in the picture, it states '550 5.7.1 Unable to relay...' This means that an outside script kiddie attempted to use your server as a relay, but failed miserably -- so you are protected from the open relay issue.

As for the external user login/password 'attacks' to your system, the only thing I can recommend is setting up an IDS between your router and SBS server network infrastructure. This way, you can help reduce the number of attempts and even block them before reaching your site.
fosiul01:
OK, I was thinking that as well, but thanks for confirming.

Now one more question: can spyware bypass the Exchange server and send email? If it can, is there any way to track that?
And also, check these comments:

"Check your queues to make sure that your server is not sending an NDR to the domain from where the email originated. I have this same issue on my server where relaying is denied. However, if someone sends an email to nosuchuser@domain.com, Exchange will automatically attempt to NDR back to the originator. This does not indicate RELAY SPAM. Just NORMAL SPAM."

So, if my server replies to those NDRs, then that means in one way my server is doing spamming, isn't it? And for that reason, it could be on a spam list, is that right?
Michael Worsham:
Unless you are using your SBS server for browsing the Internet directly or have installed a mail client on your SBS server, it's highly unlikely you will get infected by spyware on the server environment.

Now, if your SBS server is setup in dual NIC configuration (i.e. acting as the firewall/router), it then depends on if you have a real-time network level anti-virus/anti-spyware application installed on the SBS server or on a separate appliance in between the SBS server and the external network environment.

fosiul01:
No, we don't browse from the server, and also no mail client is installed, so I can eliminate the idea that it has been affected by spyware, and we are using Sophos as real-time antivirus.

What about the NDR? This would be my last question for this problem, then I will close this one.
Michael Worsham:
Sending an NDR back to the spammer can possibly get your domain blacklisted, as some spammers (or their spambots) are using compromised systems to do their dirty work for them. Here is a good article to read over when it comes to blacklists...

How to Avoid Being Blacklisted
http://www.howtoforge.com/how_to_avoid_being_blacklisted

I also recommend that you take a look at this article for setting up IMF and an RBL check on your Exchange environment to help reduce the amount of this 'broadcast' spam...

http://www.petri.co.il/block_spam_with_exchange_2003.htm
fosiul01:
While I check those links,
please have a look at this question:

https://www.experts-exchange.com/questions/23802401/exchange-domain-configuraiton.html
I followed this link before:
http://support.microsoft.com/kb/909005/en-us

and I did everything it says under this: "Recipient filtering is only available in Exchange Server 2003."

So does that mean, if my server receives any NDR, it will not reply to those, is that right?
Michael Worsham (asker certified solution; this solution is only available to Experts Exchange members):
fosiul01:
OK, I have checked that tutorial.

But if I follow what that tutorial says, does it mean my server will not answer those NDRs and my server would be safe from spam block lists?
Thanks.
Michael Worsham:
No problem. Glad I could help.

-- Michael