Solved

Exchange 2003 Server hijacked, need help!

Posted on 2007-11-28
Last Modified: 2013-11-30
This morning one of our users brought to my attention about 10,000 returned emails sent from his account.

My first assumption was that someone was spoofing his address and spamming, but upon further investigation I am thinking his account was hijacked.  

I found this in the event log this morning:
Special privileges assigned to new logon:
       User Name:      username
       Domain:            domain
       Logon ID:            (xxxxxxxxx)
       Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege

This was from about 4:45AM.  I am not sure what exactly this means, but I do know he was not working at that time.  At about 5AM the mail queues started filling up with outbound mail on our default smtp virtual server.

I have changed his account type and password, but I am not sure what else I need to do to make sure this issue is resolved.  I also need recommendations on settings to check to make sure our Exchange 2003 server is secure.

I am not an exchange expert, so please be nice.  However since this is an urgent issue for me I will be giving out 500 points.  

Thanks,
Jesse
Question by:thirdlifes
16 Comments
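The event quoted in the question is the Windows Security audit record "Special privileges assigned to new logon" (event 576 on Windows Server 2003, 4672 on later versions). The example below is added here and is not part of the question or any reply: it parses a constructed copy of that event text, lists the privileges granted to the logon, and flags the two things the poster noticed, namely privileges such as SeDebugPrivilege and SeTakeOwnershipPrivilege that only an administrator-equivalent logon should ever carry, and a logon time well outside working hours. The business-hours window and the list of expected administrative accounts are assumptions passed in by the caller.

```python
"""Triage helper for the Windows Security event "Special privileges assigned to
new logon" (576 on Windows Server 2003, 4672 on later versions). Added example;
the event body below is a constructed copy of the redacted text in the question."""
import re
from datetime import datetime, time

# Constructed copy of the event quoted in the question (values are placeholders).
SAMPLE_EVENT = """Special privileges assigned to new logon:
       User Name:      username
       Domain:            domain
       Logon ID:            (xxxxxxxxx)
       Privileges:      SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege
                  SeEnableDelegationPrivilege
"""

# Privileges that amount to full control of the host. A mailbox user's logon
# should never be granted these; an administrator's logon normally is.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
    "SeEnableDelegationPrivilege",
}


def parse_special_privileges(text):
    """Return {'user', 'domain', 'logon_id', 'privileges'} from the event body."""
    fields = {}
    for label, name in (("User Name", "user"), ("Domain", "domain"), ("Logon ID", "logon_id")):
        m = re.search(rf"{label}:\s*(\S+)", text)
        fields[name] = m.group(1) if m else None
    # Every granted privilege is a token of the form Se...Privilege.
    fields["privileges"] = re.findall(r"\b(Se[A-Za-z]+Privilege)\b", text)
    return fields


def assess_logon(event, when, business_hours=(time(7, 0), time(19, 0)), admin_accounts=()):
    """Return the reasons this logon deserves a look (empty list means nothing unusual).

    business_hours and admin_accounts are assumptions supplied by the caller."""
    findings = []
    risky = sorted(set(event["privileges"]) & HIGH_IMPACT)
    if risky:
        findings.append("high-impact privileges granted: " + ", ".join(risky))
    start, end = business_hours
    if not (start <= when.time() <= end):
        findings.append(f"logon at {when:%H:%M} is outside business hours")
    expected = {a.lower() for a in admin_accounts}
    if event["user"] and event["user"].lower() not in expected:
        findings.append(f"{event['user']} is not an expected administrative account")
    return findings


def triage(event_text, when_iso, admin_accounts=()):
    """Convenience wrapper: parse the event and assess it for a logon at when_iso."""
    event = parse_special_privileges(event_text)
    return assess_logon(event, datetime.fromisoformat(when_iso), admin_accounts=admin_accounts)


if __name__ == "__main__":
    # The poster saw the event at about 4:45 AM for an account that should not be an admin.
    for finding in triage(SAMPLE_EVENT, "2007-11-28T04:45:00", admin_accounts=("Administrator",)):
        print("-", finding)
```

Run against the constructed event, the wrapper reports all three findings; the same event for a known administrator during the day reports only the privilege list, which matches the first reply's point that this record is normal for an administrator logon.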
 
LVL 21

Expert Comment

by:dan_blagut
ID: 20366620
Well, the user had access to changing the group membership? Was that user an administrator?
This kind of message appears when an administrator logs on.

Dan

Author Comment

by:thirdlifes
ID: 20366632
This user was an administrator.  The account is just a domain user as of this issue coming to light.


Author Comment

by:thirdlifes
ID: 20366985
It still seems like spam is being sent out from that user's account, even though I changed the password.

Where would I check to see if I have an open relay?  
Another issue:
Seems that we are not getting incoming email from outside the office.  :\

Expert Comment

by:icorps
ID: 20367476
To determine where the spam is being sent from, view the headers of the bounced messages.  That should show the path the message took - if your server isn't listed, then it was likely generated outside your organization.

You could also turn on message tracking and view messages that have been sent to see if it is in fact coming from their account.

Author Comment

by:thirdlifes
ID: 20367597
Message Tracking is enabled and it does show thousands of emails being sent from this user with the subject line of Claim Now.




Expert Comment

by:icorps
ID: 20367611
First, make sure your server isn't a relay and then check that user's system to see if it's being sent from there.

Author Comment

by:thirdlifes
ID: 20367655
I am not sure how to check if my server is relaying without having telnet access outside of our office.

In the SMTP Virtual Server properties under Access the relay restrictions are set 'Only the list below' and the list is empty.

It does seem that we are not getting inbound or outbound email at the moment.  So now I am wondering if there is a bigger issue at hand.

The event logs do not show any errors other than those failed outgoing spam attempts.

Author Comment

by:thirdlifes
ID: 20368766
Well at this point I believe the only spam getting sent out is rejected mail from earlier today.  
I can send email outside the office, but I cannot telnet in or send inbound mail from an outside account such as gmail.

Anyone have any thoughts?  I am really stumped.

Expert Comment

by:Sembee
ID: 20369741
Very unusual for a user account to be targeted, unless the user has been careless with their password. The usual target is the administrator account for this type of attack.

Exchange ESM is notorious for not showing the true extent of the Exchange queues when the server has been attacked, so messages still being shown is not unusual.
I would suggest that you have a look at my spam cleanup article to begin with: http://www.amset.info/exchange/spam-cleanup.asp

Simon.

Author Comment

by:thirdlifes
ID: 20369873
Sembee,

I actually found that article in another post earlier today and did try most of the steps and that is when I noticed we were unable to get incoming mail.  I am not sure if I screwed something up or if there is something else going on.

I have not been able to telnet into my mail server from outside account at all today.  That is another issue that I am stumped on.  All the DNS and PTR records look correct.

I am going to call my ISP right now to see if they have any suggestions.

Expert Comment

by:Sembee
ID: 20373383
Can you telnet to the server from inside your network? If you can then the ISP has probably blocked port 25 because you are spamming. If you cannot telnet to the server inside then you have probably changed something that you shouldn't have. A common issue is where people turn off anonymous permissions on the SMTP virtual directory.

Simon.

Author Comment

by:thirdlifes
ID: 20373640
Telnet internally seems to connect, but that is it.  The response I get is just a bunch of *****.
Then it just hangs.

I went through that entire article you wrote yesterday to try to take care of this issue, but it doesn't seem to be working.

The spam is actually being sent from a user's account here.  I determined that with the MSExchangeTransport events.

I changed the user's account type/password but it seems mail is still going out.   I then tried cleaning up the queues using a SMTP connector, but I do not think it worked. Is there supposed to be a folder/item in the queues with the same name as the smtp connector I created?

Sorry for all the questions but I'm pretty sure that we are still spamming.  :\


Expert Comment

by:Sembee
ID: 20373744
If you telnet internally and get a list of ********** then that isn't the Exchange server responding. That is most likely a Cisco PIX.
After changing the user's password, did you restart the SMTP Server service?

If the SMTP connector is working correctly then after the next retry time messages will appear in a single queue with the same name as the SMTP connector.

Simon.

Author Comment

by:thirdlifes
ID: 20373780
"If you telnet internally and get a list of ********** then that isn't the Exchange server responding. That is most likely a Cisco PIX."

We have a Fortinet managed router through our ISP, but we have not had issues with telnet internally before.

"After changing the user's password, did you restart the SMTP Server service? "
Yep several times.

"If the SMTP connector is working correctly then after the next retry time messages will appear in a single queue with the same name as the SMTP connector."

Maybe I didn't wait long enough.  But I set this up about 10 hours ago and have not seen a new queue.  I also restarted the SMTP service after setting this up.

Accepted Solution

by:
Sembee earned 500 total points
ID: 20374803
Exchange doesn't respond with *************

Normally you would see something like this:

220 mail.domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 29 Nov 2007 16:22:25 +0000

The queues increase in time for the retry as the time increases, but after 10 hours you should have seen something. Although Exchange by default will timeout all the messages after 48 hours, so the messages may go on their own.

Simon.
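Two things in this thread come down to one short SMTP conversation: the author's earlier question of how to check for an open relay without telnet access from outside, and Simon's point that a real Exchange 2003 listener greets with a "220 ... Microsoft ESMTP MAIL Service" banner, whereas a row of asterisks means a firewall's SMTP proxy is answering instead. The example below is added here and is not code from any participant: it reads the greeting and classifies it, then issues EHLO, MAIL FROM and RCPT TO for a recipient in a domain the server is not responsible for, and interprets the RCPT reply (250 means the server would relay the message; 550 "Unable to relay" means it refuses). The session ends with RSET and QUIT before DATA, so nothing is ever queued. The host name, HELO name and probe addresses are placeholders, and the canned server replies are constructed from the banner quoted in the accepted answer; point the live check only at your own server, from outside your network, which is exactly the test the author could not perform.

```python
"""Self-check of an SMTP listener from outside: classify the greeting, then see
whether the server would accept a recipient for a foreign domain (open relay).
Added example; the canned replies are constructed, the probe names are placeholders."""
import io
import socket


def read_reply(rfile):
    """Read one SMTP reply, including multi-line replies ('250-' continuation lines).
    Returns (code, lines); code is None when the peer is not speaking SMTP at all."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            return None, lines
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return int(line[:3]), lines          # final line of the reply
        if not (len(line) >= 4 and line[:3].isdigit() and line[3] == "-"):
            return None, lines                   # not SMTP (e.g. a row of asterisks)


def banner_verdict(code, lines):
    """Exchange 2003 greets with '220 <fqdn> Microsoft ESMTP MAIL Service ...';
    a row of asterisks is a firewall SMTP proxy masking the banner."""
    text = " ".join(lines)
    if code == 220:
        return "exchange" if "Microsoft ESMTP" in text else "smtp"
    if text.strip() and set(text.strip()) <= {"*"}:
        return "masked-by-firewall"
    return "no-smtp-banner"


def relay_verdict(rcpt_code):
    """250/251 on RCPT TO for a foreign domain means the server would relay it."""
    if rcpt_code in (250, 251):
        return "OPEN RELAY"
    if rcpt_code is not None and 500 <= rcpt_code < 600:
        return "relay refused"
    return "inconclusive"


def smtp_session(rfile, wfile, helo="probe.example", mail_from="probe@example.org",
                 rcpt_to="relaytest@example.net"):
    """Run the check over any byte streams; stops at RSET/QUIT, never sends DATA."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)

    code, lines = read_reply(rfile)
    result = {"banner": banner_verdict(code, lines), "banner_text": lines, "relay": "not tested"}
    if code != 220:
        return result                            # nothing useful to ask a non-SMTP peer
    send(f"EHLO {helo}")
    mail_code, _ = send(f"MAIL FROM:<{mail_from}>")
    rcpt_code, rcpt_lines = send(f"RCPT TO:<{rcpt_to}>")
    send("RSET")
    send("QUIT")
    result.update(mail_code=mail_code, rcpt_code=rcpt_code, rcpt_text=rcpt_lines,
                  relay=relay_verdict(rcpt_code))
    return result


def run_relay_selfcheck(host, port=25, timeout=20, **kw):
    """Live check against your own server (placeholder host name supplied by the caller)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return smtp_session(rfile, wfile, **kw)


def scripted_session(server_bytes, **kw):
    """Drive smtp_session against canned server output; returns (result, bytes sent)."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    return smtp_session(rfile, wfile, **kw), wfile.getvalue()


# Constructed replies: an Exchange 2003 server that refuses to relay, one that
# would relay, and a firewall proxy masking the banner with asterisks.
BANNER = (b"220 mail.domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 "
          b"ready at Thu, 29 Nov 2007 16:22:25 +0000\r\n")
EHLO_MAIL = b"250-mail.domain.net Hello [192.0.2.10]\r\n250 OK\r\n250 2.1.0 Sender OK\r\n"
TAIL = b"250 2.0.0 Resetting\r\n221 2.0.0 Service closing transmission channel\r\n"
SCRIPTED_EXCHANGE_REFUSING = BANNER + EHLO_MAIL + b"550 5.7.1 Unable to relay\r\n" + TAIL
SCRIPTED_OPEN_RELAY = BANNER + EHLO_MAIL + b"250 2.1.5 relaytest@example.net\r\n" + TAIL
SCRIPTED_MASKED = b"**********\r\n"

if __name__ == "__main__":
    for name, script in (("refusing", SCRIPTED_EXCHANGE_REFUSING),
                         ("open", SCRIPTED_OPEN_RELAY), ("masked", SCRIPTED_MASKED)):
        result, sent = scripted_session(script)
        print(name, "->", result["banner"], "/", result["relay"])
```

Against the constructed replies the check reports "exchange / relay refused", "exchange / OPEN RELAY" and "masked-by-firewall / not tested" respectively; the last case matches Simon's diagnosis of the asterisks the author saw, and the check deliberately sends nothing after a masked banner. A "relay refused" result from outside confirms the empty relay list the author found under the SMTP virtual server's Access tab is actually in effect.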

Author Comment

by:thirdlifes
ID: 20375203
My ISP was also not able to telnet into our server, but they did make sure the ports were open to our mail server.

Email is working both in/out for the first time since this problem arose, so maybe the system was just bogged down from the spam?

Either way I really do appreciate your help.  I know there is only so much you can help with without looking up my skirt, so to speak.

Thanks!