Solved

how to check if sbs server is compromised or not

Posted on 2008-10-09
19
661 Views
Last Modified: 2012-05-05
Hi, I suspect that the SBS server has been compromised.

Is there any way to check, to be sure, whether this server is compromised?

Regarding this, some questions:

1) Is there anywhere the SBS server keeps a log of who is logging on to the server? (Every day I get a report from the server (Server performance report), and I have noticed the following:

Security        529        09/10/2008 00:52        704 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      inna
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Caller Domain:      ourdomain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2324
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Why is it saying workstation name and caller user name = SBS? What happens if anyone successfully logs on? How will I know?

2) If I use Outlook to send email I know it goes via the Exchange server, but someone said spyware can bypass the Exchange server and send email. Is there any way to check how many emails are going out from my server, authorized and unauthorized?

It's making me mad, please advise me.

Note: we have Sophos antivirus; I have checked with Sophos, it's cleared.
I have attached a picture of my Event log.
Please have a look: does this log mean email has been sent?
smtp.GIF
Question by:fosiul01
19 Comments
 
Expert Comment by: Dan560 (LVL 2)
You can look at the security logs in Event Viewer,
but this is bizarre because I also had a user called inna trying to hack into my server. Very confusing.
 
Expert Comment by: Michael W (LVL 29)
Here is the problem. Your SBS server is accessible by the outside world. This means that every script kiddie in the world is going to try to use some script or brute force attack to see if they can penetrate your server environment.

I recommend taking a look at the following EE PAQ'd Solution to give you an idea of what you can do to reduce or even prevent attacks of this nature...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_23721698.html
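An added example (not from the thread, and not Microsoft's or Experts Exchange's code) of what "looking at the security logs" can mean in practice: a Python parser for event-ID 529 logon-failure blocks in the layout of the report quoted in the question, counting failures per attempted user name and picking out the pattern the asker noticed (Logon Type 3, Logon Process Advapi, caller SBS$). The sample report and the names in it are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "Server performance report" excerpt
# quoted in the question (not a real capture): three event-ID 529 entries.
SAMPLE_REPORT = """\
Security        529        09/10/2008 00:52        704 *
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      inna
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      SBS
       Caller User Name:      SBS$
Security        529        09/10/2008 00:53        705 *
Logon Failure:
       User Name:      inna
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      SBS$
Security        529        09/10/2008 08:15        900 *
Logon Failure:
       User Name:      jsmith
       Logon Type:      2
       Logon Process:      User32
       Caller User Name:      -
"""

HEADER = re.compile(r"^Security\s+529\s+(\S+ \S+)\s+\d+", re.M)
FIELD = re.compile(r"^[ \t]+([A-Za-z ]+):[ \t]*(.*)$", re.M)

def parse_529_events(report):
    """Split on the 'Security 529' header lines and read each block's
    indented 'Key: value' fields into a dict (timestamp under 'Time')."""
    parts = HEADER.split(report)  # [preamble, ts1, body1, ts2, body2, ...]
    return [{"Time": ts, **{k.strip(): v.strip() or "-"
                            for k, v in FIELD.findall(body)}}
            for ts, body in zip(parts[1::2], parts[2::2])]

def summarize(events):
    """Failures per attempted account, plus the events matching the pattern
    in the question: network logon (type 3) through Advapi with the server's
    own machine account (SBS$) as caller, i.e. an unknown name tried against
    a service on the server (SMTP AUTH, OWA, IIS) rather than at the console."""
    per_user = Counter(e.get("User Name", "-") for e in events)
    via_service = [e for e in events
                   if e.get("Logon Type") == "3"
                   and e.get("Logon Process") == "Advapi"
                   and e.get("Caller User Name", "").endswith("$")]
    return per_user, via_service
```

Run it over a saved copy of the report: a single name failing repeatedly through Advapi with no source address is the signature of a password-guessing run against a service on the server, which is what to look for before worrying about a successful logon.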
 
 
Author Comment by: fosiul01 (LVL 29)
Hi, thanks.
I have checked that Experts Exchange link and the forum. About using that software, I will have to use those, but I will come back to you on that issue.
But I want to understand:

First of all, I checked the Exchange server with dnsstuff and abuse.net; it's not an open relay.
Second: the picture I have attached, what do you think of this picture? Is my server relaying email?

Can spyware bypass the Exchange server and send email outside?
 
Expert Comment by: Michael W (LVL 29)
A quick way to find out if your Exchange environment is set up as a mail relay:

http://www.mxtoolbox.com/diagnostic.aspx

---

One thing you need to be aware of is anti-virus software on an SBS server. Make sure it is not scanning the Exchange partition or its databases. This is a sure way to corrupt your Exchange databases.

If you need anti-virus/anti-spyware for your Exchange server, I recommend getting an application that was specifically designed to protect it. I, personally, recommend Kaspersky as it is easy to install and configure for the server, Exchange and all workstations on the domain.

Kaspersky Enterprise Space Security
http://usa.kaspersky.com/products_services/enterprise-space-security.php

 
Author Comment by: fosiul01 (LVL 29)
As I said, I have checked with dnsstuff and abuse.net and they say that it's not an open relay; however, as you advised, I checked with mxtoolbox.

Here is the result:
RCPT TO: <test@mxtoolbox.com>
550 5.7.1 Unable to relay for test@mxtoolbox.com [5141 ms]

That means it's not an open relay, isn't it?

But I still want to know: the picture I have attached, what does it mean? Has anyone successfully sent or not?
 
Expert Comment by: Michael W (LVL 29)
If you look closely in the picture, it states '550 5.7.1 Unable to relay...' this means that an outside script kiddie attempted to use your server as a relay, but failed miserably -- so you are protected from the open relay issue.

As for the external user login/password 'attacks' to your system, the only thing I can recommend is setting up an IDS between your router and SBS server network infrastructure. This way, you can help reduce the number of attempts and even block them before reaching your site.
 
Author Comment by: fosiul01 (LVL 29)
OK, I was thinking that as well. But thanks for confirming.

Now one more question: can spyware bypass the Exchange server and send email? If it can, is there any way to track that?
 
Author Comment by: fosiul01 (LVL 29)
And also, check this comment:

Check your queues to make sure that your server is not sending an NDR to the domain from where the email originated. I have this same issue on my server where relaying is denied. However, if someone sends an email to nosuchuser@domain.com, Exchange will automatically attempt to NDR back to the originator. This does not indicate RELAY SPAM. Just NORMAL SPAM.

So, if my server replies to those NDRs, then that means one way my server is doing spamming, isn't it? And for that reason, it could be on a spam list, is that right?
 
Expert Comment by: Michael W (LVL 29)
Unless you are using your SBS server for browsing the Internet directly or have installed a mail client on your SBS server, it's highly unlikely you will get infected by spyware in the server environment.

Now, if your SBS server is set up in a dual-NIC configuration (i.e. acting as the firewall/router), it then depends on whether you have a real-time network-level anti-virus/anti-spyware application installed on the SBS server or on a separate appliance in between the SBS server and the external network environment.

 
Author Comment by: fosiul01 (LVL 29)
No, we don't browse from the server, and also no mail client is installed, so I can eliminate the idea that it has been affected by spyware; and we are using Sophos as real-time antivirus.

What about the NDR? This would be my last question for this problem, then I will close this one.
 
Expert Comment by: Michael W (LVL 29)
Sending an NDR back to the spammer can possibly get your domain blacklisted, as some spammers (or their spambots) are using compromised systems to do their dirty work for them. Here is a good article to read over when it comes to blacklists...

How to Avoid Being Blacklisted
http://www.howtoforge.com/how_to_avoid_being_blacklisted

I also recommend that you take a look at this article for setting up IMF and an RBL check on your Exchange environment to help reduce the amount of this 'broadcast' spam...

http://www.petri.co.il/block_spam_with_exchange_2003.htm
 
 
Author Comment by: fosiul01 (LVL 29)
I followed this link before:
http://support.microsoft.com/kb/909005/en-us

and I did everything it says under this: "Recipient filtering is only available in Exchange Server 2003."

So does that mean, if my server receives any NDR, it will not reply to those, is that right?
 
Accepted Solution by: Michael W (LVL 29), earned 500 total points
I recommend reading this article when it comes to Recipient Filtering as it is a bit better worded...

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
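An added illustration (not Exchange code and not from the thread) of why the recipient filtering in the accepted solution answers the NDR concern raised earlier: a small Python model of the RCPT TO decision with filtering off and on, counting the backscatter NDRs that a run of guessed addresses with a forged sender would make the server emit. Domains, mailbox names and the spam run are constructed.

```python
# Simulation of the two Exchange 2003 behaviours discussed in the thread;
# illustration only, not Exchange code. Domains and names are constructed.
LOCAL_DOMAIN = "ourdomain.example"
VALID_RECIPIENTS = {"alice@ourdomain.example", "bob@ourdomain.example"}

def rcpt_to(address, recipient_filtering):
    """SMTP reply to 'RCPT TO:<address>'. Relaying for a foreign domain is
    always refused (the 550 5.7.1 seen in the mxtoolbox test above). For
    the local domain, a server without recipient filtering accepts any
    name and only finds out at delivery that the mailbox does not exist;
    with filtering it refuses unknown names during the SMTP session."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain != LOCAL_DOMAIN:
        return "550 5.7.1 Unable to relay for " + address
    if recipient_filtering and address.lower() not in VALID_RECIPIENTS:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"

def deliver(mail_from, rcpt, recipient_filtering):
    """Handle one inbound message and report whether an NDR goes out.
    Backscatter is the NDR sent to a (usually forged) MAIL FROM because
    the message was accepted first and bounced afterwards."""
    reply = rcpt_to(rcpt, recipient_filtering)
    if not reply.startswith("250"):
        return {"rcpt_reply": reply, "ndr_to": None}  # sending MTA gets the error
    if rcpt.lower() in VALID_RECIPIENTS:
        return {"rcpt_reply": reply, "ndr_to": None}  # normal delivery
    return {"rcpt_reply": reply, "ndr_to": mail_from}  # accepted, then bounced

# Constructed dictionary-style spam run with a forged sender address.
SPAM_RUN = [("victim@elsewhere.example", "nosuchuser@ourdomain.example"),
            ("victim@elsewhere.example", "sales@ourdomain.example"),
            ("victim@elsewhere.example", "bob@ourdomain.example"),
            ("victim@elsewhere.example", "test@mxtoolbox.com")]

def backscatter_count(recipient_filtering):
    """NDRs the spam run makes this server send to the forged sender."""
    return sum(1 for mf, rc in SPAM_RUN
               if deliver(mf, rc, recipient_filtering)["ndr_to"] is not None)
```

With filtering off the two guessed names are accepted and bounced to the forged sender (the "NORMAL SPAM" backscatter quoted above); with filtering on the sending MTA gets 550 5.1.1 during the session and no NDR is ever queued.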
 
Author Comment by: fosiul01 (LVL 29)
OK, I have checked that tutorial.

But if I follow what that tutorial says, does it mean my server will not answer those NDRs and my server would be safe from spam block lists?
 
Expert Comment by: Michael W (LVL 29)
Yes
 
Author Comment by: fosiul01 (LVL 29)
thanks
 
Expert Comment by: Michael W (LVL 29)
No problem. Glad I could help.

-- Michael