Solved

Windows 2003 SBS Server hacked

Posted on 2013-01-06
Last Modified: 2013-02-03
I inherited a client using Windows 2003 SBS server.

Recently, their server was compromised and I don't know how to resolve the issue.

Here are the symptoms:

1) One user is receiving thousands of System Undeliverable messages in her inbox every day, as well as from the Postmaster address saying there's a delay in sending out mail.

2) In the security event log, there are Failure attempts every few seconds that look like this:

****************************************
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/6/2013
Time:            2:36:18 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DC1-SBS
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      sheila
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      DC1-SBS
       Caller User Name:      DC1-SBS$
       Caller Domain:      DOMAIN-NAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1936
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***********************

Those events appear for multiple user names.

So far I have changed the password for the users I have spoken to and disabled any unused domain accounts.

I have tried to stop the server from generating NDRs but the user's mailbox keeps filling up anyway.

How can I get this server back to a secure state?

Thanks!
Question by:IT_Service
10 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38749053
The NDR messages indicate that you may not have Anti-Spam software installed and I would recommend you trial Vamsoft ORF which should resolve the problem for you.

www.vamsoft.com

Once you have resolved that issue, see what else is wrong.

Alan
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 38749054
The server may be just fine.

Look at the log - it says "Unknown user name or bad password", so there was no immediate need to change passwords - the account(s) weren't compromised (apparently - if they were, then it would have been a SUCCESS audit, not a failure, and you might not realize it was compromised). Changing passwords was a good idea, just in case, but it really doesn't mean the server was compromised.

As for the NDRs - it's possible someone spammed thousands of people using her e-mail as the sender - the sender may not even be touching the server and is likely not doing anything directly with your systems.  Instead, if the email account was used as the sender, then hundreds or thousands of OTHER servers are THINKING that SHE was the one who sent the message and trying to tell her that the user account(s) don't exist.  Short of using a spam filter that can filter these NDRs, there may simply be nothing you can do and there may not be any security issues (I'm sure there are many - almost all networks have them - but the point is, you MOST LIKELY have not been hacked).

Use a good spam filter and put in place a firewall and policies that prevent unauthorized systems from attempting to access the server.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38749055
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38749133
It can never hurt to change the admin password.
 
LVL 2

Author Comment

by:IT_Service
ID: 38749716
If I look in the Message Tracking Center, it appears as if the user with the NDR issue is actually sending all those messages. Thousands of messages come up under her name as the sender in a short period of time (to Chinese addresses).

She can receive mail ok, but she effectively cannot send any real email because they seem to be timing out. This makes sense if there are thousands of messages trying to be sent out.

Eventually she gets this message in return: Could not deliver the message in the time limit specified.

For the Default SMTP server - Properties - Delivery tab - Outbound security, it's currently set at Anonymous Access. Is this the correct setting?
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 38750041
Okay - change her password and then restart the SMTP Service immediately afterwards.  Her account sounds like it has been compromised.

Expect to see the queues fill up with mail after this has been done, but not for ever.

Have a read of my article too please:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

If you want to stop this happening again, read my blog which I posted earlier.

Alan
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38750107
Seems you need to establish where the emails are actually being generated from:
either your server, from a smarthost, from some Trojan/malware on the client side,
or email spoofing?

The Chinese addresses suggest some sort of bot on a client PC on the internal network,
not necessarily that of the affected user?

What firewall are you using?
If ISA Server, can you see any significant traffic on SMTP port 25 (or 587) coming off any internal client PCs? Also check possibly for heavy traffic on port 53 (DNS lookups resolving domain names).
Does the Exchange server resolve its own DNS for sending email directly, or does it send all mail via a smart host?
If the former, are you seeing large amounts of connectors in the outbound queues?
If the latter, is there significantly increased traffic since the problem began?
As stated above, the emails may not be coming from your systems at all - spoofing.

The focus must be to track where the outbound messages are being generated from rather than worrying about the NDRs.

Alan's blog is good advice. Also, as an aside, event 529 login failures on SBS 2003 servers most commonly occur from dictionary attacks on the standard RDP port 3389.
Microsoft has a Fix it to change this to a non-standard port; just Google "change RDP listening port" (it is a simple registry tweak).
Adjust your firewall also.
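An added example, not code from anyone in this thread: a short Python script that parses 529 failure audits in the "Key: value" layout quoted in the question and flags the pattern the replies describe (several different user names failing network logons within seconds), while leaving a single success audit out of the count. The sample events are constructed, and the 30-second window and three-user threshold are assumptions to tune for a real log export.

```python
import re
from datetime import datetime, timedelta
# Constructed sample (not from the page), in the "Key:  value" layout of the posted 529 event.
SAMPLE_LOG = """Event ID:      529
Date:            1/6/2013
Time:            2:36:18 PM
       User Name:      sheila
       Logon Type:      3
Event ID:      529
Date:            1/6/2013
Time:            2:36:22 PM
       User Name:      administrator
       Logon Type:      3
Event ID:      529
Date:            1/6/2013
Time:            2:36:27 PM
       User Name:      john
       Logon Type:      3
Event ID:      528
Date:            1/6/2013
Time:            2:40:00 PM
       User Name:      sheila
       Logon Type:      2
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "Key:   value", key ends at first colon

def parse_events(text):
    """Split on 'Event ID:' lines; each block becomes a dict plus a parsed datetime."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Event ID":
            events.append(cur := {"Event ID": m.group(2)})
        elif cur is not None:
            cur[m.group(1)] = m.group(2)
    for ev in events:
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    return events

def guessing_windows(events, window=timedelta(seconds=30), min_users=3):
    """Windows in which network (type 3) 529 failures hit several distinct user names."""
    fails = sorted((e for e in events if e["Event ID"] == "529" and e.get("Logon Type") == "3"),
                   key=lambda e: e["when"])
    flagged = []
    for i, start in enumerate(fails):
        users = {e["User Name"].lower() for e in fails[i:] if e["when"] - start["when"] <= window}
        if len(users) >= min_users:
            flagged.append((start["when"], sorted(users)))
    return flagged
```

Feed it a text export of the Security log and a flagged window tells you when the guessing ran and which names were tried; a 528 success audit for one of those names during the same period is the event worth investigating.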
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 38750714
It looks like this server is running Terminal Services. I had a 2003 server with the same problem until last year when we replaced it with a 2008. That message does not mean your server was hacked; it looks like someone is trying to log in remotely and guess the password. It's very common on a server running RDP or Terminal Services.

I suggest the following:
1. Upgrade all administrative and user passwords so they are strong (at least 8 chars including upper, lower, num and one special char). For example joHn2010<S1

2. If you have a firewall, upgrade its firmware and see if it has any security services or logging you can activate.

3. If you can block out remote access by country on your firewall, activate that feature and only include the countries where your users reside.

4. Make sure your server has the latest Microsoft updates.

5. Verify you are running a strong anti-virus and it's updated with the latest AV definition files. We use Symantec Endpoint Protection on all servers and workstations. We have not had any virus-related outbreaks in two years with 60 PCs and five servers.

6. Limit the number of users that access the server remotely. Only authorized and trained personnel should have remote desktop accounts and/or the admin password.

Hope this helps!
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 38750745
All good advice.

Would point out it's an SBS server, so it cannot be used for terminal services,
hence my advice to change the listening port.

Still does not deal with the underlying issue about the email.
Waiting for the questioner to update.
 
LVL 2

Author Closing Comment

by:IT_Service
ID: 38848609
I ended up moving them to Office365 since this server is 10 years old anyway. That was a move I had planned for them anyway, I just had to adjust my implementation schedule.

I have taken some of the steps you recommended.

Thank you everyone, for the advice. I really appreciate it.