Windows 2003 SBS Server hacked
I inherited a client using Windows 2003 SBS server.
Recently, their server was compromised and I don't know how to resolve the issue.
Here are the symptoms:
1) One user is receiving thousands of System Undeliverable messages in her inbox every day, as well as from the Postmaster address saying there's a delay in sending out mail.
2) In the security event log, there are Failure attempts every few seconds that look like this:
**************************
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/6/2013
Time: 2:36:18 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1-SBS
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: sheila
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: DC1-SBS
Caller User Name: DC1-SBS$
Caller Domain: DOMAIN-NAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1936
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***********************
Those events appear for multiple user names.
So far I have changed the password for the users I have spoken to and disabled any unused domain accounts.
I have tried to stop the server from generating NDRs but the user's mailbox keeps filling up anyway.
How can I get this server back to a secure state?
Thanks!
Recently, their server was compromised and I don't know how to resolve the issue.
Here are the symptoms:
1) One user is receiving thousands of System Undeliverable messages in her inbox every day, as well as from the Postmaster address saying there's a delay in sending out mail.
2) In the security event log, there are Failure attempts every few seconds that look like this:
**************************
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/6/2013
Time: 2:36:18 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1-SBS
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: sheila
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: DC1-SBS
Caller User Name: DC1-SBS$
Caller Domain: DOMAIN-NAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1936
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***********************
Those events appear for multiple user names.
So far I have changed the password for the users I have spoken to and disabled any unused domain accounts.
I have tried to stop the server from generating NDRs but the user's mailbox keeps filling up anyway.
How can I get this server back to a secure state?
Thanks!
Last Comment
The server may be just fine.
Look at the log - it says "Unknown user name or bad password" so there was no immediate need to change passwords - the account(s) weren't compromised (apparently - if they were, then it would have been a SUCCESS audit, not a failure and you might not realize it was compromised. Changing passwords was a good idea, just in case, but it really doesn't mean the server was compromised.
As for the NDRs - it's possible someone spammed thousands of people using her e-mail as the sender - the sender may not even be touching the server and is likely not doing anything directly with your systems. Instead, if the email account was used as the sender, then hundreds or thousands of OTHER servers are THINKING that SHE was the one who sent the message and trying to tell her that the user account(s) don't exist. Short of using a spam filter that can filter these NDRs, there may simply be nothing you can do and there may not be any security issues (I'm sure there are many - almost all networks have them - but the point is, you MOST LIKELY have not been hacked).
Use a good spam filter and put in place a firewall and policies that prevent unauthorized systems from attempting to access the server.
Look at the log - it says "Unknown user name or bad password" so there was no immediate need to change passwords - the account(s) weren't compromised (apparently - if they were, then it would have been a SUCCESS audit, not a failure and you might not realize it was compromised. Changing passwords was a good idea, just in case, but it really doesn't mean the server was compromised.
As for the NDRs - it's possible someone spammed thousands of people using her e-mail as the sender - the sender may not even be touching the server and is likely not doing anything directly with your systems. Instead, if the email account was used as the sender, then hundreds or thousands of OTHER servers are THINKING that SHE was the one who sent the message and trying to tell her that the user account(s) don't exist. Short of using a spam filter that can filter these NDRs, there may simply be nothing you can do and there may not be any security issues (I'm sure there are many - almost all networks have them - but the point is, you MOST LIKELY have not been hacked).
Use a good spam filter and put in place a firewall and policies that prevent unauthorized systems from attempting to access the server.
You can also have a read of my blog, which might assist with the invalid logins:
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
It can never hurt to change the admin password.
ASKER
If I look in the Message Tracking Center, it appears as if the user with the NDR issue is actually sending all those messages. Thousands of messages come up under her name as the sender in a short period of time (to Chinese addresses).
She can receive mail ok, but she effectively cannot send any real email because they seem to be timing out. This makes sense if there are thousands of messages trying to be sent out.
Eventually she gets this message in return: Could not deliver the message in the time limit specified.
For the Default SMTP server - Properties - Delivery tab - Outbound security, it's currently set at Anonymous Access. Is this the correct setting?
She can receive mail ok, but she effectively cannot send any real email because they seem to be timing out. This makes sense if there are thousands of messages trying to be sent out.
Eventually she gets this message in return: Could not deliver the message in the time limit specified.
For the Default SMTP server - Properties - Delivery tab - Outbound security, it's currently set at Anonymous Access. Is this the correct setting?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Seems you need to establish where the emails are actually being generated from
Either your server, from a smarthost, from some Trojan/malware on the clientside ?
Or email spoofing ?
The Chinese addresses suggest some sort of bot on a client pc on the internal network
Not necessarily that of the affected user?
What firewall are you using
If Isa server can you see any significant traffic on smtp port 25 (or 587) coming off any internal client pc's also check possibly for heavy traffic on port 53 Dns lookups resolving domain names
Does the exchange server resolve its own Dns for sending email directly or does it send all mail via a smart host ?
If the former are you seeing large amounts of connectors in the outbound queues?
If the latter is there significantly increased traffic since the problem began
As stated above the emails may not be coming from your systems at all - spoofing
The focus must be to track where the outbound messages are being generated from rather than worrying about the Ndrs
Alans blog is good advice Also as an aside event 529 login failures in sbs 2003 servers Most commonly occur from dictionary attacks on the standard RDP port 3389
Microsoft has a fixit to change this to a non-standard port just google "change RDP listening port (is a simple registry tweak)
Adjust your firewall also
Either your server, from a smarthost, from some Trojan/malware on the clientside ?
Or email spoofing ?
The Chinese addresses suggest some sort of bot on a client pc on the internal network
Not necessarily that of the affected user?
What firewall are you using
If Isa server can you see any significant traffic on smtp port 25 (or 587) coming off any internal client pc's also check possibly for heavy traffic on port 53 Dns lookups resolving domain names
Does the exchange server resolve its own Dns for sending email directly or does it send all mail via a smart host ?
If the former are you seeing large amounts of connectors in the outbound queues?
If the latter is there significantly increased traffic since the problem began
As stated above the emails may not be coming from your systems at all - spoofing
The focus must be to track where the outbound messages are being generated from rather than worrying about the Ndrs
Alans blog is good advice Also as an aside event 529 login failures in sbs 2003 servers Most commonly occur from dictionary attacks on the standard RDP port 3389
Microsoft has a fixit to change this to a non-standard port just google "change RDP listening port (is a simple registry tweak)
Adjust your firewall also
It looks like this server is running Terminal Services. I had a 2003 server with the same problem until last year when we replaced it with a 2008. That message does not mean your server was hacked, it looks like someone is trying to login remotely and guess the password. it's very common on a server running RDP or Terminal Services.
I suggest the following:
1. Upgrade all administrative and user passwords so they are stong (at least 8 chars including upper, lower, num and one special char). For example joHn2010<S1
2. If you have a firewall, upgrade it's firmware and see if it has any security services or logging you can activate
3. If you can block out remote access by country on your firewall, activate that feature and only include the counties where your users reside.
4. Make sure your server has the latest Microsoft updates
5. Verify you are running a strong anti virus and it's updated with the latest AV definition files. we use Symantec Endpoint Protection on all servers and workstations. We have not had any virus related outbreaks in two years with 60 Pc's and five servers.
6. Limit the number of users that access the server remotely. Only authorized and trained personnel should have remote desktop accounts and/or the admin password.
Hope this helps!
I suggest the following:
1. Upgrade all administrative and user passwords so they are stong (at least 8 chars including upper, lower, num and one special char). For example joHn2010<S1
2. If you have a firewall, upgrade it's firmware and see if it has any security services or logging you can activate
3. If you can block out remote access by country on your firewall, activate that feature and only include the counties where your users reside.
4. Make sure your server has the latest Microsoft updates
5. Verify you are running a strong anti virus and it's updated with the latest AV definition files. we use Symantec Endpoint Protection on all servers and workstations. We have not had any virus related outbreaks in two years with 60 Pc's and five servers.
6. Limit the number of users that access the server remotely. Only authorized and trained personnel should have remote desktop accounts and/or the admin password.
Hope this helps!
All good advice
Would point out Its an SBS server so cannot be used for terminal services
hence my advice to change the listening port
Still does not deal with the underlying issue about the email
Waiting for the questioner to update
Would point out Its an SBS server so cannot be used for terminal services
hence my advice to change the listening port
Still does not deal with the underlying issue about the email
Waiting for the questioner to update
ASKER
I ended up moving them to Office365 since this server is 10 years old anyway. That was a move I had planned for them anyway, I just had to adjust my implementation schedule.
I have taken some of the steps you recommended.
Thank you everyone, for the advice. I really appreciate it.
I have taken some of the steps you recommended.
Thank you everyone, for the advice. I really appreciate it.
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
www.vamsoft.com
Once you have resolved that issue, see what else is wrong.
Alan