Solved

Help with Exchange 2003 spam attack

Posted on 2013-01-15
Last Modified: 2013-01-16
Hello All,
A client's Exchange 2003 server is under attack and here's what I've been able to do so far.

This is a Windows 2003 SP2 server running Exchange 2003 SP2, all patches applied. We're using Outlook clients, OWA and IMAP.

Yesterday, user JW's e-mail account started getting hammered with NDRs with Chinese characters in the subject. I confirmed that the server is not an open relay. I found thousands of queues full of spam and got rid of them. The queues have been normal since. No more NDRs to that account.

They cracked JW's password and were authenticating. I could see it in the Security Event Log.

Successful Network Logon:
       User Name:      JW
       Domain:            MYDOMAIN
       Logon ID:            (0x0,0x72F915)
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Logon GUID:      -
       Caller User Name:      MYSERVER$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -

If I change the password on JW's account, I see Failure Audits because the account gets locked out within seconds.

Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
       Caller Domain: MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

The main thing I'm still seeing are many sessions with weird user names in the Default SMTP Virtual Server. I checked a few of the IPs and they're in China.

My questions are:
- What are these sessions I'm seeing? I don't think the server is still sending spam. Wouldn't I see that in ESM in the queues?

- What to do about JW's account? It's currently disabled. If I enable it and reset the password it is locked out immediately. If I set the password back to what it was (as a test) I can see that they're successfully logging in.

I've scanned the server and all workstations for malware.

Next steps?

Thanks in advance
Question by:simonett

Accepted Solution

by: Alan Hardisty
If you want a permanent fix, please read my blog and change your authentication on your SMTP Virtual Server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

In that blog is a link to my earlier blog with ideas on how to improve your security.

Alan

Author Comment

by:simonett
Alan,
Thanks so much for your quick response.

Just confirming... if all my users are accessing the Exchange Server with either Outlook or OWA or IMAP, then I can un-check Basic Authentication and Integrated Windows Authentication in the Default SMTP Virtual Server properties in ESM?

I'll read your posts with security improvement ideas next.

Author Comment

by:simonett
I made these changes and restarted the Default SMTP Virtual Server, but am still seeing weird connections.

Do I need to restart other servers/services as well?

I just re-read your post again and see that it was two days later that you said that there were no further attempts being made. So I need to wait it out I'm assuming.

Expert Comment

by:Alan Hardisty
The only service that needs restarting is the SMTP Service.  That should stop people trying to send mail using usernames and passwords to your server.

If your users use Outlook / OWA they should be fine, but IMAP / SMTP will be a problem for the SMTP part.  If you can switch them to RPC over HTTPS that would mean you are secure and stop hackers from trying to send mail via / to your server.

What other services do you have open on your server?  RDP (TCP Port 3389) by any chance?

Author Comment

by:simonett
The Sonicwall firewall has ports 25, 80 and 143 open. 3389 is closed. I ran a port scan using GRC's Shields Up on the first 1055 ports, then specifically scanned for 3389.

I'm going to shut down IMAP because the one user that was using it has switched to using Outlook or OWA. OK, I've closed 143 now, so only 25 and 80 are open.

Here's a snippet from the SMTP logs. I know that response 550 means that the requested action was not taken and/or mailbox unavailable, but how does it look to you? It's hard to read because of the line-wrap here. Not too bad if pasted into a text editor.

They're still trying the JW user login (jw@mydomain.com)

Thanks very much for your time and expertise.

2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<o918812539@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<meiyu_v@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<loveccf52@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<ocean113@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<fat0707@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<unionfriendship2004@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
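To answer the "is it still relaying?" question from the SMTP logs rather than by eyeballing them, here is an added example (not from the thread or from either poster) that groups the W3C log lines by client session and reports which sessions had an external recipient accepted. The field order and the reading of the cs-username column as the EHLO argument are assumptions (the excerpt above shows the same token in both places); the sample lines, IPs and recipients are constructed placeholders in the same layout as the excerpt.

```python
import re
from collections import defaultdict

# Assumed W3C field order (check the "#Fields:" header of the real log):
# date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
# In the thread's excerpt cs-username carries the EHLO argument, so a session is keyed on (c-ip, cs-username).
ADDR_RE = re.compile(r"<([^>]*)>")
LOCAL_DOMAINS = {"mydomain.com"}  # domains this server accepts mail for (placeholder from the thread)

# Constructed sample in the same layout as the thread's excerpt; IPs and recipients are placeholders.
SAMPLE_LOG = """\
2013-01-15 22:27:11 203.0.113.5 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 198.51.100.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 198.51.100.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<a@example.net> 550 - -
2013-01-15 22:27:11 198.51.100.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<b@example.net> 550 - -
2013-01-15 22:27:11 198.51.100.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
2013-01-15 22:30:02 198.51.100.9 hzqwlpd SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:30:02 198.51.100.9 hzqwlpd SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<c@example.net> 250 - -
2013-01-15 22:30:02 198.51.100.9 hzqwlpd SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<postmaster@mydomain.com> 250 - -
2013-01-15 22:30:03 198.51.100.9 hzqwlpd SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 250 - -
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def summarize(log_text, local_domains=LOCAL_DOMAINS):
    """Per (client IP, EHLO name): claimed sender, accepted external / rejected recipients, DATA result."""
    sessions = defaultdict(lambda: {"mail_from": None, "ext_rcpt_ok": 0, "rcpt_rejected": 0, "data_status": None})
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 12 or f[0].startswith("#"):  # skip "#Fields:" / "#Date:" headers and short lines
            continue
        ip, helo, verb, arg, status = f[2], f[3], f[8], f[10], int(f[11])
        s = sessions[(ip, helo)]
        m = ADDR_RE.search(arg)
        addr = m.group(1) if m else ""
        if verb == "MAIL":
            s["mail_from"] = addr
        elif verb == "RCPT":
            if status != 250:
                s["rcpt_rejected"] += 1
            elif domain_of(addr) not in local_domains:
                s["ext_rcpt_ok"] += 1  # an external recipient was accepted: the server agreed to relay
        elif verb == "DATA":
            s["data_status"] = status
    return dict(sessions)

def relayed_sessions(sessions):
    # Sessions with at least one accepted external recipient; all-550 sessions (like the thread's) stay out.
    return sorted(k for k, s in sessions.items() if s["ext_rcpt_ok"] > 0)

if __name__ == "__main__":
    print("relaying sessions:", relayed_sessions(summarize(SAMPLE_LOG)))
```

Legitimate authenticated clients (an IMAP user sending through SMTP) also show up in the relay list, so it is a review list, not an alert on its own; a session whose forged local MAIL FROM has every RCPT rejected with 550 and DATA refused with 554 is the "thwarted" pattern discussed below.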

Expert Comment

by:Alan Hardisty
You are very welcome.  The logs look okay to me.  Various attempts, but sadly thwarted now :)

Hopefully they will get bored soon and try someone else's server.

How are your queues looking?

Author Comment

by:simonett
Great, thanks for the reassurance. I took code 554 for failure, i.e. they've been thwarted.

Queues still look normal.

I think that did it.

Whew!

Author Closing Comment

by:simonett
Great article that all newbie Exchange admins should read!

Expert Comment

by:Alan Hardisty
You will need to put those settings back though if you migrate or your servers won't talk to each other happily, but for now, you should be nice and safe.

Thanks for the points.

Alan

Author Comment

by:simonett
Good point.

I'm going to move this client's mail to Google Apps in the next few months.

But that's another topic altogether!

Cheers

Expert Comment

by:Alan Hardisty
Good luck with that.