Solved

Help with Exchange 2003 spam attack

Posted on 2013-01-15
Last Modified: 2013-01-16
Hello All,
A client's Exchange 2003 server is under attack and here's what I've been able to do so far.

This is a Windows 2003 SP2 server running Exchange 2003 SP2, all patches applied. We're using Outlook clients, OWA and IMAP.

Yesterday, user JW's e-mail account started getting hammered with NDRs with Chinese characters in the subject. I confirmed that the server is not an open relay. I found thousands of queues full of spam and got rid of them. The queues have been normal since. No more NDRs to that account.

They cracked JW's password and were authenticating. I could see it in the Security Event Log.

Successful Network Logon:
    User Name:               JW
    Domain:                  MYDOMAIN
    Logon ID:                (0x0,0x72F915)
    Logon Type:              3
    Logon Process:           Advapi
    Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:        MYSERVER
    Logon GUID:              -
    Caller User Name:        MYSERVER$
    Caller Domain:           MYDOMAIN
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       1436
    Transited Services:      -
    Source Network Address:  -

If I change the password on JW's account, I see Failure Audits because the account gets locked out within seconds.

Logon Failure:
    Reason:                  Account locked out
    User Name:               JW
    Domain:
    Logon Type:              3
    Logon Process:           Advapi
    Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:        MYSERVER
    Caller User Name:        MYSERVER$
    Caller Domain:           MYDOMAIN
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       1436
    Transited Services:      -
    Source Network Address:  -
    Source Port:             -

The main thing I'm still seeing are many sessions with weird user names in the Default SMTP Virtual Server. I checked a few of the IPs and they're in China.

My questions are:
- What are these sessions I'm seeing? I don't think the server is still sending spam. Wouldn't I see that in ESM in the queues?

- What to do about JW's account? It's currently disabled. If I enable it and reset the password it is locked out immediately. If I set the password back to what it was (as a test) I can see that they're successfully logging in.

I've scanned the server and all workstations for malware.

Next steps?

Thanks in advance
0
Question by:simonett
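A small triage script for the two kinds of event quoted in the question, added here as an example (it is not from the thread or from Microsoft). It parses the text-export layout of those events and tallies, per account, the logons that were performed by a process on the server itself (Logon Type 3, Logon Process Advapi, caller MYSERVER$), which is the pattern an SMTP service authenticating a remote client leaves behind, as opposed to a logon from a workstation. The sample events, the server name MYSERVER and the reading of that field combination are assumptions made for the example.

```python
from collections import Counter

SERVER = "MYSERVER"  # assumption: NetBIOS name of the Exchange server, as in the quoted events

# Constructed sample in the layout of the two events quoted above: one success from the
# cracked-password period, then a post-reset "Account locked out" failure.
SAMPLE_EVENTS = """\
Successful Network Logon:
       User Name:      JW
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$

Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
"""

def parse_events(text):
    # A non-indented line ending in ':' starts an event; indented "Key: value" lines fill it in.
    events = []
    for line in text.splitlines():
        if line.strip() and not line[0].isspace() and line.endswith(":"):
            events.append({"kind": line[:-1]})
        elif line.strip() and events:
            key, _, value = line.strip().partition(":")  # split on the first ':' only
            events[-1][key.strip()] = value.strip()
    return events

def via_local_service(ev):
    # Type 3 + Advapi + caller is the server's own machine account: the logon was performed
    # by a process on the server (consistent with the SMTP service authenticating a client),
    # not from a workstation. This reading is an assumption of the example.
    return (ev.get("Logon Type") == "3" and ev.get("Logon Process") == "Advapi"
            and ev.get("Workstation Name", "").upper() == SERVER
            and ev.get("Caller User Name", "").upper() == SERVER + "$")

def tally(text):
    # Per account: how many service-mediated logons succeeded, hit a lockout, or failed otherwise.
    out = Counter()
    for ev in filter(via_local_service, parse_events(text)):
        user = ev.get("User Name", "?").upper()
        kind = ("success" if ev["kind"].startswith("Successful")
                else "lockout" if ev.get("Reason") == "Account locked out" else "failure")
        out[(user, kind)] += 1
    return out
```

Run it over a saved Security log export (Event Viewer, save as text) to see which accounts are being authenticated through the server's own services and how often they hit lockout.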
11 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 38779303
If you want a permanent fix, please read my blog and change your authentication on your SMTP Virtual Server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

In that blog is a link to my earlier blog with ideas on how to improve your security.

Alan
0
 

Author Comment

by:simonett
ID: 38779354
Alan,
Thanks so much for your quick response.

Just confirming... if all my users are accessing the Exchange Server with either Outlook or OWA or IMAP, then I can un-check Basic Authentication and Integrated Windows Authentication in the Default SMTP Virtual Server properties in ESM?

I'll read your posts with security improvement ideas next.
0
 

Author Comment

by:simonett
ID: 38779384
I made these changes and restarted the Default SMTP Virtual Server, but am still seeing weird connections.

Do I need to restart other servers/services as well?

I just re-read your post again and see that it was two days later that you said that there were no further attempts being made. So I need to wait it out I'm assuming.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38780464
The only service that needs restarting is the SMTP Service.  That should stop people trying to send mail using usernames and passwords to your server.

If your users use Outlook / OWA they should be fine, but IMAP / SMTP will be a problem for the SMTP part.  If you can switch them to RPC over HTTPS that would mean you are secure and stop hackers from trying to send mail via / to your server.

What other services do you have open on your server?  RDP (TCP Port 3389) by any chance?
0
 

Author Comment

by:simonett
ID: 38780599
The Sonicwall firewall has ports 25, 80 and 143 open. 3389 is closed. I ran a port scan using GRC's Shields Up on the first 1055 ports, then specifically scanned for 3389.

I'm going to shut down IMAP because the one user that was using it has switched to using Outlook or OWA. OK, I've closed 143 now, so only 25 and 80 are open.

Here's a snippet from the SMTP logs. I know that response 550 means that the requested action was not taken and/or mailbox unavailable, but how does it look to you? It's hard to read because of the line-wrap here. Not too bad if pasted into a text editor.

They're still trying the JW user login (jw@mydomain.com)

Thanks very much for your time and expertise.

2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<o918812539@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<meiyu_v@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<loveccf52@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<ocean113@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<fat0707@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<unionfriendship2004@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
0
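A way to read a log like this one mechanically, as an added example that is not from the thread or from Exchange: it groups the lines by client IP and the name the client gave in HELO/EHLO (the "weird user names" column) and reports, for every outside session, whether a recipient was accepted (a real relay) or, as above, every RCPT was refused with 550 after the client claimed a local sender. Assumptions: the field positions noted in the comments, mydomain.com as the local domain, 192.168.1.0/24 as the LAN, and the 203.0.113.9 session, which is made up to show what the bad case looks like.

```python
import ipaddress
from collections import defaultdict

LOCAL_DOMAINS = {"mydomain.com"}                          # assumption: the server's own domain
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the LAN behind the firewall

# Constructed sample: the shape of the lines posted above, plus one made-up external session
# (203.0.113.9, documentation range) whose RCPT is accepted, to show what a relay looks like.
SAMPLE_LOG = """\
2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
2013-01-15 22:30:02 203.0.113.9 qwertyu SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:30:02 203.0.113.9 qwertyu SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<someone@example.net> 250 - -
"""

def parse_line(line):
    # Field positions as they appear in the posted lines (assumed W3C layout):
    # 0 date, 1 time, 2 client IP, 3 HELO/EHLO name, 8 verb, 10 argument, 11 SMTP reply code
    f = line.split()
    return {"ip": f[2], "helo": f[3], "verb": f[8], "arg": f[10], "code": f[11]}

def domain_of(arg):
    # "+FROM:<jw@mydomain.com>" -> "mydomain.com"; "-" -> ""
    return arg.split("@", 1)[1].rstrip(">").lower() if "@" in arg else ""

def analyse(log_text):
    # One record per (client IP, HELO name); returns a verdict for every session from outside the LAN.
    sessions = defaultdict(lambda: {"sender": "", "rejected": 0, "relayed": 0})
    for line in filter(str.strip, log_text.splitlines()):
        r = parse_line(line)
        s = sessions[(r["ip"], r["helo"])]
        if r["verb"] == "MAIL":
            s["sender"] = domain_of(r["arg"])
        elif r["verb"] == "RCPT" and r["code"] == "550":
            s["rejected"] += 1
        elif r["verb"] == "RCPT" and r["code"] == "250" and domain_of(r["arg"]) not in LOCAL_DOMAINS:
            s["relayed"] += 1  # accepted for an outside recipient: the server is relaying for this client
    verdicts = {}
    for (ip, helo), s in sessions.items():
        if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            continue  # LAN clients are expected to send outbound mail
        verdicts[(ip, helo)] = ("RELAY ACCEPTED" if s["relayed"]
                                else "spoofed local sender, relay refused"
                                if s["sender"] in LOCAL_DOMAINS and s["rejected"] else "no relay")
    return verdicts
```

Any "RELAY ACCEPTED" verdict for an outside address is the one worth chasing in the queues; the 550/554 sessions are the attempts that got nowhere.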
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38780633
You are very welcome.  The logs look okay to me.  Various attempts, but sadly thwarted now :)

Hopefully they will get bored soon and try someone else's server.

How are your queues looking?
0
 

Author Comment

by:simonett
ID: 38780877
Great, thanks for the reassurance. I took code 554 for failure, i.e. they've been thwarted.

Queues still look normal.

I think that did it.

Whew!
0
 

Author Closing Comment

by:simonett
ID: 38780882
Great article that all newbie Exchange admins should read!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38780909
You will need to put those settings back though if you migrate or your servers won't talk to each other happily, but for now, you should be nice and safe.

Thanks for the points.

Alan
0
 

Author Comment

by:simonett
ID: 38780930
Good point.

I'm going to move this client's mail to Google Apps in the next few months.

But that's another topic altogether!

Cheers
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38781662
Good luck with that.
0
