simonett (United States of America) asked:
Help with Exchange 2003 spam attack

Hello All,
A client's Exchange 2003 server is under attack and here's what I've been able to do so far.

This is a Windows 2003 SP2 server running Exchange 2003 SP2, all patches applied. We're using Outlook clients, OWA and IMAP.

Yesterday, user JW's e-mail account started getting hammered with NDRs with Chinese characters in the subject. I confirmed that the server is not an open relay. I found thousands of queues full of spam and got rid of them. The queues have been normal since. No more NDRs to that account.

They cracked JW's password and were authenticating. I could see it in the Security Event Log.

Successful Network Logon:
    User Name:               JW
    Domain:                  MYDOMAIN
    Logon ID:                (0x0,0x72F915)
    Logon Type:              3
    Logon Process:           Advapi
    Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:        MYSERVER
    Logon GUID:              -
    Caller User Name:        MYSERVER$
    Caller Domain:           MYDOMAIN
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       1436
    Transited Services:      -
    Source Network Address:  -

If I change the password on JW's account, I see Failure Audits because the account gets locked out within seconds.

Logon Failure:
    Reason:                  Account locked out
    User Name:               JW
    Domain:
    Logon Type:              3
    Logon Process:           Advapi
    Authentication Package:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:        MYSERVER
    Caller User Name:        MYSERVER$
    Caller Domain:           MYDOMAIN
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       1436
    Transited Services:      -
    Source Network Address:  -
    Source Port:             -

The main thing I'm still seeing is many sessions with weird user names in the Default SMTP Virtual Server. I checked a few of the IPs and they're in China.

My questions are:
- What are these sessions I'm seeing? I don't think the server is still sending spam. Wouldn't I see that in ESM in the queues?

- What to do about JW's account? It's currently disabled. If I enable it and reset the password it is locked out immediately. If I set the password back to what it was (as a test) I can see that they're successfully logging in.

I've scanned the server and all workstations for malware.

Next steps?

Thanks in advance
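The two Security-log events in the post are the tell-tale shape of SMTP AUTH (or any IIS basic-auth) being brute-forced: Logon Type 3, Logon Process Advapi, the caller is the server's own machine account under the SYSTEM logon session (0x3E7), and Source Network Address is blank because the logon was a LogonUser() call made by the SMTP service on the client's behalf rather than a workstation authenticating over the wire. The client IP therefore has to come from the SMTP/IIS logs, not from the event. The script below is an added example, not from the thread: it parses event descriptions in the layout the poster pasted, classifies each logon and counts successes and lockouts per user. The event bodies are constructed (they copy the post's layout, plus one ordinary Kerberos logon for contrast); the event IDs 540 (Successful Network Logon) and 539 (Logon Failure, account locked out) are the Windows 2003 values and are used only as labels.

```python
"""Classify Windows 2003 security-log logon events like the ones in the post."""
import re
from collections import Counter, defaultdict

# Constructed sample events in the same field layout the poster pasted.
SAMPLE_EVENTS = [
    (540, """Successful Network Logon:
       User Name:      JW
       Domain:            MYDOMAIN
       Logon ID:            (0x0,0x72F915)
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Source Network Address:      -"""),
    (539, """Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Source Network Address:      -"""),
    # Constructed contrast case: a normal Kerberos network logon from a workstation.
    (540, """Successful Network Logon:
       User Name:      ALICE
       Domain:            MYDOMAIN
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Source Network Address:      192.168.1.50"""),
]

# "Key:   Value" lines; the value may be empty (the post's blank "Domain:").
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(body):
    """Turn an event description into a dict; the first line becomes 'Header'."""
    lines = body.splitlines()
    fields = {"Header": lines[0].strip().rstrip(":")}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def classify(fields):
    """Say how the logon reached the domain controller.

    Type 3 + Advapi + caller is a machine account under the SYSTEM logon
    session (0x3E7) means a service called LogonUser() for a client it was
    talking to (SMTP AUTH, IIS basic auth). The event carries no source
    address, so the attacker's IP must be looked up in the SMTP/IIS logs.
    """
    if (fields.get("Logon Type") == "3"
            and fields.get("Logon Process", "").lower() == "advapi"
            and fields.get("Caller User Name", "").endswith("$")
            and fields.get("Caller Logon ID") == "(0x0,0x3E7)"):
        return "service-mediated"
    if fields.get("Logon Type") == "3":
        return "network"
    return "other"


def summarize(events):
    """Per user: how many logons of each kind, and how many succeeded or hit lockout."""
    out = defaultdict(Counter)
    for event_id, body in events:
        f = parse_event(body)
        user = f.get("User Name", "?")
        out[user][classify(f)] += 1
        if event_id == 540:
            out[user]["success"] += 1
        elif event_id == 539 or f.get("Reason") == "Account locked out":
            out[user]["locked_out"] += 1
    return {user: dict(c) for user, c in out.items()}


if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_EVENTS).items():
        print(user, counts)
```

A user whose only logons are service-mediated, with both a success and a lockout in the same window, is exactly the pattern in the post: a password that was guessed, then a lockout storm once it was changed. Correlate the event timestamps with the SMTP log to get the source IPs.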
ASKER CERTIFIED SOLUTION by Alan Hardisty (United Kingdom of Great Britain and Northern Ireland)
(solution text only available to Experts Exchange members)

simonett (ASKER):
Alan,
Thanks so much for your quick response.

Just confirming... if all my users are accessing the Exchange Server with either Outlook or OWA or IMAP, then I can un-check Basic Authentication and Integrated Windows Authentication in the Default SMTP Virtual Server properties in ESM?

I'll read your posts with security improvement ideas next.
I made these changes and restarted the Default SMTP Virtual Server, but am still seeing weird connections.

Do I need to restart other servers/services as well?

I just re-read your post again and see that it was two days later that you said that there were no further attempts being made. So I need to wait it out I'm assuming.

Alan Hardisty:
The only service that needs restarting is the SMTP Service. That should stop people trying to send mail using usernames and passwords to your server.

If your users use Outlook / OWA they should be fine, but IMAP / SMTP will be a problem for the SMTP part. If you can switch them to RPC over HTTPS that would mean you are secure and stop hackers from trying to send mail via / to your server.

What other services do you have open on your server?  RDP (TCP Port 3389) by any chance?
simonett (ASKER):
The Sonicwall firewall has ports 25, 80 and 143 open. 3389 is closed. I ran a port scan using GRC's Shields Up on the first 1055 ports, then specifically scanned for 3389.

I'm going to shut down IMAP because the one user that was using it has switched to using Outlook or OWA. OK, I've closed 143 now, so only 25 and 80 are open.

Here's a snippet from the SMTP logs. I know that response 550 means that the requested action was not taken and/or mailbox unavailable, but how does it look to you? It's hard to read because of the line-wrap here. Not too bad if pasted into a text editor.

They're still trying the JW user login (jw@mydomain.com)

Thanks very much for your time and expertise.

2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<o918812539@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<meiyu_v@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<loveccf52@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<ocean113@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<fat0707@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<unionfriendship2004@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
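The snippet is a standard IIS SMTP W3C log, and two details in it explain what the poster was seeing. The cs-username column (ouzekpt, rvzejnr) is the name the client gave in HELO/EHLO, not an account name, which is why the sessions in ESM show random "user names". And a 550 on RCPT TO for a foreign domain from an unauthenticated session is Exchange 2003's "550 5.7.1 Unable to relay", so a run of 550s under a MAIL FROM in the local domain is a relay attempt that failed; the same RCPT returning 250 would mean the relay went through (authenticated, or an open relay). The script below is an added example, not from the thread: it parses lines in this format and reports, per external client IP, what was attempted and what was allowed. It assumes the default IIS SMTP W3C field order (date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes); LOCAL_DOMAINS and INTERNAL_NETS are assumptions, and the sample input is the thread's own lines plus a constructed session showing a successful authenticated relay, whose AUTH line layout is likewise assumed.

```python
"""Mine an Exchange 2003 / IIS SMTP W3C log for relay probes and authenticated relay."""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"mydomain.com"}      # assumption: domains hosted on this server
INTERNAL_NETS = ("192.168.", "10.")   # assumption: the client's private address space

# Default IIS SMTP W3C field order (assumed; check the #Fields: header of your log).
FIELDS = ["date", "time", "c_ip", "cs_username", "s_sitename", "s_computername",
          "s_ip", "s_port", "cs_method", "cs_uri_stem", "cs_uri_query",
          "sc_status", "sc_win32_status", "sc_bytes"]

# Sample input: lines from the thread, then a constructed session (2013-01-14)
# in which AUTH LOGIN succeeded and the relay to an outside mailbox was accepted.
SAMPLE_LOG = """\
2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
2013-01-14 03:10:02 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 AUTH - LOGIN 334 - -
2013-01-14 03:10:02 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 AUTH - - 235 - -
2013-01-14 03:10:03 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-14 03:10:03 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<victim@example.net> 250 - -
2013-01-14 03:10:04 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - <msgid> 250 - -
"""

ADDR_RE = re.compile(r"<([^<>]*)>")


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; skip comments and short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts[:len(FIELDS)]))


def address_of(uri_query):
    """Pull the address out of '+FROM:<a@b>' / '+TO:<a@b>'; None if there is none."""
    m = ADDR_RE.search(uri_query)
    return m.group(1).lower() if m and "@" in m.group(1) else None


def is_external(ip):
    return not ip.startswith(INTERNAL_NETS)


def analyse(log_text):
    """Per external client IP: sender claims, relay outcomes and AUTH results."""
    stats = defaultdict(lambda: {"claims_local_sender": 0, "relay_denied": 0,
                                 "relay_accepted": 0, "auth_ok": 0, "auth_fail": 0,
                                 "senders": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_external(rec["c_ip"]):
            continue
        s = stats[rec["c_ip"]]
        method, status = rec["cs_method"].upper(), rec["sc_status"]
        addr = address_of(rec["cs_uri_query"])
        domain = addr.rsplit("@", 1)[1] if addr else None
        if method == "MAIL" and addr:
            s["senders"].add(addr)
            if domain in LOCAL_DOMAINS:
                s["claims_local_sender"] += 1   # outside host posing as one of our users
        elif method == "RCPT" and domain and domain not in LOCAL_DOMAINS:
            if status == "550":
                s["relay_denied"] += 1          # 550 5.7.1 Unable to relay
            elif status == "250":
                s["relay_accepted"] += 1        # relay to a foreign domain went through
        elif method == "AUTH":
            if status == "235":
                s["auth_ok"] += 1
            elif status == "535":
                s["auth_fail"] += 1
    return dict(stats)


def verdict(s):
    if s["relay_accepted"]:
        return "RELAYED: find which credentials were used and reset them"
    if s["relay_denied"]:
        return "relay probe, denied"
    if s["claims_local_sender"]:
        return "spoofed local sender, no relay"
    return "nothing notable"


def report(log_text):
    return [(ip, verdict(s)) for ip, s in sorted(analyse(log_text).items())]


if __name__ == "__main__":
    for ip, v in report(SAMPLE_LOG):
        print(ip, v)
```

Run it over the real log directory and sort by relay_accepted first: any IP with accepted foreign recipients sent mail through the server, and the AUTH 235 just before it tells you which session, and therefore which time window, to match against the Security log.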
Alan Hardisty:
You are very welcome. The logs look okay to me. Various attempts, but sadly thwarted now :)

Hopefully they will get bored soon and try someone else's server.

How are your queues looking?
simonett (ASKER):
Great, thanks for the reassurance. I took code 554 for failure, i.e. they've been thwarted.

Queues still look normal.

I think that did it.

Whew!
Great article that all newbie Exchange admins should read!
Alan Hardisty:
You will need to put those settings back, though, if you migrate, or your servers won't talk to each other happily, but for now you should be nice and safe.

Thanks for the points.

Alan
simonett (ASKER):
Good point.

I'm going to move this client's mail to Google Apps in the next few months.

But that's another topic altogether!

Cheers
Alan Hardisty:
Good luck with that.