Solved

Help with Exchange 2003 spam attack

Posted on 2013-01-15
11
717 Views
Last Modified: 2013-01-16
Hello All,
A client's Exchange 2003 server is under attack and here's what I've been able to do so far.

This is a Windows 2003 SP2 server running Exchange 2003 SP2, all patches applied. We're using Outlook clients, OWA and IMAP.

Yesterday, user JW's e-mail account started getting hammered with NDRs with Chinese characters in the subject. I confirmed that the server is not an open relay. I found thousands of queues full of spam and got rid of them. The queues have been normal since. No more NDRs to that account.

They cracked JW's password and were authenticating. I could see it in the Security Event Log.

Successful Network Logon:
       User Name:      JW
       Domain:            MYDOMAIN
       Logon ID:            (0x0,0x72F915)
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Logon GUID:      -
       Caller User Name:      MYSERVER$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -

If I change the password on JW's account, I see Failure Audits because the account gets locked out within seconds.

Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
       Caller Domain: MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

The main thing I'm still seeing is many sessions with weird user names in the Default SMTP Virtual Server. I checked a few of the IPs and they're in China.

My questions are:
- What are these sessions I'm seeing? I don't think the server is still sending spam. Wouldn't I see that in ESM in the queues?

- What to do about JW's account? It's currently disabled. If I enable it and reset the password it is locked out immediately. If I set the password back to what it was (as a test) I can see that they're successfully logging in.

I've scanned the server and all workstations for malware.

Next steps?

Thanks in advance
0
Comment
Question by:simonett
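The two security-log events quoted in the question are the key evidence: Logon Type 3 via Advapi with the server's own machine account as caller and no source address means a service on the Exchange server authenticated a remote client, not a LAN workstation. As an added example (not from the post or from Experts Exchange), this Python classifies such events and counts successes and lockouts per user; the field layout follows the two events above, and the server name is taken from the post.

```python
"""Added example (not from the post): classify Windows 2003 security-log logon
events like the two quoted above. Reading applied: Logon Type 3 + Logon Process
Advapi + caller is the server's own machine account + no source address means a
service on the server (SMTP AUTH, OWA, IMAP...) authenticated a remote client."""
import re

# Constructed sample modelled on the two events in the question (fields trimmed).
SAMPLE_EVENTS = """\
Successful Network Logon:
       User Name:      JW
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      MYSERVER$
       Source Network Address:      -

Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Logon Type:      3
       Logon Process:      Advapi
       Caller User Name:      MYSERVER$
       Source Network Address:      -
"""

def parse_events(text):
    """Each blank-line-separated block: a title line, then 'Key: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        title, *rest = block.splitlines()
        ev = {"title": title.strip().rstrip(":")}
        for ln in rest:
            key, _, val = ln.partition(":")
            ev[key.strip()] = val.strip()
        events.append(ev)
    return events

def service_brokered(ev, server="MYSERVER"):
    """LogonUser (Advapi) call made by the server's machine account: a service did it."""
    return (ev.get("Logon Type") == "3"
            and ev.get("Logon Process", "").lower() == "advapi"
            and ev.get("Caller User Name", "").upper() == server.upper() + "$"
            and ev.get("Source Network Address", "-") == "-")

def summarise(events):
    """Per user: service-brokered successes and lockouts, the two symptoms in the post."""
    out = {}
    for ev in filter(service_brokered, events):
        u = out.setdefault(ev.get("User Name", "?"), {"success": 0, "locked_out": 0})
        if ev["title"].startswith("Successful"):
            u["success"] += 1
        elif ev.get("Reason", "").lower() == "account locked out":
            u["locked_out"] += 1
    return out
```

A burst of service-brokered successes for one user followed by lockouts after a password reset is exactly the pattern the question describes; the event itself does not say which service (SMTP, OWA, IMAP) performed the logon.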
11 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 38779303
If you want a permanent fix, please read my blog and change your authentication on your SMTP Virtual Server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

In that blog is a link to my earlier blog with ideas on how to improve your security.

Alan
0
 

Author Comment

by:simonett
ID: 38779354
Alan,
Thanks so much for your quick response.

Just confirming... if all my users are accessing the Exchange Server with either Outlook or OWA or IMAP, then I can un-check Basic Authentication and Integrated Windows Authentication in the Default SMTP Virtual Server properties in ESM?

I'll read your posts with security improvement ideas next.
0
 

Author Comment

by:simonett
ID: 38779384
I made these changes and restarted the Default SMTP Virtual Server, but am still seeing weird connections.

Do I need to restart other servers/services as well?

I just re-read your post again and see that it was two days later that you said that there were no further attempts being made. So I need to wait it out I'm assuming.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38780464
The only service that needs restarting is the SMTP Service.  That should stop people trying to send mail using usernames and passwords to your server.

If your users use Outlook / OWA they should be fine, but IMAP / SMTP will be a problem for the SMTP part.  If you can switch them to RPC over HTTPS that would mean you are secure and stop hackers from trying to send mail via / to your server.

What other services do you have open on your server?  RDP (TCP Port 3389) by any chance?
0
 

Author Comment

by:simonett
ID: 38780599
The Sonicwall firewall has ports 25, 80 and 143 open. 3389 is closed. I ran a port scan using GRC's Shields Up on the first 1055 ports, then specifically scanned for 3389.

I'm going to shut down IMAP because the one user that was using it has switched to using Outlook or OWA. OK, I've closed 143 now, so only 25 and 80 are open.

Here's a snippet from the SMTP logs. I know that response 550 means that the requested action was not taken and/or mailbox unavailable, but how does it look to you? It's hard to read because of the line-wrap here. Not too bad if pasted into a text editor.

They're still trying the JW user login (jw@mydomain.com)

Thanks very much for your time and expertise.

2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<o918812539@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<meiyu_v@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<loveccf52@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<ocean113@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<fat0707@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<unionfriendship2004@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
0
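The SMTP log snippet above is the defender's confirmation that the relay attempts now fail: a random EHLO name, MAIL FROM using a local address, every external RCPT refused with 550 and DATA refused with 554. As an added example (not from the post or from Experts Exchange), this Python groups such Exchange 2003 SMTP virtual server log lines into sessions and flags that pattern; the positional field order is assumed from the snippet, and the sample log is constructed, modelled on the posted lines plus one ordinary inbound delivery for contrast.

```python
"""Added example (not from the post): summarise Exchange 2003 SMTP virtual server
log lines per client session. Field order assumed from the snippet above: date time
c-ip cs-username(EHLO name) s-sitename s-computername s-ip s-port cs-method
cs-uri-stem cs-uri-query sc-status ...; tune the indexes if your log differs."""
from collections import defaultdict

LOCAL_DOMAIN = "mydomain.com"  # the domain used in the post

# Constructed sample modelled on the snippet: the relay attempt from 58.255.224.7
# (trimmed) plus one ordinary inbound delivery to a local mailbox for contrast.
SAMPLE_LOG = """\
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +rvzejnr 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
2013-01-15 22:30:02 203.0.113.9 mail.example.net SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +mail.example.net 250 - -
2013-01-15 22:30:02 203.0.113.9 mail.example.net SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<alice@example.net> 250 - -
2013-01-15 22:30:02 203.0.113.9 mail.example.net SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jw@mydomain.com> 250 - -
2013-01-15 22:30:03 203.0.113.9 mail.example.net SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 250 - -
"""

def parse_sessions(text):
    """Group by (client IP, EHLO name); record sender, RCPT outcomes and DATA status."""
    sessions = defaultdict(lambda: {"sender": None, "rcpt_ok": 0, "rcpt_rejected": 0, "data": None})
    for line in text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 12:
            continue  # W3C header lines and anything malformed
        c_ip, ehlo, verb, arg, status = f[2], f[3], f[8], f[10], f[11]
        s = sessions[(c_ip, ehlo)]
        if verb == "MAIL":
            s["sender"] = arg.partition(":")[2].strip("<>").lower()
        elif verb == "RCPT":
            s["rcpt_ok" if status.startswith("2") else "rcpt_rejected"] += 1
        elif verb == "DATA":
            s["data"] = status
    return dict(sessions)

def relay_attempts(sessions):
    """Sessions that claimed a local sender yet had every RCPT refused: what the snippet
    shows once the server no longer accepts the cracked credentials."""
    return {k: s for k, s in sessions.items()
            if s["sender"] and s["sender"].endswith("@" + LOCAL_DOMAIN)
            and s["rcpt_rejected"] and not s["rcpt_ok"]}
```

The check worth adding to a daily review is the inverse of relay_attempts: a session with a local sender whose external RCPTs return 250 would mean the relay is being accepted again.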
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38780633
You are very welcome.  The logs look okay to me.  Various attempts, but sadly thwarted now :)

Hopefully they will get bored soon and try someone else's server.

How are your queues looking?
0
 

Author Comment

by:simonett
ID: 38780877
Great, thanks for the reassurance. I took code 554 for failure, i.e. they've been thwarted.

Queues still look normal.

I think that did it.

Whew!
0
 

Author Closing Comment

by:simonett
ID: 38780882
Great article that all newbie Exchange admins should read!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38780909
You will need to put those settings back though if you migrate or your servers won't talk to each other happily, but for now, you should be nice and safe.

Thanks for the points.

Alan
0
 

Author Comment

by:simonett
ID: 38780930
Good point.

I'm going to move this client's mail to Google Apps in the next few months.

But that's another topic altogether!

Cheers
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38781662
Good luck with that.
0
