Security Basics mailing list archives
Re: Need your help!!!
From: Birl <sbirl () temple edu>
Date: Mon, 22 Sep 2003 12:54:23 -0400 (EDT)
As it was written on Sep 20, thus chang zhu typed:

Chang: Date: Sat, 20 Sep 2003 08:19:39 -0700 (PDT)
Chang: From: chang zhu <cyz2000 () yahoo com>
Chang:
Chang: Hi, all
Chang:
Chang: Some people connect to my exchange 2000 server every
Chang: day and send all spams out. When I go to current
Chang: sessions under SMTP protocols and default SMTP virtual
Chang: server from exchange system manager, I can see these
Chang: people's connections and IP address (no domain name
Chang: shown up and only fake name and IP shows). I do not
Chang: know how to block them.

Ummm ... a firewall?

Chang: This is exchange 2000 server
Chang: with SP3 and behind PIX firewall. We only open port
Chang: 25, 443 and 80 for this exch 2k server on PIX. MX
Chang: record points to this server. If I use NMAP
Chang: to scan this box internally, here are ports open:
Chang:
Chang: 25/tcp    open  smtp
Chang: 80/tcp    open  http
Chang: 110/tcp   open  pop-3
Chang: 119/tcp   open  nntp
Chang: 135/tcp   open  loc-srv
Chang: 139/tcp   open  netbios-ssn
Chang: 143/tcp   open  imap2
Chang: 443/tcp   open  https
Chang: 445/tcp   open  microsoft-ds
Chang: 563/tcp   open  snews
Chang: 593/tcp   open  http-rpc-epmap
Chang: 691/tcp   open  resvc
Chang: 993/tcp   open  imaps
Chang: 995/tcp   open  pop3s
Chang: 3372/tcp  open  msdtc
Chang: 3389/tcp  open  ms-term-serv
Chang: 6000/tcp  open  X11
Chang: 6001/tcp  open  X11:1
Chang: 6003/tcp  open  X11:3
Chang: 6005/tcp  open  X11:5
Chang: 7001/tcp  open  afs3-callback
Chang: 8081/tcp  open  blackice-icecap
Chang:
Chang: x11?

X11 is X-windows. More-or-less windows for a UNIX machine. But since you're
running Windoze, I'm not sure what's listening on TCP 600[0-1,3,5].
Recommend you get nmap 3.45 and run it with the newly added -sV flag to see
what's listening. Moreover, you should download TCPView and leave it running.

(and you should make sure that your lines below don't word-wrap)

Chang: When I do netstat -na, the following is shown in part of the result:
Chang:
Chang: TCP    127.0.0.1:25      127.0.0.1:54441      TIME_WAIT
Chang: TCP    127.0.0.1:25      127.0.0.1:54898      TIME_WAIT
Chang: TCP    127.0.0.1:25      127.0.0.1:54904      TIME_WAIT
Chang: TCP    127.0.0.1:25      127.0.0.1:54914      TIME_WAIT
Chang: TCP    127.0.0.1:25      127.0.0.1:54916      TIME_WAIT
Chang: TCP    127.0.0.1:25      127.0.0.1:54988      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54433      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54434      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54442      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54443      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54444      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54445      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54446      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54454      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54890      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54893      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54903      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54911      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54913      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54915      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54917      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54918      TIME_WAIT
Chang: TCP    127.0.0.2:25      127.0.0.2:54919      TIME_WAIT
Chang: TCP    127.0.0.100:25    127.0.0.100:54905    TIME_WAIT
Chang: TCP    127.0.0.100:25    127.0.0.100:54912    TIME_WAIT
Chang: TCP    127.0.1.50:25     127.0.1.50:54456     TIME_WAIT
Chang:
Chang: This server is not an open relay server and how
Chang: spammers can connect this server to send all spams out
Chang: from different domain address?
Chang:
Chang: Due to limited experience, I am not able to tackle it
Chang: down. Many anti-spam company put our server on their
Chang: lists. I ask them to send me report that indicated
Chang: all spams truly went out through my server from mail
Chang: header info.
Chang:
Chang: I need to resolve this ASAP and any suggestion or
Chang: solutions will be greatly appreciated.
Chang:
Chang: Thanks for all your attention and help,

These are all internal IPs. Do you know if these IPs are actually in use,
or do you think they are forged? I see you mentioned "... fake name and IP
..." but I do not see any "fake" names.

Thanks

Scott Birl
http://concept.temple.edu/sysadmin/
Senior Systems Administrator
Computer Services
Temple University
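The distinction Birl draws, that every foreign address in the quoted netstat output is loopback (127.0.0.0/8) and therefore cannot be an outside spammer, is easy to check mechanically rather than by eye. The script below is an added example, not code from this thread or from anyone posting in it: it parses the TCP rows of `netstat -na` output, classifies each foreign address as loopback, RFC 1918, link-local, unspecified or routable, and counts the peers talking to the SMTP listener by class. The sample input is constructed: three of the loopback lines quoted above plus invented rows using RFC 5737 documentation addresses (192.0.2.10 standing in for the server, 198.51.100.7 and 203.0.113.44 for outside hosts, 10.20.30.40 for an internal admin box) so the classes have something to separate.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input (not the full list from the post): three of the
# quoted loopback rows plus made-up rows using RFC 5737 documentation
# addresses so that loopback, internal and outside peers can be told apart.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
  TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT
  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:41023     ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:52001     ESTABLISHED
  TCP    192.0.2.10:3389        10.20.30.40:1311       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One TCP row of "netstat -na": proto, local ip:port, foreign ip:port, state.
# Header lines and UDP rows (no state column) do not match and are skipped.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# Ranges that can never be an outside mail client. Anything else is treated
# as routable. ipaddress.is_private is deliberately not used because it also
# flags the RFC 5737 documentation ranges that the sample uses as stand-ins.
NON_ROUTABLE = {
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "rfc1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
    "unspecified": [ipaddress.ip_network("0.0.0.0/32")],
}


def classify(ip):
    """Return the class name of an IPv4 address, or 'routable'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in NON_ROUTABLE.items():
        if any(addr in net for net in nets):
            return name
    return "routable"


def parse_netstat(text):
    """Parse the TCP rows of 'netstat -na' output into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lip, lport, fip, fport, state = m.groups()
        rows.append({
            "local_ip": lip, "local_port": int(lport),
            "foreign_ip": fip, "foreign_port": int(fport),
            "state": state, "foreign_class": classify(fip),
        })
    return rows


def smtp_peers(rows, port=25):
    """Count foreign addresses connected to our listener on `port`.
    LISTENING rows carry no real peer (0.0.0.0:0) and are excluded."""
    peers = Counter()
    for r in rows:
        if r["local_port"] == port and r["state"] != "LISTENING":
            peers[(r["foreign_class"], r["foreign_ip"])] += 1
    return peers


def summarize(text, port=25):
    """Group peer counts by address class, e.g. {'loopback': {ip: n, ...}}.
    Loopback noise (local delivery, scanners, AV hooks) lands in one bucket;
    any host that could actually be an outside sender lands in 'routable'."""
    by_class = {}
    for (cls, ip), n in smtp_peers(parse_netstat(text), port).items():
        by_class.setdefault(cls, {})[ip] = n
    return by_class


if __name__ == "__main__":
    for cls, hosts in sorted(summarize(SAMPLE_NETSTAT).items()):
        print(f"{cls}:")
        for ip, n in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"  {ip:<16} {n} connection(s)")
```

Run against a real `netstat -na` capture (paste it into `SAMPLE_NETSTAT` or read it from a file), the `routable` bucket is the list worth comparing against the SMTP virtual server's current sessions and against the Received headers in the reports the blocklist operators send back; a summary that contains only loopback entries, as the quoted output does, says nothing about who is relaying.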
Current thread:
- Need your help!!! chang zhu (Sep 22)
- Re: Need your help!!! Birl (Sep 22)
- RES: Need your help!!! Pastinha (Sep 23)
- <Possible follow-ups>
- RE: Need your help!!! Tenorio, Leandro (Sep 22)
- RE: Need your help!!! Dade McHugh (Sep 23)
- RE: Need your help!!! chang zhu (Sep 23)
- RE: Need your help!!! chang zhu (Sep 23)
- RE: Need your help!!! Dade McHugh (Sep 23)
- RE: Need your help!!! chang zhu (Sep 22)
- RE: Need your help!!! Meidinger Chris (Sep 23)
- RE: Need your help!!! chang zhu (Sep 23)
- RE: Need your help!!! Virgil Cui (Sep 23)
- Re: Need your help!!! Birl (Sep 22)