Security Basics mailing list archives

Re: Need your help!!!


From: Birl <sbirl () temple edu>
Date: Mon, 22 Sep 2003 12:54:23 -0400 (EDT)

As it was written on Sep 20, thus chang zhu typed:

Chang:  Date: Sat, 20 Sep 2003 08:19:39 -0700 (PDT)
Chang:  From: chang zhu <cyz2000 () yahoo com>
Chang:
Chang:  Hi, all
Chang:
Chang:  Some people connect to my exchange 2000 server every
Chang:  day and send all their spam out.  When I go to current
Chang:  sessions under SMTP protocols and default SMTP virtual
Chang:  server from exchange system manager, I can see these
Chang:  people's connections and IP addresses (no domain name
Chang:  shows up, only a fake name and IP).  I do not
Chang:  know how to block them.


Ummm ... a firewall?


Chang:  This is an exchange 2000 server
Chang:  with SP3 behind a PIX firewall.  We only open ports
Chang:  25, 443 and 80 for this exch 2k server on the PIX. The MX
Chang:  record points to this server. If I use NMAP
Chang:  to scan this box internally, here are the ports open:
Chang:
Chang:
Chang:  25/tcp     open        smtp
Chang:  80/tcp     open        http
Chang:  110/tcp    open        pop-3
Chang:  119/tcp    open        nntp
Chang:  135/tcp    open        loc-srv
Chang:  139/tcp    open        netbios-ssn
Chang:  143/tcp    open        imap2
Chang:  443/tcp    open        https
Chang:  445/tcp    open        microsoft-ds
Chang:  563/tcp    open        snews
Chang:  593/tcp    open        http-rpc-epmap
Chang:  691/tcp    open        resvc
Chang:  993/tcp    open        imaps
Chang:  995/tcp    open        pop3s
Chang:  3372/tcp   open        msdtc
Chang:  3389/tcp   open        ms-term-serv
Chang:  6000/tcp   open        X11
Chang:  6001/tcp   open        X11:1
Chang:  6003/tcp   open        X11:3
Chang:  6005/tcp   open        X11:5
Chang:  7001/tcp   open        afs3-callback
Chang:  8081/tcp   open        blackice-icecap
Chang:
Chang:  x11?


X11 is X-windows.  More-or-less windows for a UNIX machine.
But since you're running Windoze, I'm not sure what's listening on TCP 600[0-1,3,5].

Recommend you get nmap 3.45 and run it with the newly added -sV flag to
see what's listening.  Moreover, you should download TCPView and leave it
running.



(and you should make sure that your lines below don't word-wrap)

Chang:  When I do netstat -na, the following is shown as part of the result:
Chang:
Chang:  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54904        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54914        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54916        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54988        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54442        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54443        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54444        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54445        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54446        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54454        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54890        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54893        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54903        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54911        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54913        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54915        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54917        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54918        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54919        TIME_WAIT
Chang:  TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
Chang:  TCP    127.0.0.100:25         127.0.0.100:54912      TIME_WAIT
Chang:  TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT
Chang:
Chang:  This server is not an open relay server, so how
Chang:  can spammers connect to this server to send all their spam out
Chang:  from different domain addresses?
Chang:
Chang:  Due to limited experience, I am not able to tackle it.
Chang:  Many anti-spam companies have put our server on their
Chang:  lists.  I asked them to send me a report indicating that
Chang:  all the spam truly went out through my server, from the mail
Chang:  header info.
Chang:
Chang:  I need to resolve this ASAP and any suggestion or
Chang:  solutions will be greatly appreciated.
Chang:
Chang:
Chang:  Thanks for all your attention and help,


These are all internal IPs.  Do you know if these IPs are actually in use,
or do you think they are forged?  I see you mentioned
"... fake name and IP ..." but I do not see any "fake" names.



Thanks

 Scott Birl                              http://concept.temple.edu/sysadmin/
 Senior Systems Administrator            Computer Services   Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
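
An added example for sorting out whose connections those netstat lines belong to (editor-supplied code, not part of the original thread or of any Exchange or nmap tooling). It parses netstat -na style output, keeps only connections to local TCP port 25, labels each remote address as loopback (127.0.0.0/8), RFC 1918 private, or public, and flags remote hosts with several port-25 connections open at once. The sample input is constructed: the 127.x lines are copied from the quoted output above, while the 10.0.0.5 local address and the 192.168.1.x and 198.51.100.23 peers are invented (198.51.100.0/24 is the TEST-NET-2 documentation range from RFC 5737, standing in for an arbitrary public host), and the threshold of 3 connections is an arbitrary assumption.

```python
"""Summarise inbound SMTP connections from 'netstat -na' output.

Added example for this thread, not code from the original post. It groups
connections to local TCP port 25 by remote address, labels each remote
address as loopback (127.0.0.0/8), private (RFC 1918) or public, and flags
remote hosts holding many connections at once.

SAMPLE_NETSTAT is constructed: the 127.x lines mirror the quoted netstat
output; the 10.0.0.5 local address, the 192.168.1.x peers and the
198.51.100.23 peer are made up.  198.51.100.0/24 is the TEST-NET-2
documentation range (RFC 5737) and stands in for an arbitrary public host.
"""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
  TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
  TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT
  TCP    10.0.0.5:25            198.51.100.23:4411     ESTABLISHED
  TCP    10.0.0.5:25            198.51.100.23:4412     ESTABLISHED
  TCP    10.0.0.5:25            198.51.100.23:4413     ESTABLISHED
  TCP    10.0.0.5:25            192.168.1.77:1055      ESTABLISHED
  TCP    10.0.0.5:3389          192.168.1.20:2201      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

SMTP_PORT = 25
BUSY_THRESHOLD = 3  # assumed: flag a peer holding this many port-25 connections at once

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scope(addr):
    """Classify an IPv4 address as 'loopback', 'private' (RFC 1918) or 'public'.

    Checked against explicit networks rather than ipaddress.is_private, which
    also returns True for the RFC 5737 documentation range used in the sample.
    """
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) for each TCP line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # header, blank, or UDP line (UDP rows have no state column)
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        conns.append((local_ip, int(local_port), remote_ip, int(remote_port), parts[3]))
    return conns


def smtp_summary(text, port=SMTP_PORT):
    """Group connections to the local SMTP port by remote address.

    Returns {remote_ip: {"count": n, "states": Counter, "scope": str}}.
    The LISTENING socket has no peer and is skipped.
    """
    summary = defaultdict(lambda: {"count": 0, "states": Counter(), "scope": None})
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if lport != port or state == "LISTENING":
            continue
        entry = summary[rip]
        entry["count"] += 1
        entry["states"][state] += 1
        entry["scope"] = scope(rip)
    return dict(summary)


def busy_remotes(summary, threshold=BUSY_THRESHOLD):
    """Remote addresses with at least `threshold` connections to port 25, sorted."""
    return sorted(ip for ip, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    result = smtp_summary(SAMPLE_NETSTAT)
    for ip, e in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        states = ", ".join(f"{s}={n}" for s, n in sorted(e["states"].items()))
        print(f"{ip:<16} {e['scope']:<9} {e['count']:>3}  {states}")
    print("busy peers:", busy_remotes(result))
```

Run against the quoted output, every port-25 entry comes back as loopback with the same 127.x address on both sides, which is the server talking to itself, not an outside sender; the TIME_WAIT state also means those connections were already closed when netstat ran. To catch the senders Exchange System Manager shows, capture netstat while those sessions are live and look at the ESTABLISHED entries whose remote address classifies as public, then compare them with the IPs listed under current sessions.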

