Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: Gary Baribault <gary () baribault net>
Date: Mon, 04 Feb 2008 18:37:23 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What is the software that you have that supports your public MX ? I assume that it's not Exchange. Gary Baribault CISSP, RHCE, CCNP, MCSE Consultant en sécurité informatique / Computer security consultant Gary Baribault inc. tél: 514-821-6524 Courriel: gary () baribault com GPG Key: 0xEF3EBD1C GPG Fingerprint: 5B1F 899B 4A7C A586 8388 6AFD 796B E68D EF3E 8D1C Faas M. Mathiasen wrote:
Dear Jon, The mail server is not reachable from the Internet, I was not speaking about the MX but our corporate mail server. On Feb 4, 2008 8:02 PM, Jon R. Kibler <Jon.Kibler () aset com> wrote:Faas M. Mathiasen wrote:Dear List, "We" have noticed a odd traffic pattern emerging from our mail servers, an important amount of data left our network over the mail server. Please understand "we" would like to remain anonymous at this point. We monitored our mail servers for availability and the patch level is as to latest specifications, additionally we have anti-virus software installed on all E-mail servers. Is anybody aware of an unpatched exploit against Exchange Server 2007 ? Is there any other threat we have not taken into consideration ? Do you have recommendations as to how to proceed ? Obviously our mail server hold important information and we can't simply turn them off, though we have procedures on how to respond to incidents we don't have a procedure for this particular case, as our mail server is inside our company, maintained and updated regularly we had no important reason to believe it could be compromised. We are currently investigating and took it off line for a few hours, while installing a new clean server. Regards, Faas M. Mathiasen CISSP DenmarkThe most frequent 'exploit' I see against exchange servers is where users use their business email address and domain login password to register at some web site and either: a) that site gets compromised and those credentials revealed, or b) more likely, someone registered at a pseudo-phishing site (such as 'all the free porn you can view') using their exchange credentials. In either case, the credentials are then used to force the server to send spam, or if the credentials have admin priv, then mangle the server in any way that they please. Regardless of what happened, the best advise I can give is to IMMEDIATELY change ALL user email passwords, and if any were the same as domain passwords, change those too! GOOD LUCK! Jon Kibler -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 m: 843-224-2494 ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFHp6Gz5BLKxPqBKDURAgi8AJ9EEzbtgn2Nzzd44WmaK/2kE1a20wCgndoU vPoLC1Q+naZb4CCvEGyiWbM= =5kgo -----END PGP SIGNATURE-----
Current thread:
- Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- RE: Possible Mail server compromise ? Worrell, Brian (Feb 04)
- Re: Possible Mail server compromise ? Jon R. Kibler (Feb 04)
- Re: Possible Mail server compromise ? Tony Maupin (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 05)
- Re: Possible Mail server compromise ? Tony Maupin (Feb 04)
- Message not available
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Message not available
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Gary Baribault (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Michael Loftis (Feb 13)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 13)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 19)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)