Security Basics mailing list archives
RE: Need your help!!!
From: chang zhu <cyz2000 () yahoo com>
Date: Tue, 23 Sep 2003 07:07:15 -0700 (PDT)
Hi, all

Thanks for all your help. When I use tcpview, the process cmdsrvr.exe is running on ports 6001, 6002 and 6003. I killed this process. It seems that this looks like a reverse NDR attack. Meanwhile, I disabled the NDR. Also, I got the IP address range which I can block on the PIX. Any other consideration or suggestions will be greatly appreciated.

Thank you so much!

Chang

--- Dade McHugh <dmchugh () sungardfutures com> wrote:
Firstly do a "netstat -ano" (tells you what process id is running the open port) and kill the process, track down the exe and send the file (and a description of what it did) to Symantec or McAfee (they like looking at beasties like this...). It may not be a virus but they should know about it...

Now the bad news... you have a compromised system! Rebuild the box from scratch (follow mickeysofts how to rebuild an exchange server), BUT DO NOT put the HTTP and HTTPS services on it! Put these on a box in the DMZ, not the internal LAN. If you can... put an SMTP relay in the DMZ as well (for only your domain!!! don't install open relays) and allow that to forward email to your internal email server. On the DMZ box disable all services that it does not need...

I have not added all the things you need to do to "harden" a box (as I don't have time) but the above should make your enviro a little more secure... Remember the following with the internet: NEVER put internal servers on the internet; NEVER have services you don't need running on internet servers; ALWAYS stop DMZ boxes from accessing your internal LAN.

P.S. You now have to change all your passwords! Even the director that has NEVER changed his password from "qwerty". If after this you are still spamming, call a (good) security consultant; he/she will audit the userIDs and machines on your network and find the backdoor that the cracker used to access your network again...

-----Original Message-----
From: chang zhu [mailto:cyz2000 () yahoo com]
Sent: Saturday, September 20, 2003 12:20 PM
To: security-basics () securityfocus com
Subject: Need your help!!!

Hi, all

Some people connect to my Exchange 2000 server every day and send all spams out. When I go to current sessions under SMTP protocols and default SMTP virtual server from Exchange System Manager, I can see these people's connections and IP addresses (no domain name shows up, only a fake name and IP). I do not know how to block them.
This is Exchange 2000 server with SP3 and behind a PIX firewall. We only open ports 25, 443 and 80 for this Exch 2k server on the PIX. The MX record points to this server. If I use NMAP to scan this box internally, here are the ports open:

25/tcp open smtp
80/tcp open http
110/tcp open pop-3
119/tcp open nntp
135/tcp open loc-srv
139/tcp open netbios-ssn
143/tcp open imap2
443/tcp open https
445/tcp open microsoft-ds
563/tcp open snews
593/tcp open http-rpc-epmap
691/tcp open resvc
993/tcp open imaps
995/tcp open pop3s
3372/tcp open msdtc
3389/tcp open ms-term-serv
6000/tcp open X11
6001/tcp open X11:1
6003/tcp open X11:3
6005/tcp open X11:5
7001/tcp open afs3-callback
8081/tcp open blackice-icecap

x11?

When I do netstat -na, the following is shown in part of the result:

TCP 127.0.0.1:25 127.0.0.1:54441 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54898 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54904 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54914 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54916 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54988 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54433 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54434 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54442 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54443 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54444 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54445 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54446 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54454 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54890 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54893 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54903 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54911 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54913 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54915 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54917 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54918 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54919 TIME_WAIT
TCP 127.0.0.100:25 127.0.0.100:54905 TIME_WAIT
TCP 127.0.0.100:25 127.0.0.100:54912 TIME_WAIT
TCP 127.0.1.50:25 127.0.1.50:54456 TIME_WAIT

This server is not an open relay server, and how can spammers connect to this server to send all spams out from different domain addresses? Due to limited experience, I am not able to tackle it down. Many anti-spam companies put our server on their lists. I asked them to send me reports that indicated all spams truly went out through my server from the mail header info.

I need to resolve this ASAP and any suggestion or solutions will be greatly appreciated.

Thanks for all your attention and help,
=== message truncated ===
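The netstat output in the original message is the kind of evidence a defender wants to triage quickly: many sessions to local port 25 whose peer is also a 127.x address, which is what a local process feeding the server's own SMTP listener looks like. The following script is an added example, not code from the thread; it parses Windows `netstat -na` lines from a constructed sample modelled on the posted output, flags loopback-sourced SMTP sessions, and lists listening ports outside an allowed set (here the three ports the PIX permits). All function names and the sample data are my own.

```python
"""Triage `netstat -na` output: loopback SMTP sessions and unexpected listeners."""
import re
from collections import Counter

# Constructed sample modelled on the netstat lines posted in the thread,
# plus one ordinary remote SMTP session and one listener for contrast.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
  TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
  TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
  TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
  TCP    192.0.2.10:25          198.51.100.7:3391      ESTABLISHED
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": rport, "state": state or ""})
    return rows


def loopback_smtp_sessions(rows):
    """Sessions to local port 25 whose peer is also a 127.x address."""
    return [r for r in rows if r["lport"] == 25 and r["raddr"].startswith("127.")]


def sessions_per_local_port(rows, state=None):
    """Count sessions per local port, optionally restricted to one state."""
    counts = Counter(r["lport"] for r in rows if state is None or r["state"] == state)
    return dict(counts)


def unexpected_listeners(rows, allowed):
    """Listening TCP ports that are not in the allowed set (e.g. firewall rules)."""
    return sorted({r["lport"] for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["lport"] not in allowed})
```

On a live host, pipe `netstat -na` into `parse_netstat` and pair the flagged loopback sessions with `netstat -ano` to get the owning process id, as the reply above suggests.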