Security Basics mailing list archives

RE: Need your help!!!


From: Dade McHugh <dmchugh () sungardfutures com>
Date: 23 Sep 2003 10:30:03 +1000

Firstly, do a "netstat -ano" (it tells you what process ID is running the
open port) and kill the process, then track down the exe and send the file
(and a description of what it did) to Symantec or McAfee (they like
looking at beasties like this...). It may not be a virus, but they should
know about it...

Now the bad news... you have a compromised system! Rebuild the box from
scratch (follow Mickeysoft's how-to on rebuilding an Exchange server), BUT
DO NOT put the HTTP and HTTPS services on it! Put these on a box in the
DMZ, not the internal LAN. If you can, put an SMTP relay in the DMZ as
well (for only your domain!!! don't install open relays) and allow that
to forward email to your internal email server. On the DMZ box, disable
all services that it does not need... I have not added all the things
you need to do to "harden" a box (as I don't have time), but the above
should make your environment a little more secure...

Remember the following with the internet: NEVER put internal servers on
the internet; NEVER have services you don't need running on internet
servers; ALWAYS stop DMZ boxes from accessing your internal LAN.


P.S. You now have to change all your passwords! Even the director who
has NEVER changed his password from "qwerty".

If after this you are still spamming, call a (good) security consultant;
he/she will audit the user IDs and machines on your network and find the
backdoor that the cracker used to access your network again...


-----Original Message-----
From: chang zhu [mailto:cyz2000 () yahoo com] 
Sent: Saturday, September 20, 2003 12:20 PM
To: security-basics () securityfocus com
Subject: Need your help!!!

Hi, all

Some people connect to my Exchange 2000 server every day and send all
their spam out. When I go to Current Sessions under SMTP Protocols and Default
SMTP Virtual Server in Exchange System Manager, I can see these
people's connections and IP addresses (no domain name shows up, only a
fake name and IP). I do not know how to block them. This is an
Exchange 2000 server with SP3 behind a PIX firewall. We only open
ports 25, 443 and 80 for this Exchange 2000 server on the PIX. The MX record points to
this server. If I use NMAP to scan this box internally, here are the ports
open:

25/tcp     open        smtp                    
80/tcp     open        http                    
110/tcp    open        pop-3                   
119/tcp    open        nntp                    
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
143/tcp    open        imap2                   
443/tcp    open        https                   
445/tcp    open        microsoft-ds            
563/tcp    open        snews                   
593/tcp    open        http-rpc-epmap          
691/tcp    open        resvc                   
993/tcp    open        imaps                   
995/tcp    open        pop3s                   
3372/tcp   open        msdtc                   
3389/tcp   open        ms-term-serv            
6000/tcp   open        X11                     
6001/tcp   open        X11:1    
6003/tcp   open        X11:3                   
6005/tcp   open        X11:5                   
7001/tcp   open        afs3-callback           
8081/tcp   open        blackice-icecap 

x11?

When I do netstat -na, the following is shown in part of the result:

TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54904        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54914        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54916        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54988        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54442        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54443        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54444        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54445        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54446        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54454        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54890        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54893        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54903        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54911        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54913        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54915        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54917        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54918        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54919        TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54912      TIME_WAIT
TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT

This server is not an open relay server, so how can spammers connect to
this server to send all their spam out from different domain addresses?

Due to limited experience, I am not able to tackle it. Many
anti-spam companies have put our server on their lists. I asked them to send me
reports that indicate all the spam truly went out through my server, from the
mail header info.

I need to resolve this ASAP and any suggestion or solutions will be
greatly appreciated.


Thanks for all your attention and help,

Chang





______________________________________________________________________

From: "Tenorio, Leandro" <ltenorio () intelaction com>
To: incidents () securityfocus com
Subject: RE: NDRs from spamming
Date: 19 Sep 2003 13:42:36 -0300

      Thanks Romulo for your summary, a very good practice.
I want to add a note: if you can block the subnets at the routing level instead of the firewall level, it will keep your
firewall log files cleaner, or at least check the firewall logs for other suspicious activity. It's common to hide an
attack with a lot of "noise".



-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br] 
Sent: Friday, September 19, 2003 7:37 AM
To: incidents () securityfocus com
Subject: RES: NDRs from spamming

Hi All (again),

I would like to thank you for all the replies I received. I would like to write down a summary of what I've found so 
far about this issue:

 Identification
As you all mentioned, this kind of "behaviour" is a well-known procedure called "joe-jobbing", and it appears to be a
common spammer attack (if they don't like you maybe you get such a gift), and a way to relay spam (sort of). I really
don't know what triggered the attack, as it seems to be a targeted one. Maybe I have a close "friend" that is a big
spammer, go figure.

http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm

 Side Effects
There are some strange and unfortunate results:

1. spam blocking
Since you will start sending out lots of NDRs to domains out there, you may get blocked by misconfigured anti-spam
tools. They might be triggered by the amount of email you are sending them, or just because your email server usually
attaches the original message (so message content scanning anti-spam tools might be triggered as well). Also, instead
of analyzing the headers to find out the originating SMTP server, some anti-spam tools might be configured to block
looking for the MX of the @domain.com in the From: field (bad). This is generally worse when someone "smart enough"
submits your IP to a well-known blackhole list (even "smarter" if they block you based on NDRs). You will probably
sort things out, but it will take some time.

2. bandwidth
By default, your mail server will issue a NDR for each NDR it receives, since the mailbox from: names are random. 
This will probably double the amount of traffic. IF you are short on bandwidth or server power, it might be an issue, 
since these attacks usually generate 10000 NDR mails a day per domain - double that if you have NDRs enabled - 
multiply by n domains if you are an ISP or host mail servers.

 What can be done
There are some things you might do to ease the pain. It probably won't solve the problem, but might get the side
effects under a manageable threshold.

1. temporarily disable NDRs
This would cut in half the amount of traffic and server load generated by the NDRs you receive.

2. track down and block offending SMTP servers
Received lots of messages about this, and it appears to be an
effective counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0 211.158.32.0/255.255.248.0
211.158.80.0/255.255.248.0 211.170.0.0 / 219.0.0.0 / 61.30.0.0 (Thanks Justin / Leandro) really reduced the amount of
NDRs received. DON'T forget to block secondary, tertiary, etc., SMTP servers, or the NDRs might simply be delivered
to them anyway.

Thanks again.

Regards,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.




Hi there,

I've noticed some increasing activity in our postmaster account since 2 weeks ago. We are receiving lots of NDRs from 
hundreds of non-existent "pseudo" email addresses. I found out that spammers are using our domain to fill up the from 
address (like creating random mailbox/user names and appending the @domain.com to the address).

In theory, this should not be a real concern, since the worst case scenario would be receiving lots of NDRs. But in
fact, some strange things are happening.

First, the amount of NDRs is compromising our bandwidth (yes, the NDRs are in the thousands a day already).

Second, some stupid (or badly configured) anti-spam systems are blocking my mail server based on the email address 
(easily forged). Before the question is raised, no, our server is not accepting mails as an open relay, so the 
messages are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there any counter-measures that could be taken ?

If it is not, I think it would be nice to issue an advisory, or at least a best-practice about configuring anti-spam 
tools, to NOT blackhole other mail servers based solely on from address fields, that can be easily forged.

Any info on this matter would be greatly appreciated.
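Two points from the summary above, worked through as an added example that is none of the posters' code: countermeasure 2 (blocking the offending source ranges, which Romulo gives in dotted-netmask form) and the side-effect note that the originating SMTP server has to be read from the Received: headers, not from the forged From: domain. The blocklist is the three ranges posted with a mask; the three posted without one (211.170.0.0, 219.0.0.0, 61.30.0.0) are left out rather than guessed. The bounced-original headers are constructed, with made-up hostnames and addresses and example.org standing in for the joe-jobbed domain. The code also generalises slightly: it accepts either dotted-netmask or prefix-length notation.

```python
import ipaddress
import re

# Source ranges as posted, in dotted-netmask form. The entries posted without
# a mask are deliberately omitted here rather than guessed.
BLOCKED_AS_POSTED = [
    "218.70.0.0/255.255.0.0",
    "211.158.32.0/255.255.248.0",
    "211.158.80.0/255.255.248.0",
]

# Constructed headers of a bounced original, as a remote MX would attach them
# to the NDR it sends back to postmaster@ of the forged From: domain. All
# hostnames and addresses are made up; example.org plays the joe-jobbed domain.
BOUNCED_ORIGINAL_HEADERS = """\
Received: from example.org (unknown [218.70.12.34])
\tby mx1.remote.example (Postfix) with SMTP id 7F2C1
\tfor <someone@remote.example>; Fri, 19 Sep 2003 07:30:11 -0300
Received: from mail.example.org ([10.0.0.5]) by example.org;
\tFri, 19 Sep 2003 07:29:58 -0300
From: qz8k3n@example.org
To: someone@remote.example
Subject: (spam)
"""


def to_networks(entries):
    """Accept 'net/dotted-netmask' or 'net/prefixlen' and return IPv4Network
    objects; strict=False tolerates host bits in a sloppily typed entry."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip, networks):
    """True if ip falls in any of the blocked networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """Bracketed IP from each Received: header, topmost (latest hop) first.
    Folded continuation lines are joined to their header before matching."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = _BRACKETED_IP.search(line)
            ips.append(m.group(1) if m else None)
    return ips


def originating_client(headers):
    """Client IP from the topmost Received: header. That header was written by
    the MX that later generated the NDR, so it is the one hop the spammer could
    not forge; every Received: line below it was supplied by the sender and
    may be fake (the 10.0.0.5 line in the sample is exactly that)."""
    ips = received_ips(headers)
    return ips[0] if ips else None


def classify_bounce(headers, networks):
    """Work out where the spam that caused an NDR really came from and whether
    that source is already in the block list."""
    src = originating_client(headers)
    return {
        "source": src,
        "blocked": bool(src) and is_blocked(src, networks),
        "all_received_ips": received_ips(headers),
    }


if __name__ == "__main__":
    nets = to_networks(BLOCKED_AS_POSTED)
    print("blocking", [str(n) for n in nets])
    print(classify_bounce(BOUNCED_ORIGINAL_HEADERS, nets))
```

The same originating_client() logic is what a receiving anti-spam filter should apply before blacklisting anyone: the address to judge is the connecting client's, never the MX of the From: domain. On the victim side, sources that are not yet blocked but keep showing up in classify_bounce() output are the next candidates for the router or firewall block, and the same list must be applied on every MX (secondary, tertiary) or the NDRs simply arrive there instead.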
