Security Incidents mailing list archives
Re: Compromised Windows Server
From: Kees Leune <C.J.Leune () uvt nl>
Date: Wed, 07 Jun 2006 16:10:42 +0200
On 06/06/2006 05:09 PM, Patrick Beam wrote:
Some more information on my issue. The system is a production server running exchange for one client. It is a new machine that was recently built from know good media. It has been firewalled since it has been built, during the build it was not open to the internet. Once it was put into our production environment it had the following ports open to it 25,80,443,143,110. At this point I think the machine is cleaned. I am just guessing that the machine was hit by some automated tool. I could kick myself for not saving the files that I found on the machine and submitting to the sites suggested by some on the list. I also did not save the registry keys I found on the system, again another mistake on my part but I was in a hurry to get the machine back into production. Sadly I wasn't worried about gathering the information I needed to find out exactly what happened to the machine. Thanks for all of the responses I will have to add all of the suggested steps to a process document on what to do when you find a machine that has been compromised in some way.
Most POP servers (port 110) that I have seen do not implement delays or account lockouts when multiple invalid username/password combinations are attempted, which makes them a perfect target for brute-force dictionary attacks against your server. The same is often true for IMAP servers (port 143). You mention that the machine is an Exchange server, yet it has ports 80 and 443 open. If you have incorrectly installed or not-fully patches web scripts on there, that might have been a point-of-entry as well. My €0.02 -Kees -- Drs. Kees Leune Researcher Information Security at Tilburg University, Infolab Phone: +31 13 466 2688 * Email: kees () uvt nl * Web: http://www.leune.org
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Compromised Windows Server Patrick Beam (Jun 05)
- Re: Compromised Windows Server Jamie Riden (Jun 05)
- Re: Compromised Windows Server pauls (Jun 05)
- Re: Compromised Windows Server Jason Ross (Jun 05)
- Re: Compromised Windows Server Axel Pettinger (Jun 06)
- Re: Compromised Windows Server Harlan Carvey (Jun 06)
- Re: Compromised Windows Server Patrick Beam (Jun 06)
- Re: Compromised Windows Server Kees Leune (Jun 07)
- Re: Compromised Windows Server Isaac Perez (Jun 06)
- Re: Compromised Windows Server Macleonard Starkey (Jun 06)
- <Possible follow-ups>
- Re: Re: Compromised Windows Server wnorth (Jun 05)
- Re: Compromised Windows Server Butterworth, Jim (Jun 06)
- Re: Compromised Windows Server ross (Jun 06)
- RE: Compromised Windows Server Alan Davies (Jun 08)
- Re: Compromised Windows Server df (Jun 08)