Re: Compromised Windows Server

[Kees Leune <C.J.Leune () uvt nl>]

On 06/06/2006 05:09 PM, Patrick Beam wrote:
> Some more information on my issue.  The system is a production server
> running exchange for one client.  It is a new machine that was
> recently built from know good media.  It has been firewalled since it
> has been built, during the build it was not open to the internet. Once
> it was put into our production environment it had the following ports
> open to it 25,80,443,143,110.
>
> At this point I think the machine is cleaned. I am just guessing that
> the machine was hit by some automated tool.  I could kick myself for
> not saving the files that I found on the machine and submitting to the
> sites suggested by some on the list.  I also did not save the registry
> keys I found on the system, again another mistake on my part but I was
> in a hurry to get the machine back into production. Sadly I  wasn't
> worried about gathering the information I needed to find out exactly
> what happened to the machine.
>
> Thanks for all of the responses I will have to add all of the
> suggested steps to a process document on what to do when you find a
> machine that has been compromised in some way.
Most POP servers (port 110) that I have seen do not implement delays or
account lockouts when multiple invalid username/password combinations
are attempted, which makes them a perfect target for brute-force
dictionary attacks against your server. The same is often true for IMAP
servers (port 143).

You mention that the machine is an Exchange server, yet it has ports 80
and 443 open. If you have incorrectly installed or not-fully patches web
scripts on there, that might have been a point-of-entry as well.

My €0.02

-Kees

-- 
Drs. Kees Leune 
Researcher Information Security at Tilburg University, Infolab 
Phone: +31 13 466 2688 * Email: kees () uvt nl * Web: http://www.leune.org

Attachment: signature.asc
Description: OpenPGP digital signature