Exchange 2k3 Malicious Messages Being Sent From User's Acct

I have been receiving email notifications from our ISP stating that malicious email messages are being sent from the IP address of our Exchange server. Since that time, I have regularly been checking the queue on our Exchange server for anything suspicious. Today I noticed four messages in the queue, each 1 KB in size, sent from the same user to obscure domains at random times throughout the day.

- The Exchange server is enabled to relay for two internal IP addresses.
- The check box for "Allow all computers that successfully authenticate..." is not checked.
- Anonymous access, basic authentication, and Integrated Windows authentication are all selected.

I cannot seem to figure this out. Where should I start looking to resolve this issue?
Aug 11 '10 #1
sicarie
1) unplug the internet connection from the exchange server so that you don't spam anyone, and your ISP doesn't disconnect you
2) determine if you want to spend the money for forensic analysis, or just reinstall
3) when you finally decide to reinstall (with or without the forensic analysis) ensure you 'harden' your server, specifically for Exchange.
4) take the time to configure, and then take more time to tune, a log management system so that you'll be informed of suspicious activity
Aug 12 '10 #2
mcfly1204
So you are saying the only manner in which to resolve this issue properly is to completely reinstall everything on the Exchange server? I appreciate the response, but I would also appreciate someone confirming that this is common practice. This feels like the equivalent of reformatting a desktop every time you have an issue.
Aug 12 '10 #3
sicarie
If this were a normal issue and not an intrusion, that would be a good analogy of reinstalling at every issue.

However, when a server is compromised - as yours sounds like it has been (sending email not authorized by your company) - you can spend a LOT of time and money on forensic analysis and remediation to figure out what was compromised at what level (it's on the box, so they have access to your Exchange server; you know it's gotten into your DMZ at least), and then use tools that are not guaranteed to remove them, some of which can be extremely destructive. This takes time, it can take money, and it can be done very poorly very easily.

Or, you can reinstall and wipe out whatever malicious programs were installed; and use a server hardening guide to remove the 'most common' attack vectors. It all depends on how big your business is and how much you want to know what the IP address is of the person who did it.

I'd recommend pulling the plug while you decide, but then also exporting 1) a backup of the mail files to hard media (a CD or something - I'm considered paranoid, but I don't like moving something that may be corrupt onto another PC to get infected), and also exporting the Windows Log Files so that you can take a look at them and try to get an idea of where/when/how the intrusion happened.
Aug 12 '10 #4
sicarie
Hmmm, there might be one thing to check before you do all that - did you look at the ID sending these emails, and who created those users? Make sure it wasn't someone in your company?

That would be the initial forensic analysis - figure out what account got compromised, then you can figure out roughly when that happened and then by looking at the system events how it happened (hopefully, depending on your logging levels).
Aug 12 '10 #5
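Where to start looking, as an added example that is not part of the thread and not code from any poster: the first forensic step sicarie describes in #5 (which account, from which machine, when) can be worked from the SMTP virtual server's protocol log, provided logging was enabled on that virtual server before the messages went out (it is off by default on Exchange 2003, so if it is off, turn it on now and also pull the Security event log). The script reads the W3C extended format by its own `#Fields:` header rather than assuming a column layout, correlates each `RCPT` with the preceding `MAIL` from the same client IP, and reports who sent outbound mail, from where, and whether that client authenticated. The log lines, the `192.168.0.0/16` internal range, the `corp.example` domain and the host addresses are all constructed assumptions.

```python
"""Triage an Exchange 2003 SMTP virtual server log (W3C extended format)
to see which account sent outbound mail, from which client IP, and whether
that client authenticated.  Added example for this thread, not the thread's
own code.  Column order is taken from the log's own #Fields: line; the
sample below is constructed and its field selection is only an assumption."""
import ipaddress
import re
from collections import Counter, defaultdict

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed LAN range
LOCAL_DOMAINS = {"corp.example"}                           # assumed own domain
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample log; every address, user and timestamp is invented.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2010-08-11 08:02:11 192.168.1.20 - 192.168.1.5 MAIL +FROM:<bob@corp.example> 250
2010-08-11 08:02:11 192.168.1.20 - 192.168.1.5 RCPT +TO:<alice@corp.example> 250
2010-08-11 10:41:03 203.0.113.45 CORP\bob 192.168.1.5 AUTH +LOGIN 235
2010-08-11 10:41:04 203.0.113.45 CORP\bob 192.168.1.5 MAIL +FROM:<bob@corp.example> 250
2010-08-11 10:41:04 203.0.113.45 CORP\bob 192.168.1.5 RCPT +TO:<x9q@rnd-domain.example> 250
2010-08-11 13:17:50 203.0.113.45 CORP\bob 192.168.1.5 MAIL +FROM:<bob@corp.example> 250
2010-08-11 13:17:50 203.0.113.45 CORP\bob 192.168.1.5 RCPT +TO:<buy@other-rnd.example> 250
2010-08-11 15:05:22 192.168.1.20 - 192.168.1.5 MAIL +FROM:<bob@corp.example> 250
2010-08-11 15:05:22 192.168.1.20 - 192.168.1.5 RCPT +TO:<w@third-rnd.example> 250
2010-08-11 16:30:09 192.168.1.31 - 192.168.1.5 MAIL +FROM:<bob@corp.example> 250
2010-08-11 16:30:09 192.168.1.31 - 192.168.1.5 RCPT +TO:<z@fourth-rnd.example> 550
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # line does not match the declared layout; skip it
        yield dict(zip(fields, values))


def address_in(query):
    """Pull the <address> out of a '+FROM:<...>' or '+TO:<...>' query field."""
    m = ADDR_RE.search(query)
    return m.group(1).lower() if m else None


def summarize(text):
    """Correlate each RCPT with the last MAIL seen from the same client IP.
    Returns {sender: {"clients": {(ip, user): Counter(external domains)},
                      "relay_denied": count of refused external recipients}}."""
    pending = {}  # c-ip -> (sender, username) from that client's last MAIL
    out = defaultdict(lambda: {"clients": defaultdict(Counter), "relay_denied": 0})
    for row in parse_w3c(text):
        ip, method = row["c-ip"], row["cs-method"]
        if method == "MAIL":
            pending[ip] = (address_in(row["cs-uri-query"]), row["cs-username"])
        elif method == "RCPT" and ip in pending:
            sender, user = pending[ip]
            domain = (address_in(row["cs-uri-query"]) or "").rpartition("@")[2]
            entry = out[sender]
            seen = entry["clients"][(ip, user)]  # records the client even for local mail
            if domain and domain not in LOCAL_DOMAINS:
                if row["sc-status"].startswith("250"):
                    seen[domain] += 1
                else:
                    entry["relay_denied"] += 1
    return out


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def findings(summary):
    """Answer the thread's questions: which account, from which host, authenticated or not."""
    notes = []
    for sender, entry in sorted(summary.items()):
        for (ip, user), domains in sorted(entry["clients"].items()):
            n = sum(domains.values())  # accepted external recipients from this client
            if user != "-" and not is_internal(ip):
                notes.append(("external_auth", sender, ip, user, n))
            elif user == "-" and n and is_internal(ip):
                notes.append(("internal_relay", sender, ip, user, n))
            elif user == "-" and n:
                notes.append(("open_relay", sender, ip, user, n))
        if entry["relay_denied"]:
            notes.append(("relay_denied", sender, None, None, entry["relay_denied"]))
    return notes


if __name__ == "__main__":
    for kind, sender, ip, user, n in findings(summarize(SAMPLE_LOG)):
        print(kind, sender, ip, user, n)
```

Read against the configuration in the first post: an `external_auth` line means the user's password is being used to authenticate from outside the network, so the credentials are compromised whatever the state of the server; an `internal_relay` line means a LAN host is originating the mail unauthenticated, and the question becomes whether that host is one of the two relay-listed addresses and what is running on it; `relay_denied` lines show the relay restriction doing its job for those attempts. Mail submitted through Outlook/MAPI rather than SMTP will not appear in this log at all; the message tracking log is the place to look for that.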