On 06/06/2006 05:09 PM, Patrick Beam wrote:
Some more information on my issue. The system is a production server
running exchange for one client. It is a new machine that was
recently built from know good media. It has been firewalled since it
has been built, during the build it was not open to the internet. Once
it was put into our production environment it had the following ports
open to it 25,80,443,143,110.
At this point I think the machine is cleaned. I am just guessing that
the machine was hit by some automated tool. I could kick myself for
not saving the files that I found on the machine and submitting to the
sites suggested by some on the list. I also did not save the registry
keys I found on the system, again another mistake on my part but I was
in a hurry to get the machine back into production. Sadly I wasn't
worried about gathering the information I needed to find out exactly
what happened to the machine.
Thanks for all of the responses I will have to add all of the
suggested steps to a process document on what to do when you find a
machine that has been compromised in some way.
Most POP servers (port 110) that I have seen do not implement delays or
account lockouts when multiple invalid username/password combinations
are attempted, which makes them a perfect target for brute-force
dictionary attacks against your server. The same is often true for IMAP
servers (port 143).
You mention that the machine is an Exchange server, yet it has ports 80
and 443 open. If you have incorrectly installed or not-fully patches web
scripts on there, that might have been a point-of-entry as well.
My â0.02
-Kees
--
Drs. Kees Leune
Researcher Information Security at Tilburg University, Infolab
Phone: +31 13 466 2688 * Email: kees@uvt.nl * Web: http://www.leune.org
signature.asc
Description: OpenPGP digital signature
