Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Possible Mail server compromise ?

from [Faas M. Mathiasen] Network Security [Permanent Link]
Subject: Re: Possible Mail server compromise ?
Date: Mon, 4 Feb 2008 22:49:29 +0100 
Dear Jon,
The mail server is not reachable from the Internet, I was not speaking
about the MX but our corporate mail server.

On Feb 4, 2008 8:02 PM, Jon R. Kibler <Jon.Kibler@aset.com> wrote:


Faas M. Mathiasen wrote:

Dear List,
"We" have noticed a odd traffic pattern emerging from our mail
servers, an important amount of data left our network over the mail
server. Please understand "we" would like
to remain anonymous at this point. We monitored our mail servers for
availability and the patch level is as to latest specifications,
additionally we have anti-virus software
 installed on all E-mail servers.

Is anybody aware of an unpatched exploit against Exchange Server 2007  ?
 Is there any other threat we have not taken into consideration ?

Do you have recommendations as to how to proceed ? Obviously our mail
server hold important information and we can't simply turn them off,
though we have procedures on how to respond to incidents we don't have
a procedure for this particular case, as our mail server is inside our
company, maintained and updated regularly we had no important reason
to believe it could be compromised.

We are currently investigating and took it off line for a few hours,
while installing a new clean server.

Regards,
Faas M. Mathiasen
CISSP Denmark



The most frequent 'exploit' I see against exchange servers is
where users use their business email address and domain login
password to register at some web site and either:
a) that site gets compromised and those credentials revealed, or
b) more likely, someone registered at a pseudo-phishing site
    (such as 'all the free porn you can view') using their
    exchange credentials.

In either case, the credentials are then used to force the
server to send spam, or if the credentials have admin priv, then
mangle the server in any way that they please.

Regardless of what happened, the best advise I can give is to
IMMEDIATELY change ALL user email passwords, and if any were
the same as domain passwords, change those too!

GOOD LUCK!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Possible Mail server compromise ?, Tony Maupin
Next by Date:  Re: Possible Mail server compromise ?, Faas M. Mathiasen
Previous by Thread:  Re: Possible Mail server compromise ?, Valdis . Kletnieks
Next by Thread:  Re: Possible Mail server compromise ?, Faas M. Mathiasen
Indexes:  [Date] [Thread] [Top] [All Lists]