On 06/06/2006 05:09 PM, Patrick Beam wrote: > Some more information on my issue. The system is a production server > running exchange for one client. It is a new machine that was > recently built from know good media. It has been firewalled since it > has been built, during the build it was not open to the internet. Once > it was put into our production environment it had the following ports > open to it 25,80,443,143,110. > > At this point I think the machine is cleaned. I am just guessing that > the machine was hit by some automated tool. I could kick myself for > not saving the files that I found on the machine and submitting to the > sites suggested by some on the list. I also did not save the registry > keys I found on the system, again another mistake on my part but I was > in a hurry to get the machine back into production. Sadly I wasn't > worried about gathering the information I needed to find out exactly > what happened to the machine. > > Thanks for all of the responses I will have to add all of the > suggested steps to a process document on what to do when you find a > machine that has been compromised in some way. Most POP servers (port 110) that I have seen do not implement delays or account lockouts when multiple invalid username/password combinations are attempted, which makes them a perfect target for brute-force dictionary attacks against your server. The same is often true for IMAP servers (port 143).
You mention that the machine is an Exchange server, yet it has ports 80 and 443 open. If you have incorrectly installed or not-fully patches web scripts on there, that might have been a point-of-entry as well. My €0.02 -Kees -- Drs. Kees Leune Researcher Information Security at Tilburg University, Infolab Phone: +31 13 466 2688 * Email: [EMAIL PROTECTED] * Web: http://www.leune.org
signature.asc
Description: OpenPGP digital signature
