Exchange Hacked?

[jbclarkman]

Here is whats going on.

Someone emailed me the other day with just basic info(from me to someone, to me from someone, as well as text from the message) from an email I sent and/or received telling me that I'm insecure.

They won't tell me how they did it. The issue is it was sent to a mailing list and I'm not sure if that person is on it or not.

I'm running windows2000 and exchange 2000 with all the latest patches/service packs for both. Were in a Citrix Enviornment.

The mail server does have an external ip address and port 135 is open because we have customers who pull down there mail from exchange to there local desktop.

Any ideas or any additional information you need let me know. I'm verious anxious to know how they are doing this and such.

[Tiger Shark]

Why don't you enable SSL to the Exchange Server instead of port 135.

[jbclarkman]

not sure why it is setup with port 135 however thats for the exchange guys. I'm just interested in this possible hole.

[Tiger Shark]

Well... Port 135 is much more "attackable" than 443 so it makes it very hard to tell now you might have been compromised...

The question is "were you compromised"?

Did the email leave the exchange server or was it a totally internal email?
Did one of the recipients forward it outside the network, (check your logs - you have logs, right?)

The first thing you need to do is _confirm_ a compromise... Otherwise you will be chasing your tail all day for no reason....

[jbclarkman]

well the email went to an external mailing list for Nessus.
It came in through the mailing list as well.

We have logs but they only go back a couple of days(I'm working on getting a nice log server up but thats in the works and not up yet). Problem is he just sent the email to me today and the email he mentioned was from april 26th :'(. So the logs are long gone.

So I'm not sure if we have been compromised or not. Thats why I'm asking for help cause I know he isn't going to tell me.

Please assist.

[ammo]

Well you say you're all patched but just want to make sure you're patched from the MS05-021 from the 12th of last month since there's a remote code execution exploit availible for it...

Otherwise, you could still be succeptible to ms rpc abuse with port 135 open...

I would also suggest using ssl-imap or ssl-pop3 instead for remote access...


Ammo

[morganlefay]

Wasnt there some virus\worm recently..(past year) that would send you an email stating that you are infected with something or other???


It was a bogus email....notification?


Unless you actually know that person (someone in your contact list)....In our case most were from people I had never heard of.....or someone you are a contact on thier list which is infected... such as people that you may have sent an email to once, or when you forwarded or were forwarded an email joke along with 200 other email addresses....

you will recieve this notification....cause someone outhere that received an email with your email addy on it...got infected....even if you know them or not.....that virus will "spider" through all addy's and send itself out as some kinda virus\sercurity notification

Just thoughts.....

Some things are false positives.

I would do what Tiger Shark suggested and lock down your exchange server.... remove port 135 as an email port...as there are alot of things that take advantage of that port...

and also ..turn up your logging in exchange....to ensure you are not infected. You should be able to track abnormal email volumes...and maybe desern if it is an internal or external problem?
...such as one of your remote users?

kinda wine infected right now and cant remember the exact settings\screens...you know


Anyway...just thoughts..

MLF

[SawPer]

Yeah, like TigerShark said, not good to leave port 135 open!
If you are the network guy you are maybe responsible for the network security as well? I would make that my concern and I would make sure to talk to the Exchange admin(s) and/or your boss about it. There are much better alternatives than leaving 135 open.

Here are a few examples:

1. If you use MS ISA Server, it has special support for using Outlook remotely to the Exchange server.

2. Upgrade to Exchange 2003, and you will have built in support for remote Outlook connectivity. It's called RPC over HTTP(S), which is the way we have it setup. This works great, plus it uses a new feature, Cached Mode, which cuts down a lot of bandwidth! Oh, and another plus using Exchange 2003 is it also supports remote sync for your PDA's!

[jbclarkman]

well the bosses won't close out port 135 and I know were not upgrading to 2003 very soon. The reason it is open is for PDA/BB to be able to sync from the local desktop because this doesn't work well in a citrix enviornment.

Its not a virus because I personally know the person who sent it to me. It happens to be an ex employee. Which brings in alot of other stuff which i have insured he doesn't have access to anything.

but let me know any more thoughts you all might have.

[SawPer]

Could it just be something as simple as this ex-employee was some sort of admin, so he knew others passwords, and now is using someone elses username and password... ?

Or maybe he added his "home" email to one of the mailing lists?