August 29th, 2007, 07:50 AM
How do I handle this...
I currently work for a company that manages the internet connections of about 1200 hotels across the US. My job requires me to answer support calls and do basic troubleshooting on our severs installed in hotels.
When I started working at the company I noticed a large amount of spam coming into our mail boxes from the company exchange server. This of course is annoying and makes my day just a little more misrable then it has to be. I decided to start doing a personal audit of our companys security and found
port 4444 sitting open on our companys exchange server.
Our company runs linux/open bsd on most of its equipment with cisco equipment linking it all. It looks like a solid setup from my probeing but this port really bothers me.
How do I determine exactly what is going on here with the open port on the server... every port list I have consulted says that this is a known port for RATs and if this server has been "owned" then every other server in the network is in trouble. If this really is a problem I need to know how to let my company know in a way which is going to get their attention. The managers I have made aware about this have shown little to no intrest and I think something is being missed.
Anyone been here before?
August 29th, 2007, 09:45 AM
show them some websites with warnings to that port...
or get apacket sniffer and see if anythings going on there....
StreetsCrack.com Join The Best Music Social Network Online.
Music downloads, promotions, forums, profile, games etc...
August 29th, 2007, 09:46 AM
Stick on a packet sniffer (ethereal) and see what traffic is going out over this port, it's source and destination.
Try do disable this port if you are sure nothing legit is using it and see if anyone complains about not being able to do anything.
August 29th, 2007, 11:34 AM
Just close it up, and if no one complains then it's safe to leave closed, but i doubt that there is any valid reason in why it should of been left wide open in the first place..
August 29th, 2007, 12:49 PM
yeah, close it up.
If you want some impact, point out that in recent cases people have been sued over spam and if you have a compromised server you might be next.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
August 29th, 2007, 03:42 PM
What OS? If its XP SP2 or Server 2k3, try from a command prompt: netstat -nab
If its some other windows OS, try downloading Fport from foundstone: Here
Both of these will tell you what program has what port open...keep in mind that if there is a rootkit installed, you may not be able to trust netstat, in which case fport should be used...
This should at least provide a clue as to what has the port open...just at a glance, metasploit defaults to tcp/4444 quite frequently...should definitely look a little harder to see what is going on...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
August 29th, 2007, 06:13 PM
You may also want to check to make sure that the firewalls are not blocking this port by default. Sure, it may be open "inside" the network, but is it open from "outside" the network is probably a better question.
If it is open from outside the network, then you definetly have a problem.
August 29th, 2007, 10:36 PM
My first thought whenever I see port 4444 open is Metasplolit...almost every payload will use port 4444 for the return shell.
It certainly does not need to be open on an exchange server for normal operation - have you tried to telnet to it and grab a banner - it may give you more of an insight - also try browsing to it with your web browser or even using Xprobe2 or Nmap to try and determine a service.
Either way no legitimate application will use port 4444 due to the stigma that surrounds it.
My guess is that you do not have admin access to the Exchange server so you will be unable to investigate it from a server point of view which only really leaves the options I mentioned above open to you- personally I would recommend you raise this with your domain admin as soon as you can and let him look into it - go direct to the person who is responsible for the mail server instead of your managers as he will have a vested interest in looking after the mail server.......
August 30th, 2007, 02:01 AM
Your are correct is guessing that I don't have admin rights to this box. I had to use wireshark and nmap to find this port and it was done from my computer at home using wireshark via our webmail.
I'm gonna do some research on Metasplolit and see if it helps me figure out more about this.
August 30th, 2007, 05:26 AM
My suggestion is to walk away...
You are probing your company's resources without permission... Depending on your Sys Admins you could find yourself without a job. Depending on where you live you could also be breaking the law...
If you really want to do something about it... Go to an internet cafe, see if the port is available from the internet (or if it's only on the LAN) and send an email from a throw away anonymous email account to the sys admin... Then forget about it.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
By cheyenne1212 in forum Miscellaneous Security Discussions
Last Post: February 1st, 2012, 02:51 PM
By MrLinus in forum Tech Humor
Last Post: May 28th, 2004, 09:51 AM
By Trust_Not_123 in forum Site Feedback/Questions/Suggestions
Last Post: May 6th, 2003, 05:46 PM
By Cheeseball in forum Other Tutorials Forum
Last Post: January 9th, 2003, 03:39 PM
By Noble Hamlet in forum AntiOnline's General Chit Chat
Last Post: March 17th, 2002, 09:38 AM