Incidents
Compromised Windows Server Jun 05 2006 07:27PM
Patrick Beam (patrick beam gmail com) (8 replies)
Re: Compromised Windows Server Jun 07 2006 02:19AM
Macleonard Starkey (macleonard auscert org au)
Re: Compromised Windows Server Jun 06 2006 03:20PM
Isaac Perez (suscripcions tsolucio com)
Re: Compromised Windows Server Jun 06 2006 03:09PM
Patrick Beam (patrick beam gmail com) (1 replies)
Re: Compromised Windows Server Jun 07 2006 02:10PM
Kees Leune (C J Leune uvt nl)
On 06/06/2006 05:09 PM, Patrick Beam wrote:
> Some more information on my issue. The system is a production server
> running exchange for one client. It is a new machine that was
> recently built from know good media. It has been firewalled since it
> has been built, during the build it was not open to the internet. Once
> it was put into our production environment it had the following ports
> open to it 25,80,443,143,110.
>
> At this point I think the machine is cleaned. I am just guessing that
> the machine was hit by some automated tool. I could kick myself for
> not saving the files that I found on the machine and submitting to the
> sites suggested by some on the list. I also did not save the registry
> keys I found on the system, again another mistake on my part but I was
> in a hurry to get the machine back into production. Sadly I wasn't
> worried about gathering the information I needed to find out exactly
> what happened to the machine.
>
> Thanks for all of the responses I will have to add all of the
> suggested steps to a process document on what to do when you find a
> machine that has been compromised in some way.
Most POP servers (port 110) that I have seen do not implement delays or
account lockouts when multiple invalid username/password combinations
are attempted, which makes them a perfect target for brute-force
dictionary attacks against your server. The same is often true for IMAP
servers (port 143).

You mention that the machine is an Exchange server, yet it has ports 80
and 443 open. If you have incorrectly installed or not-fully patches web
scripts on there, that might have been a point-of-entry as well.

My â?¬0.02

-Kees

--
Drs. Kees Leune
Researcher Information Security at Tilburg University, Infolab
Phone: +31 13 466 2688 * Email: kees (at) uvt (dot) nl [email concealed] * Web: http://www.leune.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEht5i8la0fC+6NiARArv1AJ9SjwkiHlniB5dFtpnGVD4kxd78qwCffAq2
4DeIxBlrxR6CvNGV+7UOrcI=
=1Fi7
-----END PGP SIGNATURE-----

[ reply ]
Re: Compromised Windows Server Jun 06 2006 11:32AM
Harlan Carvey (keydet89 yahoo com)
Re: Compromised Windows Server Jun 06 2006 08:09AM
Axel Pettinger (api worldonline de)
Re: Compromised Windows Server Jun 06 2006 02:39AM
Jason Ross (algorythm gmail com)
Re: Compromised Windows Server Jun 06 2006 02:38AM
pauls utdallas edu
Re: Compromised Windows Server Jun 06 2006 02:12AM
Jamie Riden (jamesr europe com)


 

Privacy Statement
Copyright 2010, SecurityFocus