Incidents
Possible Mail server compromise ? Feb 04 2008 06:28PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 12 2008 11:41PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 18 2008 07:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:43AM
Eduardo Tongson (propolice gmail com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:33PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 02:38AM
Eduardo Tongson (propolice gmail com)
Re: Possible Mail server compromise ? Feb 19 2008 05:35PM
Bob Toxen (vger verysecurelinux com) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:14AM
Jon Oberheide (jon oberheide org) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 05:11PM
Valdis Kletnieks vt edu (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:25PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 11:07PM
Peter Kosinar (goober ksp sk) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 10:49AM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
RE: Possible Mail server compromise ? Feb 22 2008 12:38AM
Richard C Lewis (chad mr-lew com) (1 replies)
Re: Possible Mail server compromise ? Feb 26 2008 04:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 19 2008 06:46PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:48PM
Eygene Ryabinkin (rea-sec codelabs ru) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 10:59PM
Valdis Kletnieks vt edu (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 10:31AM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 05:13PM
Paul Schmehl (pauls utdallas edu)
Re: Possible Mail server compromise ? Feb 20 2008 07:10PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 20 2008 07:05AM
Bob Toxen (vger VerySecureLinux com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:25PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 20 2008 01:51AM
Valdis Kletnieks vt edu
Re: Possible Mail server compromise ? Feb 13 2008 09:55AM
Michael Loftis (mloftis wgops com)
Re: Possible Mail server compromise ? Feb 13 2008 05:09AM
Jon Oberheide (jon oberheide org)
Re: Possible Mail server compromise ? Feb 04 2008 07:05PM
Jon R. Kibler (Jon Kibler aset com) (1 replies)
Re: Possible Mail server compromise ? Feb 04 2008 09:39PM
Tony Maupin (tony themaupins com) (1 replies)
Faas,

I would have to agree with Jon Kibler's response, but would like to
add that there are vulnerabilities in Exchange that you may be a
victim of. Most of the time these things happen from other
processes/applications/vulnerabilities on the internal network that
are leveraging your mail infrastructure to distribute collateral. You
should consider engaging a trusted security vendor for professional
services. This could be something simple, but it could also be a huge
problem. This doesn't seem to be the core competency of your group and
some things are better left to those who have the knowledge and
experience.

Tony Maupin, CISSP, CCNA, CCSA, MCSE, PMP, VCI, ACI, SCSA
Senior Risk Consultant
Network & Information Security

Verizon Business Security Solutions Powered by Cybertrust
U.S. Professional Security Services
San Antonio, Texas
Mobile: 210-563-2160
Tony.Maupin (at) VerizonBusiness (dot) com [email concealed]
http://www.verizonbusiness.com/us/security/

On Feb 4, 2008 2:05 PM, Jon R. Kibler <Jon.Kibler (at) aset (dot) com [email concealed]> wrote:
>
> Faas M. Mathiasen wrote:
> > Dear List,
> > "We" have noticed a odd traffic pattern emerging from our mail
> > servers, an important amount of data left our network over the mail
> > server. Please understand "we" would like
> > to remain anonymous at this point. We monitored our mail servers for
> > availability and the patch level is as to latest specifications,
> > additionally we have anti-virus software
> > installed on all E-mail servers.
> >
> > Is anybody aware of an unpatched exploit against Exchange Server 2007 ?
> > Is there any other threat we have not taken into consideration ?
> >
> > Do you have recommendations as to how to proceed ? Obviously our mail
> > server hold important information and we can't simply turn them off,
> > though we have procedures on how to respond to incidents we don't have
> > a procedure for this particular case, as our mail server is inside our
> > company, maintained and updated regularly we had no important reason
> > to believe it could be compromised.
> >
> > We are currently investigating and took it off line for a few hours,
> > while installing a new clean server.
> >
> > Regards,
> > Faas M. Mathiasen
> > CISSP Denmark
> >
>
> The most frequent 'exploit' I see against exchange servers is
> where users use their business email address and domain login
> password to register at some web site and either:
> a) that site gets compromised and those credentials revealed, or
> b) more likely, someone registered at a pseudo-phishing site
> (such as 'all the free porn you can view') using their
> exchange credentials.
>
> In either case, the credentials are then used to force the
> server to send spam, or if the credentials have admin priv, then
> mangle the server in any way that they please.
>
> Regardless of what happened, the best advise I can give is to
> IMMEDIATELY change ALL user email passwords, and if any were
> the same as domain passwords, change those too!
>
> GOOD LUCK!
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> m: 843-224-2494
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
>

[ reply ]
Re: Possible Mail server compromise ? Feb 04 2008 09:57PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 05 2008 05:49PM
Valdis Kletnieks vt edu
RE: Possible Mail server compromise ? Feb 04 2008 06:58PM
Worrell, Brian (BWorrell isdh IN gov)


 

Privacy Statement
Copyright 2010, SecurityFocus