Re: Possible Mail server compromise ?
Feb 04 2008 09:49PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
The mail server is not reachable from the Internet; I was not speaking
about the MX but about our corporate mail server.
On Feb 4, 2008 8:02 PM, Jon R. Kibler <Jon.Kibler (at) aset (dot) com [email concealed]> wrote:
> Faas M. Mathiasen wrote:
> > Dear List,
> > "We" have noticed an odd traffic pattern emerging from our mail
> > servers: an important amount of data left our network over the mail
> > server. Please understand "we" would like
> > to remain anonymous at this point. We monitored our mail servers for
> > availability, the patch level is up to the latest specifications, and
> > additionally we have anti-virus software
> > installed on all E-mail servers.
> > Is anybody aware of an unpatched exploit against Exchange Server 2007?
> > Is there any other threat we have not taken into consideration?
> > Do you have recommendations as to how to proceed? Obviously our mail
> > servers hold important information and we can't simply turn them off;
> > though we have procedures on how to respond to incidents, we don't have
> > a procedure for this particular case, as our mail server is inside our
> > company, maintained and updated regularly, and we had no important reason
> > to believe it could be compromised.
> > We are currently investigating and took it offline for a few hours
> > while installing a new clean server.
> > Regards,
> > Faas M. Mathiasen
> > CISSP Denmark
> The most frequent 'exploit' I see against exchange servers is
> where users use their business email address and domain login
> password to register at some web site and either:
> a) that site gets compromised and those credentials revealed, or
> b) more likely, someone registered at a pseudo-phishing site
> (such as 'all the free porn you can view') using their
> exchange credentials.
> In either case, the credentials are then used to force the
> server to send spam, or if the credentials have admin priv, then
> mangle the server in any way that they please.
> Regardless of what happened, the best advice I can give is to
> IMMEDIATELY change ALL user email passwords, and if any were
> the same as domain passwords, change those too!
> GOOD LUCK!
> Jon Kibler
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> m: 843-224-2494
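Jon's scenario above is stolen user credentials being used to make the server send mail. Before (or alongside) the mass password reset, a quick way to see whether that is what the odd outbound traffic is, is to total client submissions per sender in the Exchange message tracking log: a compromised account typically shows many recipients per message and submissions from client IPs that are not the user's workstation. The script below is an added example written for this thread, not code posted by either author. The log lines are constructed in the Exchange 2007 message tracking CSV layout (the parser reads the #Fields: header rather than assuming column positions); treating RECEIVE events with source SMTP as client submissions, the IP addresses, and the thresholds are assumptions to adjust for your own environment.

```python
"""Triage an Exchange message tracking log for senders whose credentials
may be in use by a spammer. Added example; not from the original thread."""
import csv
from collections import defaultdict

# Constructed sample in the Exchange 2007 message tracking CSV layout.
# Column order comes from the "#Fields:" header, which the parser reads.
# alice: normal use. carol: bulk mail from two different client IPs.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Date: 2008-02-04T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2008-02-04T18:01:02.000Z,10.1.1.20,PC-ALICE,10.1.1.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1001,<a1@corp.example>,bob@corp.example,,2048,1,,,Q3 report,alice@corp.example,alice@corp.example,
2008-02-04T18:05:40.000Z,10.1.1.20,PC-ALICE,10.1.1.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1002,<a2@corp.example>,dave@corp.example,,1024,1,,,Re: lunch,alice@corp.example,alice@corp.example,
2008-02-04T18:10:00.000Z,10.1.7.99,,10.1.1.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1003,<c1@corp.example>,u1@example.net;u2@example.net;u3@example.net,,800,40,,,"Cheap meds, buy now",carol@corp.example,carol@corp.example,
2008-02-04T18:10:03.000Z,10.1.7.99,,10.1.1.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1004,<c2@corp.example>,u4@example.net;u5@example.net,,800,40,,,"Cheap meds, buy now",carol@corp.example,carol@corp.example,
2008-02-04T18:10:09.000Z,10.1.8.14,,10.1.1.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1005,<c3@corp.example>,u6@example.net,,800,40,,,"Cheap meds, buy now",carol@corp.example,carol@corp.example,
"""


def parse_tracking_log(text):
    """Return one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if line.startswith("#"):        # other header lines (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("record found before the #Fields: header")
        values = next(csv.reader([line]))   # csv handles quoted subjects with commas
        rows.append(dict(zip(fields, values)))
    return rows


def summarize_submissions(rows):
    """Per sender: message count, total recipients and distinct client IPs.

    Assumption: RECEIVE events with source SMTP are client submissions, which
    is where an attacker submitting with stolen credentials shows up."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set()})
    for r in rows:
        if r.get("event-id") != "RECEIVE" or r.get("source") != "SMTP":
            continue
        s = stats[r["sender-address"].lower()]
        s["messages"] += 1
        s["recipients"] += int(r.get("recipient-count") or 0)
        s["client_ips"].add(r["client-ip"])
    return stats


def flag_suspicious(stats, max_recipients=50, max_client_ips=1):
    """Return {sender: [reasons]} for senders exceeding either threshold."""
    flagged = {}
    for sender, s in stats.items():
        reasons = []
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients in {s['messages']} messages")
        if len(s["client_ips"]) > max_client_ips:
            reasons.append(f"submitted from {len(s['client_ips'])} client IPs: "
                           f"{sorted(s['client_ips'])}")
        if reasons:
            flagged[sender] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarize_submissions(parse_tracking_log(SAMPLE_LOG))
    for sender, reasons in flag_suspicious(stats).items():
        print(f"{sender}: " + "; ".join(reasons))
```

Point it at the real files under the transport server's MessageTracking directory, and lower the thresholds to whatever is normal for your users; an account that trips both checks is the first candidate for the password reset and for pulling the workstation at the client IP off the network.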
Copyright 2010, SecurityFocus