Incidents
Re: Possible Mail server compromise ? Feb 04 2008 09:57PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Dear Tony,

Thank you for your input. It seems that the "data" was sent FROM the
mail server and the data is not e-mails.
I know that there are "vulnerabilities in Exchange"; I was asking if
there are new (0day) vulnerabilities that have not been patched and can
be exploited remotely - from the outside. We took great care to harden
these servers and they are (of course) not reachable from the "outside".

Please understand that I cannot go into much detail. Maybe you are
underestimating our competence, but you're Verizon, so... obviously you
know better. ;)

On Feb 4, 2008 10:39 PM, Tony Maupin <tony (at) themaupins (dot) com> wrote:
> Faas,
>
> I would have to agree with Jon Kibler's response, but would like to
> add that there are vulnerabilities in Exchange that you may be a
> victim of. Most of the time these things happen from other
> processes/applications/vulnerabilities on the internal network that
> are leveraging your mail infrastructure to distribute collateral. You
> should consider engaging a trusted security vendor for professional
> services. This could be something simple, but it could also be a huge
> problem. This doesn't seem to be the core competency of your group and
> some things are better left to those who have the knowledge and
> experience.
>
> Tony Maupin, CISSP, CCNA, CCSA, MCSE, PMP, VCI, ACI, SCSA
> Senior Risk Consultant
> Network & Information Security
>
> Verizon Business Security Solutions Powered by Cybertrust
> U.S. Professional Security Services
> San Antonio, Texas
> Mobile: 210-563-2160
> Tony.Maupin (at) VerizonBusiness (dot) com
> http://www.verizonbusiness.com/us/security/
>
>
>
> On Feb 4, 2008 2:05 PM, Jon R. Kibler <Jon.Kibler (at) aset (dot) com> wrote:
> >
> > Faas M. Mathiasen wrote:
> > > Dear List,
> > > "We" have noticed an odd traffic pattern emerging from our mail
> > > servers, an important amount of data left our network over the mail
> > > server. Please understand "we" would like to remain anonymous at
> > > this point. We monitored our mail servers for availability and the
> > > patch level is as to latest specifications, additionally we have
> > > anti-virus software installed on all E-mail servers.
> > >
> > > Is anybody aware of an unpatched exploit against Exchange Server 2007 ?
> > > Is there any other threat we have not taken into consideration ?
> > >
> > > Do you have recommendations as to how to proceed ? Obviously our mail
> > > servers hold important information and we can't simply turn them off,
> > > though we have procedures on how to respond to incidents we don't have
> > > a procedure for this particular case, as our mail server is inside our
> > > company, maintained and updated regularly we had no important reason
> > > to believe it could be compromised.
> > >
> > > We are currently investigating and took it off line for a few hours,
> > > while installing a new clean server.
> > >
> > > Regards,
> > > Faas M. Mathiasen
> > > CISSP Denmark
> > >
> >
> > The most frequent 'exploit' I see against exchange servers is
> > where users use their business email address and domain login
> > password to register at some web site and either:
> > a) that site gets compromised and those credentials revealed, or
> > b) more likely, someone registered at a pseudo-phishing site
> > (such as 'all the free porn you can view') using their
> > exchange credentials.
> >
> > In either case, the credentials are then used to force the
> > server to send spam, or if the credentials have admin priv, then
> > mangle the server in any way that they please.
> >
> > Regardless of what happened, the best advice I can give is to
> > IMMEDIATELY change ALL user email passwords, and if any were
> > the same as domain passwords, change those too!
> >
> > GOOD LUCK!
> > Jon Kibler
> > --
> > Jon R. Kibler
> > Chief Technical Officer
> > Advanced Systems Engineering Technology, Inc.
> > Charleston, SC USA
> > o: 843-849-8214
> > m: 843-224-2494
> >
>
