Incidents
Possible Mail server compromise ? Feb 04 2008 06:28PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 12 2008 11:41PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Dear List,
On the 4th of February I posted an message asking a few questions
about a possible mail server compromise [1]
I had a few good responses and lots of offers for help, some of these
messages indirectly lead to the discovery
of what really happened.

I still choose to remain anonymous for obvious reasons but choose to
publish parts of the findings as I feel that some might be as
astonished as I was. Please ignore the obvious spelling errors,it's
00:10 over here and I we are all pretty tired as we spend the last
days investigating and collecting information, logs, events etc.

Here is what we discovered when we correlated all logs, traces, events
and upstream data. The data that left the mailserver - were mails -
wait... not the way they are supposed to leave, what left our
mailserver where gigabytes of mails, no time to go through each of
them.. but we supposed nearly all of our emails we stored were
compromised. Since we use qmail as mx and exchange as corporate mail
server how could this have happened ?

During analysis of the event log, we saw several event entries
indicating the AV scanner crashed multiple times during several hours
before the first huge batch of traffic left the mail server. Nothing
spectacular you might say, this happens from time to time, though
rarely. This lead us to the idea to simply use the Anti-Virus scanner
to rescan the complete in box of all accounts, and then it hit us,
suddenly there were outbound requests being initiated. What tried to
initiate these requests ? The Anti-Virus scanner.We reran the scans
several times and at one particular file the scanner started acting
weirdly. What we discovered was an exploit against the AV scanner
that was triggered when it scanned the attachment to this particular
email... that was not the threat we anticipated. Somebody using a
"spoofed" email address send this file to a publicly disclosed email
address and as soon as the scanner touched the file it triggered... I
thought I had watched a movie. And this is when it hit me pretty bad,
we had allowed the Anti-Vris scanner to get the updates from the
Internet allowing it access to the internet of course... this was the
way the data got out. I am not sure that it would have helped if the
updates would have been pushed internally, after all the exchange
server sends email that somehow get out to the internet, I guess the
way to get out would have just been a bit harder for the attacker.

Is anybody aware if this is common knowledge? Who else has seen such
an attack ? Are you monitoring your mail servers for such compromises
regularly? The name of the Anti-Virus scanner will not be told,
exploit might be available up on request, as soon as we analyzed it
for content that might reveal specifics
about us.

Regards,
Faas M. Mathiasen
CISSP Denmark

[1]
> Dear List,
> "We" have noticed a odd traffic pattern emerging from our mail
> servers, an important amount of data left our network over the mail
> server. Please understand "we" would like
> to remain anonymous at this point. We monitored our mail servers for
> availability and the patch level is as to latest specifications,
> additionally we have anti-virus software
> installed on all E-mail servers.
>
> Is anybody aware of an unpatched exploit against Exchange Server 2007 ?
> Is there any other threat we have not taken into consideration ?
>
> Do you have recommendations as to how to proceed ? Obviously our mail
> server hold important information and we can't simply turn them off,
> though we have procedures on how to respond to incidents we don't have
> a procedure for this particular case, as our mail server is inside our
> company, maintained and updated regularly we had no important reason
> to believe it could be compromised.
>
> We are currently investigating and took it off line for a few hours,
> while installing a new clean server.
>
> Regards,
> Faas M. Mathiasen
> CISSP Denmark
>

[ reply ]
Re: Possible Mail server compromise ? Feb 18 2008 07:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:43AM
Eduardo Tongson (propolice gmail com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:33PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 02:38AM
Eduardo Tongson (propolice gmail com)
Re: Possible Mail server compromise ? Feb 19 2008 05:35PM
Bob Toxen (vger verysecurelinux com) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:14AM
Jon Oberheide (jon oberheide org) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 05:11PM
Valdis Kletnieks vt edu (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:25PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 11:07PM
Peter Kosinar (goober ksp sk) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 10:49AM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
RE: Possible Mail server compromise ? Feb 22 2008 12:38AM
Richard C Lewis (chad mr-lew com) (1 replies)
Re: Possible Mail server compromise ? Feb 26 2008 04:19PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 19 2008 06:46PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (3 replies)
Re: Possible Mail server compromise ? Feb 20 2008 02:48PM
Eygene Ryabinkin (rea-sec codelabs ru) (2 replies)
Re: Possible Mail server compromise ? Feb 20 2008 10:59PM
Valdis Kletnieks vt edu (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 10:31AM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 21 2008 05:13PM
Paul Schmehl (pauls utdallas edu)
Re: Possible Mail server compromise ? Feb 20 2008 07:10PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 20 2008 07:05AM
Bob Toxen (vger VerySecureLinux com) (1 replies)
Re: Possible Mail server compromise ? Feb 20 2008 07:25PM
Faas M. Mathiasen (faas m mathiasen googlemail com)
Re: Possible Mail server compromise ? Feb 20 2008 01:51AM
Valdis Kletnieks vt edu
Re: Possible Mail server compromise ? Feb 13 2008 09:55AM
Michael Loftis (mloftis wgops com)
Re: Possible Mail server compromise ? Feb 13 2008 05:09AM
Jon Oberheide (jon oberheide org)
Re: Possible Mail server compromise ? Feb 04 2008 07:05PM
Jon R. Kibler (Jon Kibler aset com) (1 replies)
Re: Possible Mail server compromise ? Feb 04 2008 09:39PM
Tony Maupin (tony themaupins com) (1 replies)
Re: Possible Mail server compromise ? Feb 04 2008 09:57PM
Faas M. Mathiasen (faas m mathiasen googlemail com) (1 replies)
Re: Possible Mail server compromise ? Feb 05 2008 05:49PM
Valdis Kletnieks vt edu
RE: Possible Mail server compromise ? Feb 04 2008 06:58PM
Worrell, Brian (BWorrell isdh IN gov)


 

Privacy Statement
Copyright 2010, SecurityFocus