network hacking help!!

hey guys I have a predator trying to hack into the company network.

they are sending messages to users as the system administrator saying they need to renew there accounts etc... but dont have the right email adresses except for my account which is the domain a member of the domain controllers group. is there a tool I can use to monitor them, and to trace the location they are hacking from

?

the network: a small business server running 2000 (exchange). acting as the primary domain controller. 1 terminal server running 2000 server. and a 2000 sql server. the workstations are running xp pro. the network has a hardware firewall with 2 16 port switches and a router as the gateway to the internet (dsl).

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

darkmagic

Did you had a chance to look at the headers ?

neo468

no how do I do that

darkmagic

What's your e-mail program?

Edit:

1 <-- If you are using microsoft Outlook: Click Here

2 <-- If you are using Outlook Express: Click Here

neo468

were using outlook 2003

keatron

First thing is patch your exchange server and lock it down to prevent relaying. Start by going to Microsoft's web site, reading the bulletins I have listed below. Then applying the patches. Reading the bulletins will give you a better understanding of what the attacker is actually doing.

Microsoft Security Bulletin -- MS02-011 Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service
Microsoft Security Bulletin MS99-027 - Encapsulated SMTP Address Vulnerability
XIMS Messages Sent to Encapsulated SMTP Address Are Rerouted Even Though Rerouting Is Disabled

go here
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/b218d8a9-8d3a-4c7d-b0a9-c969ee1232f6.mspx

Follow the reccomendations here which will get you headed in the right direction to keep your exchange server from being used as a relay agent (based on what you've posted this far, it sounds like that might be part of what's going on).

There is a chance that your admin passwords have been compromised. Change them immediately.

Is the person actually using the administrator account? Or just claiming that they're the administrator in the emails? (Check your event logs, if you don't have auditing enabled, do this immediately also) Be aware of the fact that auditing everything will create a lot of data, so you will need to determine what you should be auditing.

What types of security measures do you currently have in place?

It's already been pointed out to check your headers. Looking at them can usually tell you if relaying is happening.

This should get you started. Post back as you progress.

RussS

I had a few clients who have been getting similar emails a few months back. If I am right, what you are experiencing is a phishing attempt and not that you have necessarily been compromised.

Some very good advice has already been posted, but I would also add that you should google the subject line of the offending email - usually that will give you a good indication if it is a known issue.

strauchr

I have seen this several times before. Unfortunately there is not much you can do about other than investing in some anti-spam protection.

Basically its just a massive spam attack. A spammer has got hold of your domain and is just trying to send bulks of e-mails to any address such as bob@yourdomain.com, mary@yourdomain.com etc. So you end up with most of the e-mails not hitting anyone but some do.

It then gets caught in a cycle because your exchange server tries to reply to the spam and can't because the originating address is false.

So here is the hard bit. You have to shut down exchange services (easier to do it this way) and delete the menacing messages that have been rejected. they are stored in the bin folder under badmail on you exchange server. You need to delete all files in there which could be thousands.

You also have to check your exchange queues and delete any messages trying to be sent to or from strange e-mail addresses. Better check to see if they are legit first though.

This is only from the symptoms your describing I am taking a guess. It could be a virus or some of the things the other guys said. Try it and let me know how you go.

neo468

well I do have a resolution. The company has decided to go ahead and install a new exchange server so at this point I am going to ignore the messages until the data is migrated to the new server, wich will be running 2003. After the server is up and running I will post you, thanks for the help guys I appreciate it.

rossonieri#1

neo468 wrote:

well I do have a resolution. The company has decided to go ahead and install a new exchange server so at this point I am going to ignore the messages until the data is migrated to the new server, wich will be running 2003. After the server is up and running I will post you, thanks for the help guys I appreciate it.

what is the purpose of doing that??
i think it will be useless - since your domain name still there. the attacker will simply put this (mailto:*.*@yourdomain.any) to your mail server.
what you need is a security solution that will drop those kind of attack - like messaging gateway security systems... anyone recommend any software??

RussS

The problem with this type of attack is the cost to the business for the data traffic created. We had a client who used up his months internet traffic allowance in 2 days due to the volume of mail coming into his exchange server and the resulting volume of mail being bounced back.

The first thing we did on day 3 once this was apparent was to stop the return mail by creating a *catch all* account so we only had one way traffic to worry about. We then went a step further by tightening up the firewall and had our *nix guy design a mail filtering system that would not allow mail through unless it was addressed to a valid email account.

On day 4 we started some serious forensic investigation and tracked the source of the spam down to an unsecured server that was allowing email relay. After contacting the administrator of this server ansd getting a response that was worse than useless we had his IP address put on a black list - we then contacted his ISP and he was closed down.

neo468

The new exchange server is not a result of the attacks but has been schedule to be done this week. Several weeks ago. All the workstations were upgraded last week. The malicious emails began yesterday. So as soon as the new server is up and running I will do what you guys recommended.