network hacking help!!

neo468neo468 Member Posts: 123
hey guys I have a predator trying to hack into the company network. icon_mad.gif they are sending messages to users as the system administrator saying they need to renew there accounts etc... but dont have the right email adresses except for my account which is the domain a member of the domain controllers group. is there a tool I can use to monitor them, and to trace the location they are hacking from icon_rolleyes.gif ?

the network: a small business server running 2000 (exchange). acting as the primary domain controller. 1 terminal server running 2000 server. and a 2000 sql server. the workstations are running xp pro. the network has a hardware firewall with 2 16 port switches and a router as the gateway to the internet (dsl).
1's and 0's

Comments

  • darkmagicdarkmagic Member Posts: 127
    Did you had a chance to look at the headers ?
    321hahaha.jpg
  • neo468neo468 Member Posts: 123
    no how do I do that
    1's and 0's
  • darkmagicdarkmagic Member Posts: 127
    What's your e-mail program?

    Edit:

    1 <-- If you are using microsoft Outlook: Click Here

    2 <-- If you are using Outlook Express: Click Here
    321hahaha.jpg
  • neo468neo468 Member Posts: 123
    were using outlook 2003
    1's and 0's
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    First thing is patch your exchange server and lock it down to prevent relaying. Start by going to Microsoft's web site, reading the bulletins I have listed below. Then applying the patches. Reading the bulletins will give you a better understanding of what the attacker is actually doing.

    Microsoft Security Bulletin -- MS02-011 Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service
    Microsoft Security Bulletin MS99-027 - Encapsulated SMTP Address Vulnerability
    XIMS Messages Sent to Encapsulated SMTP Address Are Rerouted Even Though Rerouting Is Disabled

    go here
    http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/b218d8a9-8d3a-4c7d-b0a9-c969ee1232f6.mspx

    Follow the reccomendations here which will get you headed in the right direction to keep your exchange server from being used as a relay agent (based on what you've posted this far, it sounds like that might be part of what's going on).

    There is a chance that your admin passwords have been compromised. Change them immediately.

    Is the person actually using the administrator account? Or just claiming that they're the administrator in the emails? (Check your event logs, if you don't have auditing enabled, do this immediately also) Be aware of the fact that auditing everything will create a lot of data, so you will need to determine what you should be auditing.

    What types of security measures do you currently have in place?

    It's already been pointed out to check your headers. Looking at them can usually tell you if relaying is happening.

    This should get you started. Post back as you progress.
  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    I had a few clients who have been getting similar emails a few months back. If I am right, what you are experiencing is a phishing attempt and not that you have necessarily been compromised.

    Some very good advice has already been posted, but I would also add that you should google the subject line of the offending email - usually that will give you a good indication if it is a known issue.
    www.supercross.com
    FIM website of the year 2007
  • strauchrstrauchr Member Posts: 528 ■■■□□□□□□□
    I have seen this several times before. Unfortunately there is not much you can do about other than investing in some anti-spam protection.

    Basically its just a massive spam attack. A spammer has got hold of your domain and is just trying to send bulks of e-mails to any address such as bob@yourdomain.com, mary@yourdomain.com etc. So you end up with most of the e-mails not hitting anyone but some do.

    It then gets caught in a cycle because your exchange server tries to reply to the spam and can't because the originating address is false.

    So here is the hard bit. You have to shut down exchange services (easier to do it this way) and delete the menacing messages that have been rejected. they are stored in the bin folder under badmail on you exchange server. You need to delete all files in there which could be thousands.

    You also have to check your exchange queues and delete any messages trying to be sent to or from strange e-mail addresses. Better check to see if they are legit first though.

    This is only from the symptoms your describing I am taking a guess. It could be a virus or some of the things the other guys said. Try it and let me know how you go.
  • neo468neo468 Member Posts: 123
    well I do have a resolution. The company has decided to go ahead and install a new exchange server so at this point I am going to ignore the messages until the data is migrated to the new server, wich will be running 2003. After the server is up and running I will post you, thanks for the help guys I appreciate it. :)
    1's and 0's
  • rossonieri#1rossonieri#1 Member Posts: 799 ■■■□□□□□□□
    neo468 wrote:
    well I do have a resolution. The company has decided to go ahead and install a new exchange server so at this point I am going to ignore the messages until the data is migrated to the new server, wich will be running 2003. After the server is up and running I will post you, thanks for the help guys I appreciate it. :)

    what is the purpose of doing that??
    i think it will be useless - since your domain name still there. the attacker will simply put this (mailto:*.*@yourdomain.any) to your mail server.
    what you need is a security solution that will drop those kind of attack - like messaging gateway security systems... anyone recommend any software??
    the More I know, that is more and More I dont know.
  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    The problem with this type of attack is the cost to the business for the data traffic created. We had a client who used up his months internet traffic allowance in 2 days due to the volume of mail coming into his exchange server and the resulting volume of mail being bounced back.

    The first thing we did on day 3 once this was apparent was to stop the return mail by creating a *catch all* account so we only had one way traffic to worry about. We then went a step further by tightening up the firewall and had our *nix guy design a mail filtering system that would not allow mail through unless it was addressed to a valid email account.

    On day 4 we started some serious forensic investigation and tracked the source of the spam down to an unsecured server that was allowing email relay. After contacting the administrator of this server ansd getting a response that was worse than useless we had his IP address put on a black list - we then contacted his ISP and he was closed down.
    www.supercross.com
    FIM website of the year 2007
  • neo468neo468 Member Posts: 123
    The new exchange server is not a result of the attacks but has been schedule to be done this week. Several weeks ago. All the workstations were upgraded last week. The malicious emails began yesterday. So as soon as the new server is up and running I will do what you guys recommended.
    1's and 0's
Sign In or Register to comment.