RE: Possible Mail server compromise ?

["Worrell, Brian" <BWorrell () isdh IN gov>]

Faas,

Are you sure that it was started by your Exchange server, and not a
workstation on the network?  How detailed do you have your Exchange
logging set too at this point?

Also by taking it off line, does this mean you rebooted it, or just took
it off the network?  

I personally do not know of any Exchange 2007 bugs, but never would bet
on anything being perfect.  How is your Server?  Anything else on the
server seem odd?  

Hope that helps some.  

-----Original Message-----
From: Faas M. Mathiasen [mailto:faas.m.mathiasen () googlemail com] 
Sent: Monday, February 04, 2008 1:28 PM
To: forensics () securityfocus com; incidents () securityfocus com
Subject: Possible Mail server compromise ?

Dear List,
"We" have noticed a odd traffic pattern emerging from our mail servers,
an important amount of data left our network over the mail server.
Please understand "we" would like to remain anonymous at this point. We
monitored our mail servers for availability and the patch level is as to
latest specifications, additionally we have anti-virus software
installed on all E-mail servers.

Is anybody aware of an unpatched exploit against Exchange Server 2007  ?
 Is there any other threat we have not taken into consideration ?

Do you have recommendations as to how to proceed ? Obviously our mail
server hold important information and we can't simply turn them off,
though we have procedures on how to respond to incidents we don't have a
procedure for this particular case, as our mail server is inside our
company, maintained and updated regularly we had no important reason to
believe it could be compromised.

We are currently investigating and took it off line for a few hours,
while installing a new clean server.

Regards,
Faas M. Mathiasen
CISSP Denmark