Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Wed, 13 Feb 2008 00:41:28 +0100
Dear List, On the 4th of February I posted an message asking a few questions about a possible mail server compromise [1] I had a few good responses and lots of offers for help, some of these messages indirectly lead to the discovery of what really happened. I still choose to remain anonymous for obvious reasons but choose to publish parts of the findings as I feel that some might be as astonished as I was. Please ignore the obvious spelling errors,it's 00:10 over here and I we are all pretty tired as we spend the last days investigating and collecting information, logs, events etc. Here is what we discovered when we correlated all logs, traces, events and upstream data. The data that left the mailserver - were mails - wait... not the way they are supposed to leave, what left our mailserver where gigabytes of mails, no time to go through each of them.. but we supposed nearly all of our emails we stored were compromised. Since we use qmail as mx and exchange as corporate mail server how could this have happened ? During analysis of the event log, we saw several event entries indicating the AV scanner crashed multiple times during several hours before the first huge batch of traffic left the mail server. Nothing spectacular you might say, this happens from time to time, though rarely. This lead us to the idea to simply use the Anti-Virus scanner to rescan the complete in box of all accounts, and then it hit us, suddenly there were outbound requests being initiated. What tried to initiate these requests ? The Anti-Virus scanner.We reran the scans several times and at one particular file the scanner started acting weirdly. What we discovered was an exploit against the AV scanner that was triggered when it scanned the attachment to this particular email... that was not the threat we anticipated. Somebody using a "spoofed" email address send this file to a publicly disclosed email address and as soon as the scanner touched the file it triggered... I thought I had watched a movie. And this is when it hit me pretty bad, we had allowed the Anti-Vris scanner to get the updates from the Internet allowing it access to the internet of course... this was the way the data got out. I am not sure that it would have helped if the updates would have been pushed internally, after all the exchange server sends email that somehow get out to the internet, I guess the way to get out would have just been a bit harder for the attacker. Is anybody aware if this is common knowledge? Who else has seen such an attack ? Are you monitoring your mail servers for such compromises regularly? The name of the Anti-Virus scanner will not be told, exploit might be available up on request, as soon as we analyzed it for content that might reveal specifics about us. Regards, Faas M. Mathiasen CISSP Denmark [1]
Dear List, "We" have noticed a odd traffic pattern emerging from our mail servers, an important amount of data left our network over the mail server. Please understand "we" would like to remain anonymous at this point. We monitored our mail servers for availability and the patch level is as to latest specifications, additionally we have anti-virus software installed on all E-mail servers. Is anybody aware of an unpatched exploit against Exchange Server 2007 ? Is there any other threat we have not taken into consideration ? Do you have recommendations as to how to proceed ? Obviously our mail server hold important information and we can't simply turn them off, though we have procedures on how to respond to incidents we don't have a procedure for this particular case, as our mail server is inside our company, maintained and updated regularly we had no important reason to believe it could be compromised. We are currently investigating and took it off line for a few hours, while installing a new clean server. Regards, Faas M. Mathiasen CISSP Denmark
Current thread:
- Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- RE: Possible Mail server compromise ? Worrell, Brian (Feb 04)
- Re: Possible Mail server compromise ? Jon R. Kibler (Feb 04)
- Re: Possible Mail server compromise ? Tony Maupin (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 05)
- Re: Possible Mail server compromise ? Tony Maupin (Feb 04)
- Message not available
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Message not available
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Gary Baribault (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Michael Loftis (Feb 13)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 13)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 19)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Eygene Ryabinkin (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)