Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Possible Mail server compromise ?

From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Mon, 4 Feb 2008 22:57:14 +0100
Dear Tony,

Thank you for your input, it seems that the "data" was sent FROM the
mail server and the data is not e-mails.
I know that there are "vulnerabilities in  Exchange" I was asking if
there are new (0day) vulnerabilities
that have not been patched and can be exploited remotely - from the
outside. We took great care to harden
these servers and they are (of course) not reachable from the "outside".

Please understand that I cannot go into much detail, maybe you are
underestimating our competence,
but your verizon so..obviously you know better. ;)

On Feb 4, 2008 10:39 PM, Tony Maupin <tony () themaupins com> wrote:

Faas,

I would have to agree with Jon Kibler's response, but would like to
add that there are vulnerabilities in Exchange that you may be a
victim of. Most of the time these things happen from other
processes/applications/vulnerabilities on the internal network that
are leveraging your mail infrastructure to distribute collateral. You
should consider engaging a trusted security vendor for professional
services. This could be something simple, but it could also be a huge
problem. This doesn't seem to be the core competency of your group and
some things are better left to those who have the knowledge and
experience.

Tony Maupin, CISSP, CCNA, CCSA, MCSE, PMP, VCI, ACI, SCSA
Senior Risk Consultant
Network & Information Security

Verizon Business Security Solutions Powered by Cybertrust
U.S. Professional Security Services
San Antonio, Texas
Mobile: 210-563-2160
Tony.Maupin () VerizonBusiness com
http://www.verizonbusiness.com/us/security/



On Feb 4, 2008 2:05 PM, Jon R. Kibler <Jon.Kibler () aset com> wrote:


Faas M. Mathiasen wrote:

Dear List,
"We" have noticed a odd traffic pattern emerging from our mail
servers, an important amount of data left our network over the mail
server. Please understand "we" would like
to remain anonymous at this point. We monitored our mail servers for
availability and the patch level is as to latest specifications,
additionally we have anti-virus software
 installed on all E-mail servers.

Is anybody aware of an unpatched exploit against Exchange Server 2007  ?
 Is there any other threat we have not taken into consideration ?

Do you have recommendations as to how to proceed ? Obviously our mail
server hold important information and we can't simply turn them off,
though we have procedures on how to respond to incidents we don't have
a procedure for this particular case, as our mail server is inside our
company, maintained and updated regularly we had no important reason
to believe it could be compromised.

We are currently investigating and took it off line for a few hours,
while installing a new clean server.

Regards,
Faas M. Mathiasen
CISSP Denmark



The most frequent 'exploit' I see against exchange servers is
where users use their business email address and domain login
password to register at some web site and either:
a) that site gets compromised and those credentials revealed, or
b) more likely, someone registered at a pseudo-phishing site
    (such as 'all the free porn you can view') using their
    exchange credentials.

In either case, the credentials are then used to force the
server to send spam, or if the credentials have admin priv, then
mangle the server in any way that they please.

Regardless of what happened, the best advise I can give is to
IMMEDIATELY change ALL user email passwords, and if any were
the same as domain passwords, change those too!

GOOD LUCK!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
Previous By Date Next
Previous By Thread Next

Current thread: