Questions

Hijacked Exchange Server

Locked


pilot80
My Exchange Server is sending spam from an unrecognized address. I can see different IPs logging in and out, mostly from Europe.
How can I stop this?
We are being blacklisted...

    re:

    Churdoo

    Make sure you don't have any blank or weak passwords, and read this article.
    http://support.microsoft.com/kb/895853

    If you post back more questions, include your Exchange Server version and service pack.

    pilot80

    I have followed this KB
    Still I get someone connecting from foreign IPs
    Do you know how to set up the Exchange server so that only domain users can send emails?
    Exchange Server 2007 SP1

    bart777

    Go into the properties of your SMTP virtual server in the Exchange Server Manager.

    Look for the relay button on the access tab. Make sure that there are no open relays. This is a sure-fire way to let people hijack you and get you blacklisted.

    You can also go into the connection area and add these IP addresses to the do not allow list.

    Best of luck

    pilot80

    The IP address changes constantly
    It seems they connect to the server through port 0 (as per the log)
    If I try to open relay, it says it cannot open relay on port 25.
    Can there be a relay on port 0 forwarding to 25?
    I am so lost with this


    Log

    pilot80

    Here is a copy of the last SMTP log:

    #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port time-taken
    2007-11-12 15:46:38 88.229.197.11 dsl88-229-50443.ttnet.net.tr SMTPSVC1 SBSERVER 192.168.11.11 0 312
    2007-11-12 15:46:38 88.229.197.11 dsl88-229-50443.ttnet.net.tr SMTPSVC1 SBSERVER 192.168.11.11 0 0
    2007-11-12 15:46:44 88.229.197.11 dsl88-229-50443.ttnet.net.tr SMTPSVC1 SBSERVER 192.168.11.11 0 5000
    2007-11-12 15:46:44 88.229.197.11 dsl88-229-50443.ttnet.net.tr SMTPSVC1 SBSERVER 192.168.11.11 0 0
    2007-11-12 15:46:51 88.229.197.11 dsl88-229-50443.ttnet.net.tr SMTPSVC1 SBSERVER 192.168.11.11 0 0

    Churdoo

    In that case, I would block that whole network from accessing the server. Looking up 88.229.197.11 on arin.net returns that IP as belonging to 88.0.0.0-88.255.255.255 in the Netherlands (what a surprise!).

    So I would go into the Exchange Server SMTP virtual server properties and deny access by that entire range and restart SMTP. That should let things settle down long enough for you to complete damage control.

    pilot80

    Though unfortunately, this was just one instance with one IP I pasted.
    There are so many different IP ranges logging in, it's unbelievable. It's coming from all over Europe.

    Kjell_Andorsen

    Instead of disallowing specific IPs or even IP ranges, the smart thing to do is to block anyone that's not part of your internal IP range.


    Log

    pilot80

    I included a new log with the method.
    It shows RCPT 250.
    Does that mean they are using relay to login?
    If so, how come the port is 0?
    And then how come when I try to relay it gives me a 550 error?

    #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method sc-status sc-bytes cs-bytes time-taken cs-host cs(User-Agent)
    2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 HELO 250 47 12 2266 - -
    2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 MAIL 250 59 46 0 - -
    2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 30 15 - -
    2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 28 0 - -
    2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 32 16 - -
    2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 33 0 - -
    2007-11-12 17:00:06 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 DATA 250 122 1088 234 - -
    2007-11-12 17:00:06 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 QUIT 240 67 4 0 - -
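The log above records one SMTP command per line, so the question "does RCPT 250 mean they are relaying?" can be answered by reassembling each client's session and checking whether MAIL, RCPT and DATA were all answered 250 by a client that is not on the LAN, which is also the check Kjell_Andorsen's advice (allow only the internal range) is based on. The script below is an added example, not code from the thread or from Microsoft: it parses the `#Fields:` header the way IIS/Exchange SMTP logs are laid out, skips clients inside an assumed internal range (192.168.11.0/24), and summarises the outcome per external client. The sample log is constructed: the 200.106.75.211 session is taken from the post, while 192.168.11.50 and 203.0.113.9 are made up. Treating `cs-username` as the name the client announced in HELO is an assumption about this log format.

```python
"""Triage an IIS/Exchange SMTP virtual server W3C log for accepted external sessions.

Added example, not from the forum thread. Reassembles per-client SMTP sessions
from the one-command-per-line log and reports which external clients had a
message accepted (MAIL, RCPT and DATA all answered 250).
"""
import ipaddress

# Assumed internal LAN range; adjust to the site's own subnets.
INTERNAL_RANGES = [ipaddress.ip_network("192.168.11.0/24")]

# Constructed sample log in the same layout as the second log pasted in the thread.
# 200.106.75.211 lines come from the post; 192.168.11.50 and 203.0.113.9 are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method sc-status sc-bytes cs-bytes time-taken cs-host cs(User-Agent)
2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 HELO 250 47 12 2266 - -
2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 MAIL 250 59 46 0 - -
2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 30 15 - -
2007-11-12 17:00:05 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 28 0 - -
2007-11-12 17:00:06 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 DATA 250 122 1088 234 - -
2007-11-12 17:00:06 200.106.75.211 esquema SMTPSVC1 SBSERVER 192.168.11.11 0 QUIT 240 67 4 0 - -
2007-11-12 17:02:10 192.168.11.50 workstation1 SMTPSVC1 SBSERVER 192.168.11.11 0 HELO 250 47 12 0 - -
2007-11-12 17:02:10 192.168.11.50 workstation1 SMTPSVC1 SBSERVER 192.168.11.11 0 MAIL 250 59 46 0 - -
2007-11-12 17:02:10 192.168.11.50 workstation1 SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 250 0 30 0 - -
2007-11-12 17:02:11 192.168.11.50 workstation1 SMTPSVC1 SBSERVER 192.168.11.11 0 DATA 250 122 900 10 - -
2007-11-12 17:05:00 203.0.113.9 unknownhost SMTPSVC1 SBSERVER 192.168.11.11 0 HELO 250 47 12 0 - -
2007-11-12 17:05:00 203.0.113.9 unknownhost SMTPSVC1 SBSERVER 192.168.11.11 0 MAIL 250 59 46 0 - -
2007-11-12 17:05:00 203.0.113.9 unknownhost SMTPSVC1 SBSERVER 192.168.11.11 0 RCPT 550 0 30 0 - -
2007-11-12 17:05:01 203.0.113.9 unknownhost SMTPSVC1 SBSERVER 192.168.11.11 0 QUIT 240 67 4 0 - -
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data lines before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_internal(ip):
    """True when the client address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_external_sessions(rows):
    """Per external client IP, count 250 replies to MAIL/RCPT/DATA and 5xx replies to RCPT."""
    per_client = {}
    for r in rows:
        ip = r.get("c-ip")
        if ip is None or is_internal(ip):
            continue  # internal clients are expected to submit mail
        s = per_client.setdefault(ip, {
            "announced_name": r.get("cs-username"),  # assumed to be the HELO name
            "mail_ok": 0, "rcpt_ok": 0, "rcpt_rejected": 0, "data_ok": 0})
        method, status = r.get("cs-method"), r.get("sc-status")
        if method == "MAIL" and status == "250":
            s["mail_ok"] += 1
        elif method == "RCPT":
            if status == "250":
                s["rcpt_ok"] += 1
            elif status and status.startswith("5"):
                s["rcpt_rejected"] += 1  # e.g. 550 "unable to relay"
        elif method == "DATA" and status == "250":
            s["data_ok"] += 1
    for s in per_client.values():
        accepted = s["mail_ok"] and s["rcpt_ok"] and s["data_ok"]
        s["verdict"] = "MESSAGE ACCEPTED" if accepted else "rejected or incomplete"
    return per_client


if __name__ == "__main__":
    for ip, s in sorted(find_external_sessions(parse_w3c(SAMPLE_LOG)).items()):
        print(f"{ip:16} helo={s['announced_name']:13} MAIL={s['mail_ok']} "
              f"RCPT ok={s['rcpt_ok']} rejected={s['rcpt_rejected']} "
              f"DATA={s['data_ok']} -> {s['verdict']}")
```

Two things the log itself cannot tell you, which the output should be read with in mind: the file carries no recipient addresses, so "MESSAGE ACCEPTED" from an external host is either normal inbound mail to your own domain or a relayed message, and only message tracking (or the SMTP protocol log) will separate the two; and a 550 on your own relay test, as in the 203.0.113.9 session, does not rule out the spammer's path, because an authenticated session or a client in a permitted relay list is accepted where an anonymous one is refused. The `s-port 0` column is simply how this log records the server port, not a separate listener.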

    TheVirtualOne

    Do us all a favor and take it offline.
    You've been hacked!

    You might as well use your time setting up a new server rather than trying to figure this one out!

    It's all about time and money. You need to keep this thing from blacklisting you everywhere.

    pilot80

    I guess I will get an email security appliance or a firewall.
    That should solve the problem.

    Kjell_Andorsen

    These appliances are very useful and well worth the price. My personal favorites are Barracuda and Ironport, both are easy to set up, easy to manage and will make your life much easier.

    pilot80

    We just bought an Ironport.
    Maybe I need a firewall??

    Kjell_Andorsen

    The Ironport for all intents and purposes will act as a firewall for your e-mail. Of course it's wise to have a regular old firewall to protect your network as well.
