Exchange 2000 - Port 80


Sam Ramsey

I have an Exchange 2000 with all the latest patches and
IIS lockdown loaded. I have a Cisco firewall and am allowing
only port 25 and 80 on the outside IP address.

External hackers are connecting to port 80 and accessing
porn sites through my Exchange server. It seems like they are
using my Exchange server as a proxy server. I am using
Active Ports to monitor the ports on the Exchange server
and notice them connecting to port 80. I also have web
monitoring software and notice the traffic to the porn
sites on the Exchange server. Is this a known problem with
Exchange 2000? I don't think it is a problem with the
firewall because I need to allow port 80 for OWA.
 
Sam said:
I have an Exchange 2000 with all the latest patches and
IIS lockdown loaded. I have a Cisco firewall and am allowing
only port 25 and 80 on the outside IP address.

External hackers are connecting to port 80 and accessing
porn sites through my Exchange server. It seems like they are
using my Exchange server as a proxy server. I am using
Active Ports to monitor the ports on the Exchange server
and notice them connecting to port 80. I also have web
monitoring software and notice the traffic to the porn
sites on the Exchange server. Is this a known problem with
Exchange 2000? I don't think it is a problem with the
firewall because I need to allow port 80 for OWA.

Sam,
You asked this question yesterday and I posted an answer with some more
questions for you about your exact situation and a couple of suggestions.

If you felt that my reply and the other I see you got were not helpful, it
may be better to reply to that thread, explaining why you think those
replies are not much use, rather than just posting the same original
question over again.

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
This is not the same posting. I did some research and now
have a better understanding of what is going on. This
posting is more precise than my other posting. I
appreciate your help and am sorry if you are bothered by
this second posting.
 
This is not the same posting. I did some research and now
have a better understanding of what is going on. This
posting is more precise than my other posting. I
appreciate your help and am sorry if you are bothered by
this second posting.

Yes there is some more detail, my apologies. I'll address the new points
below.

I've never seen this as a problem with Exchange 2000. It's not even a problem
with IIS in general in its default state. My thoughts would be about the
general configuration of the machine, what other web apps are running on
this box besides OWA? If you look in the IIS console you should be able to
see all the stuff in your "website" and might spot anything unexpected.

Certainly by default IIS should be keeping logs of every connection, if you
can pinpoint a time you see an attack going on and then review the IIS logs
of web connections at that time you should be able to see exactly what they
are connecting to initially in order to instigate things.

Lastly, I can only repeat my earlier advice about taking this machine out of
active service while you investigate this problem: You know that your box
may have been hacked somehow. You know that you are seeing connections
coming out of it that you dislike. What else might be happening on that
server that you don't yet know about?

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
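
The log review suggested in the reply above, as an added example that is not part of the original thread: it reads an IIS log in W3C extended format, keeps the requests inside a chosen time window, and lists what each client asked for. The sample log, its addresses and host names are constructed; the code assumes the `date` and `time` fields are enabled in the log, and the "proxy-style" test (a `CONNECT` method or an absolute URL in `cs-uri-stem`) is a heuristic assumed here, not something the thread states.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in W3C extended format; all addresses and hosts are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2004-03-02 14:01:10 192.0.2.10 GET /exchange/ 401 mail.example.test
2004-03-02 14:05:32 198.51.100.7 GET http://other.example.net/index.html 200 other.example.net
2004-03-02 14:05:40 198.51.100.7 CONNECT other.example.net:443 200 -
2004-03-02 14:06:02 192.0.2.10 GET /exchange/sam/Inbox/ 200 mail.example.test
2004-03-02 16:30:00 198.51.100.7 GET http://other.example.net/late.html 200 other.example.net
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def looks_proxied(row):
    """Heuristic (assumption): CONNECT or an absolute URL is not normal OWA traffic."""
    stem = row.get("cs-uri-stem", "").lower()
    return row.get("cs-method") == "CONNECT" or stem.startswith(("http://", "https://"))

def review_window(text, start, end):
    """Return (request counts per client/method/stem, proxy-style rows) in the window."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lo, hi = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    seen, suspicious = Counter(), []
    for row in parse_w3c(text):
        when = datetime.strptime(f"{row['date']} {row['time']}", fmt)
        if lo <= when <= hi:
            seen[(row["c-ip"], row["cs-method"], row["cs-uri-stem"])] += 1
            if looks_proxied(row):
                suspicious.append(row)
    return seen, suspicious

if __name__ == "__main__":
    counts, flagged = review_window(SAMPLE_LOG, "2004-03-02 14:00:00", "2004-03-02 15:00:00")
    for (ip, method, stem), n in counts.most_common():
        print(n, ip, method, stem)
    print("proxy-style requests:", len(flagged))
```

W3C extended logs record times in UTC, so convert the time seen in the port monitor before choosing the window.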
 
Sam Ramsey said:
I have an Exchange 2000 with all the latest patches and
IIS lockdown loaded. I have a Cisco firewall and am allowing
only port 25 and 80 on the outside IP address.

External hackers are connecting to port 80 and accessing
porn sites through my Exchange server. It seems like they are
using my Exchange server as a proxy server. I am using
Active Ports to monitor the ports on the Exchange server
and notice them connecting to port 80. I also have web
monitoring software and notice the traffic to the porn
sites on the Exchange server. Is this a known problem with
Exchange 2000? I don't think it is a problem with the
firewall because I need to allow port 80 for OWA.

It *is* a problem with your firewall config.
OWA needs a rule on the firewall to allow *incoming* connections on port
80. As I stated in my earlier reply, there is absolutely no need to allow
outgoing connections from your exchange server where the destination is
port 80.
Block it at your firewall.

Andy.
 
Andrew Mitchell said:
It *is* a problem with your firewall config.

That should read it is *partially* a problem with the firewall.
There are obviously other problems here but the outgoing port 80 access is
the easiest one to fix.
 