Exchange 2000


Sam Ramsey

I have Exchange 2000 with all the latest patches and IIS
lockdown loaded. I also have a Cisco PIX firewall with
only port 25 and 80 available on the outside IP address of
the exchange box.

I just loaded web monitoring software for our network
and noticed that the exchange box is going to porn web sites
all day long. I thought it might be monitoring email
traffic, but that is not the case. I am assuming some hacker is
exploiting a vulnerability in Exchange 2000. Possibly IIS
and port 80 or 25? Is there anything I can do about this?
 
Sam said:
I have Exchange 2000 with all the latest patches and IIS
lockdown loaded. I also have a Cisco PIX firewall with
only port 25 and 80 available on the outside IP address of
the exchange box.

I just loaded web monitoring software for our network
and noticed that the exchange box is going to porn web sites
all day long. I thought it might be monitoring email
traffic, but that is not the case. I am assuming some hacker is
exploiting a vulnerability in Exchange 2000. Possibly IIS
and port 80 or 25? Is there anything I can do about this?

I think the first thing you need to do is to figure out exactly what is
going on. No one is going to be able to say what you should do about "this"
until we all have a better idea of precisely what "this" is.

If you are convinced that the box has been compromised, I would suggest the
"other" first thing to do is to disconnect it from the network while doing
so. Keep in mind that if someone has compromised an exchange server then
they possibly have all kinds of access to things that most businesses would
like to keep confidential. I realise that will probably be an unpopular
decision but I do strongly suggest it because the costs of hackers being
able to access your corporate network and possibly even read emails can be
limitless.

Are there any records of *what* is connecting to these porn sites all day
from the exchange box? Any signs on the box itself (history trails, etc?).

Are you certain it isn't someone internal to your network who maybe has
access to this system (is it running Terminal Services? In an area others
besides you can access physically?) and is well aware that you are
monitoring web access? If you are just about to say "no" to the question
about people using it this way, then would you stake your job on the answer?

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Sam Ramsey said:
I have Exchange 2000 with all the latest patches and IIS
lockdown loaded. I also have a Cisco PIX firewall with
only port 25 and 80 available on the outside IP address of
the exchange box.

I just loaded web monitoring software for our network
and noticed that the exchange box is going to porn web sites
all day long. I thought it might be monitoring email
traffic, but that is not the case. I am assuming some hacker is
exploiting a vulnerability in Exchange 2000. Possibly IIS
and port 80 or 25? Is there anything I can do about this?

Why is the exchange/IIS server being allowed out on port 80 in the first
place? It has no need for web access and should be blocked at the firewall.
Firewalls aren't just useful for keeping the baddies out, they are also
useful for stopping stuff escaping your network that has no need to.
Set up a web proxy (with authentication) and only allow traffic from the
proxy server IP out through the firewall on port 80.

Regards
Andy.
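
The egress policy Andy describes (only the proxy may go out on port 80) can also be checked against the web-monitor or firewall log, which is how the original poster spotted the problem in the first place. The script below is an added example, not code from anyone in this thread; the LAN range, proxy address, server inventory and log format are all constructed for illustration.

```python
# Added example: flag internal hosts other than the proxy that make outbound
# web connections. A server such as the Exchange box showing up here is
# exactly the symptom described in the thread. All addresses are constructed.
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed LAN range
PROXY_IP = ipaddress.ip_address("10.0.0.10")         # assumed proxy address
SERVERS = {"10.0.0.5": "exchange01"}                  # assumed server inventory
WEB_PORTS = {80}                                      # ports the proxy handles

# Constructed log format: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")

SAMPLE_LOG = """\
10:00:01 10.0.0.10:51000 -> 198.51.100.7:80
10:00:02 10.0.0.5:1034 -> 203.0.113.9:80
10:00:03 10.0.0.5:1035 -> 203.0.113.22:80
10:00:04 10.0.0.23:2001 -> 198.51.100.7:80
10:00:05 10.0.0.5:1036 -> 192.0.2.15:25
"""

def egress_violations(log_text):
    """Return Counter {host label: count} of outbound web connections made by
    internal hosts other than the proxy (the only host allowed out on 80)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guess
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(4))
        dport = int(m.group(5))
        # Only internal -> external traffic on web ports is in scope
        if src not in INTERNAL_NET or dst in INTERNAL_NET or dport not in WEB_PORTS:
            continue
        if src == PROXY_IP:
            continue  # legitimate path: traffic leaving via the proxy
        hits[SERVERS.get(str(src), str(src))] += 1
    return hits

if __name__ == "__main__":
    for host, n in egress_violations(SAMPLE_LOG).most_common():
        tag = "SERVER" if host in SERVERS.values() else "client"
        print(f"{tag:6} {host}: {n} outbound web connection(s) bypassing the proxy")
```

Anything the script reports from a server is a candidate for the firewall deny rule Andy recommends, and a starting point for finding which process on that box is opening the connections.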
 
Andy,

Just wondering...is this the same case if you want to use OWA on the
Exchange?

Thanks
GX
 
HG said:
Andy,

Just wondering...is this the same case if you want to use OWA on the
Exchange?

Yes. OWA requires incoming port 80, not outgoing. You only need outgoing port
80 if you are planning on browsing the web from your server (not recommended)
or have a service like SUS running on the same box.


Andy.
 