Our Exchange Server 2003 got hacked - Questions
- I work at a school here in Van Nuys, CA. A student seems to have sent an e-mail out to all members in the Global Address List and also to the class, students, and staff groups. Students are not allowed permission to send to groups. After looking at the security log on the Exchange server, the student seemed to have been logging in periodically throughout the day. However, the "Workstation Name" and "Source Network Address" were not in our domain.
Workstation names and network addresses (I have X'ed out certain information):
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/13/2009
Time: 12:44:06 PM
User: XXXXXXXXXXXXXXXX
Computer: EMAIL
Description:
Successful Network Logon:
User Name: XXXXXXXXXXXXX
Domain: XXXXXX
Logon ID: (0x0,0x12E2510E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: reuma-PC
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 148.233.239.23
Source Port: 34472
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/13/2009
Time: 1:03:26 PM
User: XXXXXXXXXXXXXXXXXXXXXX
Computer: EMAIL
Description:
Successful Network Logon:
User Name: XXXXXXXX
Domain: XXXXXXXXXXX
Logon ID: (0x0,0x13052DFD)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SALAMANDRA
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 84.108.90.142
Source Port: 39481
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
What scenarios could there have been to cause this?
What hole could there have been in our system that caused this?
What can we do to prevent this from happening again?
IP tracer tools haven't really helped; are there any other tools we can use?
Any help would be greatly appreciated.
Thank you.
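One way to triage an exported Security log for exactly the pattern in the post (successful NTLM network logons, event 540 / logon type 3, whose source address and workstation name are not the school's) is a small parser plus two checks. This is an added Python example, not code from the original post; it assumes the campus uses RFC 1918 address space and a LAB-/STAFF-/SRV- hostname prefix, and the sample records are constructed (the first reuses the post's values, the user names are placeholders).

```python
import ipaddress
import re

# Constructed sample in the "Key: Value" layout of the post's Security-log entries:
# record one reuses the post's values, record two is a made-up on-campus logon.
SAMPLE_LOG = """\
Event ID: 540
User Name: student01
Logon Type: 3
Workstation Name: reuma-PC
Source Network Address: 148.233.239.23
Event ID: 540
User Name: student01
Logon Type: 3
Workstation Name: LAB-PC07
Source Network Address: 10.20.30.40
"""

# Assumptions: campus hosts sit in RFC 1918 space and are named LAB-/STAFF-/SRV-.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_CONVENTION = re.compile(r"^(LAB|STAFF|SRV)-", re.IGNORECASE)

def parse_events(text):
    """One dict of fields per event; a new record starts at each 'Event ID:' line."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event ID:"):
            current = {}
            events.append(current)
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return events

def suspicious_logons(events):
    """(event, reasons) for 540/type-3 logons whose source or host does not look like campus."""
    findings = []
    for ev in events:
        if ev.get("Event ID") != "540" or ev.get("Logon Type") != "3":
            continue
        reasons = []
        src = ev.get("Source Network Address", "-")  # '-' means the field was empty
        if src == "-" or not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            reasons.append(f"source {src} is not a campus address")
        host = ev.get("Workstation Name", "")
        if not HOST_CONVENTION.match(host):
            reasons.append(f"workstation {host!r} does not follow campus naming")
        if reasons:
            findings.append((ev, reasons))
    return findings
```

Run it over the full exported log text (Event Viewer's "Save As" text export works) and the first record above is the only one reported, with both reasons.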
All Replies
- Use a tool named IP Scanner; it will show all IP addresses and services on your network. Or find LC3, software that can show hidden network passwords and users.
- Does this student have a valid username and password? If you want students to stop sending email to DLs, then you need to make the DL restricted.
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
- I think this student has a valid username and password and somehow has access to the server. You must check all gateways; some servers and routers have multiple gateways so that an administrator can access the server with different user identities. Another way is using a Win32 trojan/RAT; this virus can be transferred through an instant-messaging conversation and will allow reading and writing of user data. The student might have used a home computer to hack into your network. Please check open ports; hackers will not get inside unless you allow them.
- How do you restrict students from sending mail to the groups?
Under the properties of the group, in Exchange General, under message restrictions:
Only From: Teachers and Staff
Is that what you were referring to?
Thanks
- For all our internal connections to the servers we have the gateway entered in TCP/IP.
We have
2 DCs
2 File Servers
1 Exchange
1 School Information Server
1 NAS Backup
- Yeah....mmmmm... well, here is a tip for you...
1. Create the account.
2. Create a security group.
3. Populate the security group with the lucky individuals.
4. Run the following from PowerShell: Add-MailboxPermission.
5. Step through the command. The zippy screenshot illustrates this. You can also give it the command in one long string if you can ever figure out the syntax. (I removed the screenshot...)
a. The first identity is the account that is granting the rights.
b. The second identity is the account (in this case an SG) that needs to access/send as.
6. You could modify this to just FullAccess or just SendAs. Also ReceiveAs.
7. Remove-MailboxPermission is the reverse of this process.
Note:
When you grant a user full access permissions to a mailbox, that user has full access only to the mailbox for which the permissions are applied. With full access permissions, the user can open and read the contents of the mailbox. However, the user cannot send as that mailbox without additional permissions.
Add-MailboxPermission -Identity "Mailbox" -User "Trusted User" -AccessRights FullAccess
Add-MailboxPermission -Identity "coco mike" -User winHitech -AccessRights FullAccess -InheritanceType All
Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As
Or, you can do this: click exmerge.exe
- Create a new user who will be the ExMerge administrator but do not create an Exchange mailbox for that user; call the user "exmerge" and give it a strong password.
- Add "exmerge" as a member of the following groups:
- Administrators (not Domain Admins; to give read/write access to the Windows files and folders needed for exmerge.exe to run)
- Exchange Domain Servers and
- Exchange Enterprise Servers (to give Receive As permissions on all of the Information Stores, both private and public)
- For each of the Information Stores in Exchange System Manager (e.g. First Storage Group), right-click, and on the Security tab add the user account "exmerge" and give it at least "Receive As" permissions.
- Right-click exmerge.exe, select Run As..., and enter the credentials of the user "exmerge", or schedule the task exmerge.exe to run under that user account.
Also check for 'Anonymous' user read access to the GAL. Configure the permissions with ADSI Edit because there is no tab in Exchange System Manager. I hope you know about this.