I have been hacked (I think...)

    Question

  • I came to work today and found close to 4000 messages from System Administrator in my Inbox. All of the messages show as "Undeliverable", they are addressed to various recipients and all originate from *@usa.gov. Needless to say that's not my domain. My queues are full and messages are still coming. What to do? Does anyone have a good "list of things to do" in a situation like this? What to look for, where to look, etc. All I can say is that relaying is not allowed (at least not from the IP these e-mails are coming from). Also, can someone point me to a good "best practices" for securing Exchange. Any and all help is appreciated...
    Monday, February 04, 2008 3:29 PM

All replies

  • It may not be as bad as you think. It's possible someone just sent a lot of junk, forging their "from" address.

    http://forum.spamcop.net/scwik/JoeJob

    This is how pretty much most spam works.

    BUT: it could also be as bad as you think. Look through your firewall logs. Also, if you had them enabled, look through your Exchange SMTP logs. Run a scan on your Exchange server as well. But without additional evidence, I wouldn't assume you've been hacked.

    Monday, February 04, 2008 4:05 PM

  • Thanks for your response. I'll do as you suggested. In the meantime here is the header for one of the messages that I got:

    ==================================================================================
    Microsoft Mail Internet Headers Version 2.0
    X-Antivirus-Status: Clean
    thread-index: AchnP9XDGx/zbivdTKas8SP9gBz68g==
    X-Antivirus: avast! 4 for MS SMTP Server 2000
    From: <postmaster@mydomain.com>
    Content-Transfer-Encoding: 7bit
    To: <refund@usa.gov>
    Content-Class: urn:content-classes:message
    Date: Mon, 4 Feb 2008 10:08:44 -0500
    Importance: normal
    Priority: normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
    MIME-Version: 1.0
    Content-Type: multipart/report;
        boundary="9B095B5ADSN=_01C8666A1449392E00002C0Email.mydomain";
        report-type=delivery-status
    X-DSNContext: 7ce717b1 - 1140 - 00000001 - 00000000
    Message-ID: <YG6jj69EH00000f29@mail.mydomain.com>
    Subject: Delivery Status Notification (Failure)

    --9B095B5ADSN=_01C8666A1449392E00002C0Email.mydomain
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain;
        charset="unicode-1-1-utf-7"

    --9B095B5ADSN=_01C8666A1449392E00002C0Email.mydomain
    Content-Transfer-Encoding: 7bit
    Content-Type: message/delivery-status

    --9B095B5ADSN=_01C8666A1449392E00002C0Email.mydomain
    Content-Transfer-Encoding: 7bit
    Content-Type: message/rfc822

    thread-index: AchnP9XFKd8yI3xvTcGeGTBxr0cs7Q==
    Received: from User ([151.12.152.26]) by mail.mydomain.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 4 Feb 2008 08:14:19 -0500
    Reply-To: <no_reply@usa.gov>
    From: "Internal Revenue Service U.S.A" <refund@usa.gov>
    Subject: Important Message From IRS
    Date: Mon, 4 Feb 2008 14.13.36 +0100
    MIME-Version: 1.0
    Content-Class: urn:content-classes:message
    Importance: normal
    Priority: normal
    Content-Type: text/html;
        charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
    Bcc:
    Return-Path: <refund@usa.gov>
    Message-ID: <EXEXEXCFj2AhGwEUJlW000000d1@mail.mydomain.com>
    X-OriginalArrivalTime: 04 Feb 2008 13:14:19.0500 (UTC) FILETIME=[D9C8D2C0:01C8672F]

    --9B095B5ADSN=_01C8666A1449392E00002C0Email.mydomain--
    ================================================================================

    In the body of the message I get:

    ======================================================================

    Your message did not reach some or all of the intended recipients.

          Subject:    Important Message From IRS
          Sent: 2/3/2008 7:00 PM

    The following recipient(s) cannot be reached:

          some_email@hotmail.com on 2/4/2008 11:07 AM

                There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

                <mail.mydomain.com #5.5.0 smtp;550 Access denied...
    ========================================================================

    What this tells me is that someone tried to e-mail somebody at hotmail.com using my mail server. If this is so, then how/why did Exchange accept this when relaying is not allowed (at least not for the 151.12.152.26 IP address)? Thanks again for any help...


    Monday, February 04, 2008 4:19 PM
  • Are you still getting bounce backs? If so, enable logging in the above mentioned places and start looking.

    Monday, February 04, 2008 4:33 PM

  • I don't have the ability to check firewall logs right now, but I do have logging on Exchange. I did find entries that are relevant but I don't really know what they mean, i.e.:

    2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX <my IP> 0 EHLO - +User 250 0 SMTP - - -
    2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX <my IP> 0 MAIL - +FROM:<refund@usa.gov> 250 0 SMTP - - -
    2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX <my IP> 0 RCPT - +TO:<someone@yahoo.com> 250 0 SMTP - - -

    //many other RCPTs similar to the one above...

    2008-02-04 12:38:41 151.12.152.26 User SMTPSVC1 EXEXEX <my IP> 0 DATA - <EXEXEX6YHkidcDjoYAP00000013@mail.mydomain.com> 250 0 SMTP - - -
    2008-02-04 12:38:41 151.12.152.26 User SMTPSVC1 EXEXEX <my IP> 0 QUIT - User 240 7110 SMTP - - -

    There are many other entries like this but I don't really know what they mean. I see that someone from 151.12.152.26 is pretending to be the usa.gov mail server and that they are sending e-mails to many yahoo/hotmail/aol users, but I don't know if they are successful. Thanks again,
    Monday, February 04, 2008 6:09 PM
  • Monday, February 04, 2008 6:49 PM

  • Thanks for the link. I went through the process of determining if my Exchange server was an open SMTP relay and, as I suspected, it is not:

    mail from:username@my_private_domain.com
    250 2.1.0 username@my_private_domain.com....Sender OK
    rcpt to:my_gmail@gmail.com
    550 5.7.1 Unable to relay for my_gmail@gmail.com
    rcpt to:my_yahoo@yahoo.com
    550 5.7.1 Unable to relay for my_yahoo@yahoo.com
    rcpt to:my_hotmail@hotmail.com
    550 5.7.1 Unable to relay for my_hotmail@hotmail.com

    However, when I went through the SMTP logs I could see that someone from the IP 151.12.152.26 has tried sending e-mails to @hotmail.com users, and then the next thing I would see is the hotmail server responding:

    2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX <my_IP> 0 EHLO - +User 250 0 SMTP - - -
    2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX <my_IP> 0 MAIL - +FROM:<refund@usa.gov> 250 0 SMTP - - -
    2008-02-04 12:38:40 151.12.152.26 User SMTPSVC1 EXEXEX <my_IP> 0 RCPT - +TO:<specific_user@hotmail.com> 250 0 SMTP - - -
    2008-02-04 12:38:41 151.12.152.26 User SMTPSVC1 EXEXEX <my_IP> 0 DATA - <EXEXEX6YHkidcDjoYAP00000013@mail.mydomain.com> 250 0 SMTP - - -
    2008-02-04 12:38:41 151.12.152.26 User SMTPSVC1 EXEXEX <my_IP> 0 QUIT - User 240 7110 SMTP - - -

    and then

    2008-02-04 12:38:41 65.54.245.40 OutboundConnectionResponse SMTPSVC1 EXEXEX - 25 - - 250-bay0-mc9-f6.bay0.hotmail.com+(3.5.0.22)+Hello+[<my_IP>] 0 0 SMTP - - -
    2008-02-04 12:38:41 65.54.245.40 OutboundConnectionCommand SMTPSVC1 EXEXEX - 25 MAIL - FROM:<refund@usa.gov>+SIZE=2858 0 0 SMTP - - -
    2008-02-04 12:38:41 65.54.244.40 OutboundConnectionResponse SMTPSVC1 EXEXEX - 25 - - 250+refund@usa.gov....Sender+OK 0 0 SMTP - - -
    2008-02-04 12:38:41 65.54.244.40 OutboundConnectionCommand SMTPSVC1 EXEXEX - 25 RCPT - TO:<specific_user@hotmail.com> 0 0 SMTP - - -

    How is this possible?
    Monday, February 04, 2008 8:07 PM
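    The two log excerpts above (the inbound 151.12.152.26 session and the outbound hotmail connection) can be checked automatically instead of by eye. The script below is an added example, not from this thread or from Exchange itself: it parses the SMTPSVC W3C log layout quoted above, flags inbound RCPT commands that Exchange answered with 250 where neither sender nor recipient domain is local (third-party relay), and marks whether a later OutboundConnectionCommand shows the server handing that recipient to a remote MX. The sample log is constructed from the thread's layout; 192.0.2.10 stands in for the server's own address (shown as "<my_IP>" above), and mydomain.com is assumed to be the local domain.

```python
import re

# Assumption: the domains this Exchange server accepts mail for; replace with your own.
LOCAL_DOMAINS = {"mydomain.com"}

# Constructed sample in the SMTPSVC W3C layout quoted in the thread (not the poster's real log).
# 192.0.2.10 stands in for the server's own address, which the thread shows as "<my_IP>".
SAMPLE_LOG = """\
2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX 192.0.2.10 0 EHLO - +User 250 0 SMTP - - -
2008-02-04 12:38:35 151.12.152.26 User SMTPSVC1 EXEXEX 192.0.2.10 0 MAIL - +FROM:<refund@usa.gov> 250 0 SMTP - - -
2008-02-04 12:38:40 151.12.152.26 User SMTPSVC1 EXEXEX 192.0.2.10 0 RCPT - +TO:<specific_user@hotmail.com> 250 0 SMTP - - -
2008-02-04 12:38:41 65.54.244.40 OutboundConnectionCommand SMTPSVC1 EXEXEX - 25 MAIL - FROM:<refund@usa.gov>+SIZE=2858 0 0 SMTP - - -
2008-02-04 12:38:41 65.54.244.40 OutboundConnectionCommand SMTPSVC1 EXEXEX - 25 RCPT - TO:<specific_user@hotmail.com> 0 0 SMTP - - -
2008-02-04 13:02:10 198.51.100.7 mx1 SMTPSVC1 EXEXEX 192.0.2.10 0 MAIL - +FROM:<partner@example.net> 250 0 SMTP - - -
2008-02-04 13:02:10 198.51.100.7 mx1 SMTPSVC1 EXEXEX 192.0.2.10 0 RCPT - +TO:<alice@mydomain.com> 250 0 SMTP - - -
2008-02-04 13:05:00 203.0.113.9 User SMTPSVC1 EXEXEX 192.0.2.10 0 MAIL - +FROM:<x@example.org> 250 0 SMTP - - -
2008-02-04 13:05:00 203.0.113.9 User SMTPSVC1 EXEXEX 192.0.2.10 0 RCPT - +TO:<victim@yahoo.com> 550 0 SMTP - - -
"""
ADDR = re.compile(r"<([^>]*)>")  # the address inside FROM:<...> / TO:<...>

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def find_relay_abuse(log_text, local_domains=LOCAL_DOMAINS):
    """Inbound RCPTs accepted (250) with non-local sender AND recipient, plus whether the server then tried to deliver them."""
    sender_by_ip = {}       # last MAIL FROM seen per inbound client IP
    outbound_rcpts = set()  # recipients the server itself handed to a remote MX
    events = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue  # header/comment line or truncated record
        ip, user, method, query, status = f[2], f[3], f[8], f[10], f[11]
        m = ADDR.search(query)
        addr = m.group(1).lower() if m else ""
        if user == "OutboundConnectionCommand":
            if method == "RCPT":
                outbound_rcpts.add(addr)
        elif method == "MAIL":
            sender_by_ip[ip] = addr
        elif method == "RCPT" and status == "250":
            sender = sender_by_ip.get(ip, "")
            if domain_of(sender) not in local_domains and domain_of(addr) not in local_domains:
                events.append({"time": f[1], "client": ip, "from": sender, "to": addr})
    for ev in events:
        ev["delivered_outbound"] = ev["to"] in outbound_rcpts
    return events

if __name__ == "__main__":
    print(find_relay_abuse(SAMPLE_LOG))
```

    On the constructed sample only the 151.12.152.26 session is reported, with delivered_outbound set, while the 203.0.113.9 attempt is ignored because Exchange refused it with 550, which is the same result the manual telnet test above showed for a non-relaying client.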
  • Perhaps the user authenticated? I'm not sure if this would show up in the logs, but authenticated users can relay, so maybe one of your user accounts was compromised?

    Also, I would assume you've taken precautions and blocked the 151 address at this point? Ideally on the firewall, but if you have no access, at least on the server itself.

    Monday, February 04, 2008 9:41 PM
  • Hi,

    This might help you determine what's happening:

    http://www.vamsoft.com/authattack.asp

    Leif

    Monday, February 04, 2008 9:55 PM

  • @Mike: Yes, I have blocked that IP at the firewall level. As far as authenticated users go, I had "Allow all computers which successfully authenticate, regardless of the list above" cleared; however, under "Users" I had both "Authenticated Users" and "Everyone" selected as allowed to relay.

    @Leif: Thanks for that link - good resource.

    Now my question is, if I had "Allow all computers which successfully authenticate, regardless of the list above" cleared but under Users had Authenticated Users and Everyone allowed for relaying, what takes precedence, or do these two exclude one another? If anyone knows please clarify this...
    Monday, February 04, 2008 10:23 PM
  • If "Everyone" is included in who can relay, this is the same as not requiring authentication.

    (Sort of. People do have to authenticate, but any combination of user and password would work.)

    Tuesday, February 05, 2008 5:20 PM