> A month ago, an audit showed that the Exchange server was not
> acting as an open relay

Again, not "acting" as an open relay, or did you actually test to determine whether it was configured to refuse attempts to relay? Another question is how you determined that the server is actually being used as an open relay. We had a moment of panic when a spammer sent a couple thousand emails out impersonating users at our domain. We started getting dozens of bounce messages and thought that our Exchange server, somehow, had been used to relay. Closer inspection of the headers and NDR messages ultimately allowed us to determine that someone was impersonating our domain (unfortunately, SMTP does not provide a solution for this). But for a short while we (mostly I) were extremely concerned that our security had been breached.

> , and I know for a fact that this base
> of customers does not do any tweaking on their servers. In
> fact, they originally called me last week to make sure they
> were protected from the msblaster worm. They are even afraid
> to patch the systems, much less make any config changes.
> Other than the software vendor in question, I am the only one
> who touches their servers. I know I didn't make the config
> change, and I'm sure the sw vendor didn't make this change.
> Given the physical security, I can only deduce that someone
> else took advantage of the weak password security, and helped
> themselves.

I assume you meant "given the NETWORK security", as "PHYSICAL" security is something completely different. If, in fact, the firewall is configured as indicated, and only authorized IP addresses from the software vendor's IP space are permitted to access pcAnywhere, then it is NOT a trivial hack to gain access to pcAnywhere in order to exploit the weak passwords. In order to circumvent the firewall, the intruder would have to first compromise a router or host at either the vendor's or the customer's end, or somewhere in between, or the firewall itself. Or the intruder would need to gain physical access to one of these end locations. IMHO, if you are confident that neither the software vendor nor the customer made the change (if, indeed, a change was actually made), then I would be more concerned about how the intruder gained access to the server in the first place. Perhaps the firewall is misconfigured and is not doing anything. Weak security policies and passwords should also be fixed, but your border router and firewall are crucial.
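The header inspection described in the reply above, as an added example that is not part of the original post: it parses the Received: chain of the bounced original carried inside an NDR and reports whether our server was a real hop in the delivery path or whether only the From: line was forged. The host names, IP addresses and both sample messages are constructed.

```python
import re
from email import message_from_string

# Names and IPs that identify our own mail server (constructed sample values).
OUR_HOSTS = {"exchange.ourdomain.example", "192.0.2.25"}

# Constructed bounced original #1: the spammer connected straight to the
# recipient's MX from a dial-up address and forged a From: in our domain.
SPOOFED = """\
Received: from dsl-77.isp.example (unknown [198.51.100.77])
\tby mx.recipient.example with SMTP id 1; Fri, 15 Aug 2003 10:02:09 -0700
From: user@ourdomain.example
To: victim@recipient.example
Subject: constructed sample

body
"""

# Constructed bounced original #2: the same message, but this time it really
# passed through our server on its way to the recipient's MX.
RELAYED = """\
Received: from exchange.ourdomain.example (exchange.ourdomain.example [192.0.2.25])
\tby mx.recipient.example with ESMTP id 2; Fri, 15 Aug 2003 10:02:09 -0700
Received: from dsl-77.isp.example (unknown [198.51.100.77])
\tby exchange.ourdomain.example with SMTP id 3; Fri, 15 Aug 2003 10:02:05 -0700
From: user@ourdomain.example
To: victim@recipient.example
Subject: constructed sample

body
"""

# "from <host> (<reverse-dns> [<ip>]) ... by <host>" as most MTAs write it
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+([\w.-]+)", re.S)

def hops(raw):
    """Parse every Received: header into (from_host, from_info, by_host), oldest first."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            found.append((m.group(1), m.group(2) or "", m.group(3)))
    return list(reversed(found))

def relayed_through_us(raw, our_hosts=OUR_HOSTS):
    """True if our server appears as a real hop: it stamped a line as the
    receiving ('by') side, or a downstream MTA recorded our name/IP as the
    connecting ('from') side. A From: line in our domain alone never counts."""
    for from_host, from_info, by_host in hops(raw):
        if by_host in our_hosts or from_host in our_hosts:
            return True
        if any(h in from_info for h in our_hosts):
            return True
    return False
```

Only the Received: line stamped by the bouncing MX itself is fully trustworthy; a sender can forge lines beneath it, which can produce a false "relayed" verdict worth investigating, but cannot hide a hop that really went through our server.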
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:12:18 PDT