January 13, 2004

Malicious Hackers and Spam, Part 2


If you recall from last month's article "Malicious Hackers and Spam, Part 1" (http://www.winnetmag.com/article/articleid/41094/41094.html), a client was having a backup problem and poor server performance. I discovered that a spammer was using the client's server to relay spam. Although the server wasn't an open relay, the spammer was somehow authenticating to the server to send messages.

My first concern was to prevent the spammer from sending more messages. I disconnected the firewall from the Internet and deleted all the sessions. I tried to use the Exchange System Manager (ESM) to delete the messages from the queues, but the process was taking a long time. I stopped all the Exchange services, opened a command prompt, and deleted the messages from the directory D:\exchsrvr\mailroot\vsi 1\queue. Stopping the Exchange services greatly improved the server performance, but more than 10,000 messages were waiting in various queues, so even using the command prompt to delete the messages took more than an hour.

I changed all the passwords for every user on the network. I also looked at the bad mail directory in D:\exchsrvr\mailroot\vsi 1\badmail. The directory contained so many messages that I couldn't even view the number of files in the directory. I used a command prompt to delete all the files, which took approximately 8 hours.

I then created a rule on the firewall to deny traffic from the IP ranges from which the spam originated. After making these changes, I reconnected the firewall to the Internet and monitored the server. Fortunately, the spam connection didn't reappear.

This particular network had a couple of remote sites running VPN tunnels. I had originally suggested that the client company use "mini" firewalls to protect the remote users and perform the VPN encryption, but the client decided to use mobile clients instead to save money. However, the spam incident convinced the client to purchase the firewalls to protect the remote connections.
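The abuse described above was an authenticated relay, not an open one, so the useful signal is an account that suddenly sends from many source addresses or to far more recipients than usual. The following triage script is an added example, not code from the article; it parses a constructed, simplified connection-log layout (timestamp, client IP, authenticated account, recipients accepted) to flag accounts whose passwords need resetting and to collapse the offending source IPs into networks for a firewall deny rule.

```python
"""Relay-abuse triage over SMTP connection log lines (added example, not
the article's code; the log layout is constructed for illustration)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, "timestamp client_ip auth_user rcpt_count": one account suddenly sends from four addresses to hundreds of recipients.
SAMPLE_LOG = """\
2004-01-10T02:11:03 203.0.113.14 jsmith 1
2004-01-10T02:11:09 203.0.113.14 jsmith 1
2004-01-10T02:12:41 198.51.100.7 mjones 250
2004-01-10T02:12:55 198.51.100.9 mjones 250
2004-01-10T02:13:02 198.51.100.22 mjones 250
2004-01-10T02:13:30 192.0.2.77 mjones 250
2004-01-10T02:14:11 203.0.113.14 jsmith 2
"""

def parse_log(text):
    """Yield (client_ip, account, recipients) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield ip_address(parts[1]), parts[2], int(parts[3])
        except ValueError:
            continue

def suspicious_accounts(text, max_ips=2, max_rcpts=500):
    """Accounts that authenticate from too many source IPs or push too many
    recipients: the signature of a stolen credential used to relay spam."""
    ips, rcpts = defaultdict(set), defaultdict(int)
    for ip, user, n in parse_log(text):
        ips[user].add(ip)
        rcpts[user] += n
    return sorted(u for u in ips if len(ips[u]) > max_ips or rcpts[u] > max_rcpts)

def deny_networks(text, accounts, prefix=24):
    """Collapse the offending source IPs into /prefix blocks for a firewall deny rule."""
    nets = set()
    for ip, user, _ in parse_log(text):
        if user in accounts:
            nets.add(ip_network(f"{ip}/{prefix}", strict=False))
    return sorted(str(n) for n in nets)

if __name__ == "__main__":
    bad = suspicious_accounts(SAMPLE_LOG)
    print("reset passwords for:", bad)
    print("firewall deny:", deny_networks(SAMPLE_LOG, bad))
```

The thresholds are assumptions; tune them to the normal sending pattern of your own users before acting on the output.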
When I went to one of the remote sites to install the firewall, I discovered that intruders had hacked the remote machine. The machine had the following hacking programs installed:

• Bat.mumu.A.worm
• Hacktool
• W32.valla.2048
• w32.HLLW.lovegate.J@mm
• Bat.Boohoo.worm
• MSBlast

This computer was left running all the time, with the tunnel active. It was just a matter of time before intruders attacked, which is why I always recommend that remote clients sit behind a firewall, especially if they use a broadband connection. If you must use a mobile VPN client, make sure that users turn off the computer when they're not using it and that they disable the tunnel if they don't need access to the corporate network.

I rebuilt the workstation and placed the workstation behind a firewall. Whenever a computer is compromised, the only way to ensure that you've removed all the vulnerabilities is to format the hard disk and reinstall the OS. It's easy to overlook a hacker program and let the intruder regain control of the machine. By rebuilding the machine, you know you've removed all the hacker tools. When reinstalling the OS, don't forget the latest service pack and critical patches.

Fortunately for this client, the intruder wanted to use the server only for spam; the intruder could have caused a lot more damage. My consulting firm has experienced a disturbing amount of hacking activity over the past few months. To keep your networks safe, make sure all your computers are up-to-date with the latest service packs and critical updates and that all your firewalls have the latest patches. If you have remote sites with mobile tunnels and broadband connections, consider installing a firewall, or at the very least, train users to turn off their computers when not in use. Also, make sure users know how to deactivate the tunnel when they're not connecting to the corporate network. The arms race has begun. This situation will get worse over time, not better. Make sure you have the proper countermeasures to protect your network.

Tip
Have you ever wondered where an IP address comes from? To determine the source, you can run a Tracert if the IP address is active. Another good resource for determining an IP address source is the Internet Assigned Numbers Authority (http://www.iana.org/ipaddress/ip-addresses.htm). This site contains links to worldwide sources that let you look up the ISP that has been assigned a block of IP addresses. This information is helpful when you're tracking down an IP address, in the event of a hack or other inappropriate use of the Internet. You need to take the IP address with a grain of salt because the hacker will often spoof the IP address of the attack or compromise a machine and launch the attack from an infected machine, but the source IP address is a good place to start.




Reader Comments
In the future, instead of deleting all the messages in the "queue" folder, just rename it, e.g., queue.old. When you start the Exchange services, it recreates the queue folder. This allows you to start up Exchange and delete the messages later. Ditto for the Badmail folder.



Dave Fosbenner January 13, 2004


WAY TO GO!!! I have a client that is having the exact same problem. They were on Exchange 5.5 and I just upgraded them to 2000. They were being relayed through but needed the upgrade anyhow. I figured the upgrade would give me better tools to kill the relay. The tools were a bit better but the relay persisted. I looked up every KB article and searched endlessly for closing this open relay, even though the relay police (ORDBS, etc.) said it was NOT a relay. I have been very suspicious of it being an inside job. Now I'll send the client on a seek and destroy mission in the remote locations and on local machines.

Phil Leinhauser January 13, 2004


Very interesting article. I would appreciate more reference links so I can drill down for more information. For example, what program/method did the author use to find the hacking programs on the remote machine?

Mike January 13, 2004


I *believe* you can save a lot of time by using Windows Explorer to delete (perhaps you have to permanently delete) the subfolder containing all the messages and then just add the subfolder later.

Also, I think a better place to start to see who "owns" a particular IP address is the American Registry for Internet Numbers. It will direct you to the other registries (such as RIPE and APNIC) if the IP address is registered outside of ARIN's scope.
http://www.arin.net/

C. Frank Bernard January 13, 2004


Just curious, but how do you find out which IP address the spam was coming from?

leeg123 January 13, 2004


8 hours to delete all messages! Wow! How many of them were there? On my Linux I throw out 30 thousand files/minute! But as I suppose Microsoft's Wonders of The World are a bit... other :-)

Adrian January 22, 2004

