Re: MS Exchange Server 5.5/ NT User Name Harvesting ?

From: H C (keydet89@yahoo.com)
Date: 06/07/02


Date: Fri, 7 Jun 2002 11:47:02 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: Zero Divide <o0o@hotmail.com>, focus-ms@securityfocus.com

Go back to your WatchGuard logs and see where the
"attacker's" IP address is listed. What is the
destination port on your server that is being
targeted? Port 138? 389?

This will help you determine _how_ the username
enumeration is occurring.

--- Zero Divide <o0o@hotmail.com> wrote:
>
>
> Hello,
>
> I work for a small company with about 100 computers on our network. Our
> lone server is running on NT with all the latest hotfixes, service packs,
> etc. Our mail server is MS Exchange 5.5, also with all the latest
> hotfixes and service packs installed. Due to budgetary constraints
> upgrading to newer software is not an option here.
>
> The problem we're having is that every time one of our employees keeps
> his/her computer logged on overnight, crackers are able to harvest the
> username and they then proceed to run cracking attempts on it all night.
>
> From the security logs it looks like they are trying to use our mail
> server as a spam relay. The only thing that's really stopping them is we
> have all user accounts locked out from 5pm-7am. But we really don't know
> what's going on during business hours.
>
> We have a WatchGuard firewall up and running and it's provided us with a lot
> of information, including the cracker's IP addresses, but we would really
> like to know how to stop them from harvesting our Usernames.
>
> The usernames are not guessable, the only common thread that all the
> usernames the crackers have harvested have is the fact that the Employee
> left his/her computer on all night and logged into the network.
>
> Any suggestions would be most appreciated.
>
> Thanks
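
One way to do the log check suggested in the reply above, as an added example that is not part of the original thread: it tallies which destination ports on the server each suspect address reached, and whether the firewall passed the traffic. The log layout, addresses and function names are constructed for illustration; a real WatchGuard export will need its own pattern.

```python
import re
from collections import Counter

# Constructed sample in a generic "time action proto src:port -> dst:port"
# layout; real WatchGuard log lines differ, so adapt LINE_RE to your export.
SAMPLE_LOG = """\
2002-06-06 23:14:02 allow udp 203.0.113.7:1030 -> 192.0.2.10:138
2002-06-06 23:14:05 allow tcp 203.0.113.7:4312 -> 192.0.2.10:389
2002-06-06 23:14:09 allow tcp 203.0.113.7:4313 -> 192.0.2.10:389
2002-06-06 23:15:40 deny tcp 198.51.100.23:2201 -> 192.0.2.10:139
2002-06-06 23:16:11 allow tcp 203.0.113.7:4320 -> 192.0.2.10:25
2002-06-06 23:17:00 allow tcp 192.0.2.55:1999 -> 192.0.2.10:80
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Standard port assignments for services that can expose account names.
SERVICES = {25: "SMTP", 135: "RPC endpoint mapper", 137: "NetBIOS name",
            138: "NetBIOS datagram", 139: "NetBIOS session", 389: "LDAP"}


def ports_hit(log_text, server, suspects):
    """Count (source, action, proto, dport) for suspect sources hitting server."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != server or m["src"] not in suspects:
            continue  # unparsable line, other destination, or not a suspect
        hits[(m["src"], m["action"], m["proto"], int(m["dport"]))] += 1
    return hits


def report(hits):
    """Rows ordered by count, most frequent first, with the service name."""
    return [(src, action, f"{dport}/{proto}", SERVICES.get(dport, "other"), n)
            for (src, action, proto, dport), n in hits.most_common()]


if __name__ == "__main__":
    suspects = {"203.0.113.7", "198.51.100.23"}  # addresses noted from the log
    for row in report(ports_hit(SAMPLE_LOG, "192.0.2.10", suspects)):
        print(*row, sep="\t")
```

Any `allow` row for a directory or NetBIOS port from an outside address marks a service the firewall is exposing and a candidate for a block rule.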
