Re: Exchange 2003

jamesworld_at_intelligencia.com
Date: 03/03/04

    Date: Tue, 02 Mar 2004 20:16:45 -0600
    To: deniz@edizayn.com.tr (Deniz CEVIK)
    
    

    Did you try

    netstat -an

    And see what ports were listening?

    Is there a local IP filtering policy active? You mentioned only 2 ports as
    being active, 25 and 100. Perhaps there is a local IP policy only allowing
    those ports. Perhaps the port 100 was supposed to be port 110 for POP3
    mail access and they typo'd the entry. Good of you to find their
    misconfiguration for them :-)

    Did you run fport (Foundstone)? If you've never used fport, you should add
    it to your arsenal.

    Hopefully HADXM is the username that you are using. If not, look into the
    host being compromised.

    If you have more, post it to us.

    Cheers,
    -James

    At 08:29 03/02/2004, Deniz CEVIK wrote:
    >Hi All,
    >
    >While we are testing our customer network, we faced a strange problem. We
    >are testing an Exchange 2003 server externally. When we controlled open
    >services with a port scan, I saw that only two ports (25 and 100) are shown as
    >open. Before I ran the port scan, I had controlled the server with the "nbtstat"
    >command of Windows. It returned error messages as below.
    >
    >nbtstat -A EXCH_IP
    >
    >Local Area Connection:
    >Node IpAddress: [MY_MACHINE] Scope Id: []
    >
    > Host not found.
    >
    >After the port scan finished, in order to see the banner information of the
    >mail server, I opened a connection to port 25 using the telnet command (telnet
    >EXCH_IP 25). At the same time, I ran the "nbtstat -A" command from another window
    >by mistake and saw the output below.
    >
    >nbtstat -A EXCH_IP
    >
    >Local Area Connection:
    >Node IpAddress: [MY_MACHINE] Scope Id: []
    >
    > NetBIOS Remote Machine Name Table
    >
    > Name Type Status
    > ---------------------------------------------
    > HADXM <1F> UNIQUE Registered
    > HADXM <00> UNIQUE Registered
    > HADXM <20> UNIQUE Registered
    > EXCHANGE <00> GROUP Registered
    > EXCHANGE <1C> GROUP Registered
    > EXCHANGE <1B> UNIQUE Registered
    > EXCHANGE <1E> GROUP Registered
    > HADXM <03> UNIQUE Registered
    > ADMINISTRATOR <03> UNIQUE Registered
    > EXCHANGE <1D> UNIQUE Registered
    > ..__MSBROWSE__. <01> GROUP Registered
    > HADXM <6A> UNIQUE Registered
    > HADXM <87> UNIQUE Registered
    >
    > MAC Address = MAC_ADDRESS_OF_EXCHANGE
    >
    >If there isn't any connection to an open port of the server, you can't see this
    >nbtstat output.
    >
    >Has anybody faced the same situation before?
    >
    >BR
    >
    >

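For reading a name table like the one quoted in this thread, here is an added example (not part of either message) that decodes the NetBIOS suffixes into the services they advertise and separates the host name, the domain, and any `<03>` names that are not the host. The function names are hypothetical, the suffix meanings are the standard Microsoft assignments, and the sample rows are a subset of the quoted output.

```python
import re

# Well-known NetBIOS name suffixes, keyed by (suffix, record type).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("01", "GROUP"): "Master browser marker",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
    ("1F", "UNIQUE"): "NetDDE service",
    ("20", "UNIQUE"): "File server service",
    ("6A", "UNIQUE"): "Microsoft Exchange IMC",
    ("87", "UNIQUE"): "Microsoft Exchange MTA",
}
# Optional "> " quote prefix, then: NAME <XX> UNIQUE|GROUP STATUS
ROW = re.compile(r"^[>\s]*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+\s*$")

def parse_name_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3)
            rows.append((name, suffix, kind, SUFFIXES.get((suffix, kind), "unknown")))
    return rows

def summarize(rows):
    host = next((n for n, s, k, _ in rows if (s, k) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, k, _ in rows if (s, k) == ("00", "GROUP")), None)
    # <03> names other than the host name are logged-on account names.
    sessions = sorted({n for n, s, _, _ in rows if s == "03" and n != host})
    exchange = any(s in ("6A", "87") for _, s, _, _ in rows)
    return {"host": host, "domain": domain, "sessions": sessions, "exchange": exchange}

# Rows taken from the nbtstat output quoted in the post (subset).
SAMPLE = """\
> HADXM <00> UNIQUE Registered
> EXCHANGE <00> GROUP Registered
> HADXM <03> UNIQUE Registered
> ADMINISTRATOR <03> UNIQUE Registered
> ..__MSBROWSE__. <01> GROUP Registered
> HADXM <6A> UNIQUE Registered
> HADXM <87> UNIQUE Registered
"""

if __name__ == "__main__":
    print(summarize(parse_name_table(SAMPLE)))
```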

