Re: Need your help!!!
From: Birl (sbirl_at_temple.edu)
Date: 09/22/03
- Previous message: Hagen, Eric: "Keyloggers and Countermeasures"
- In reply to: chang zhu: "Need your help!!!"
- Next in thread: Pastinha: "RES: Need your help!!!"
- Reply: Pastinha: "RES: Need your help!!!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Sep 2003 12:54:23 -0400 (EDT)
To: security-basics@securityfocus.com
As it was written on Sep 20, thus chang zhu typed:
Chang: Date: Sat, 20 Sep 2003 08:19:39 -0700 (PDT)
Chang: From: chang zhu <cyz2000@yahoo.com>
Chang:
Chang: Hi, all
Chang:
Chang: Some people connect to my Exchange 2000 server every
Chang: day and send all their spam out. When I go to current
Chang: sessions under SMTP protocols and default SMTP virtual
Chang: server in Exchange System Manager, I can see these
Chang: people's connections and IP addresses (no domain name
Chang: shows up, only a fake name and IP). I do not
Chang: know how to block them.
Ummm ... a firewall?
Chang: This is an Exchange 2000 server
Chang: with SP3 behind a PIX firewall. We only open ports
Chang: 25, 443 and 80 for this Exch 2k server on the PIX. The MX
Chang: record points to this server. If I use NMAP
Chang: to scan this box internally, here are the ports open:
Chang:
Chang:
Chang: 25/tcp open smtp
Chang: 80/tcp open http
Chang: 110/tcp open pop-3
Chang: 119/tcp open nntp
Chang: 135/tcp open loc-srv
Chang: 139/tcp open netbios-ssn
Chang: 143/tcp open imap2
Chang: 443/tcp open https
Chang: 445/tcp open microsoft-ds
Chang: 563/tcp open snews
Chang: 593/tcp open http-rpc-epmap
Chang: 691/tcp open resvc
Chang: 993/tcp open imaps
Chang: 995/tcp open pop3s
Chang: 3372/tcp open msdtc
Chang: 3389/tcp open ms-term-serv
Chang: 6000/tcp open X11
Chang: 6001/tcp open X11:1
Chang: 6003/tcp open X11:3
Chang: 6005/tcp open X11:5
Chang: 7001/tcp open afs3-callback
Chang: 8081/tcp open blackice-icecap
Chang:
Chang: x11?
X11 is X-windows. More-or-less windows for a UNIX machine.
But since you're running Windoze, I'm not sure what's listening on TCP 600[0-1,3,5].
Recommend you get nmap 3.45 and run it with the newly added -sV flag to
see what's listening. Moreover, you should download TCPView and leave it
running.
(and you should make sure that your lines below don't word-wrap)
Chang: When I do netstat -na, the following is shown in part of the result:
Chang:
Chang: TCP 127.0.0.1:25 127.0.0.1:54441 TIME_WAIT
Chang: TCP 127.0.0.1:25 127.0.0.1:54898 TIME_WAIT
Chang: TCP 127.0.0.1:25 127.0.0.1:54904 TIME_WAIT
Chang: TCP 127.0.0.1:25 127.0.0.1:54914 TIME_WAIT
Chang: TCP 127.0.0.1:25 127.0.0.1:54916 TIME_WAIT
Chang: TCP 127.0.0.1:25 127.0.0.1:54988 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54433 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54434 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54442 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54443 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54444 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54445 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54446 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54454 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54890 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54893 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54903 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54911 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54913 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54915 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54917 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54918 TIME_WAIT
Chang: TCP 127.0.0.2:25 127.0.0.2:54919 TIME_WAIT
Chang: TCP 127.0.0.100:25 127.0.0.100:54905 TIME_WAIT
Chang: TCP 127.0.0.100:25 127.0.0.100:54912 TIME_WAIT
Chang: TCP 127.0.1.50:25 127.0.1.50:54456 TIME_WAIT
Chang:
Chang: This server is not an open relay server, so how
Chang: can spammers connect to this server to send all their spam out
Chang: from different domain addresses?
Chang:
Chang: Due to limited experience, I am not able to tackle it.
Chang: Many anti-spam companies put our server on their
Chang: lists. I ask them to send me reports that indicate
Chang: all the spam truly went out through my server, from the mail
Chang: header info.
Chang:
Chang: I need to resolve this ASAP and any suggestion or
Chang: solutions will be greatly appreciated.
Chang:
Chang:
Chang: Thanks for all your attention and help,
These are all internal IPs. Do you know if these IPs are actually in use,
or do you think they are forged? I see you mentioned
"... fake name and IP ..." but I do not see any "fake" names.
Thanks
Scott Birl http://concept.temple.edu/sysadmin/
Senior Systems Administrator Computer Services Temple University
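As an added example (not from this thread or either poster), the two checks Scott recommends, what is listening and who is connecting to port 25, done over constructed sample output in the shape of the netstat -na and nmap listings quoted above. The sample IPs, port numbers and the {25, 80, 443} PIX allow-list are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the "netstat -na" output quoted above: loopback
# TIME_WAIT entries like the poster's, plus made-up external peers (RFC 5737 addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address     State
  TCP    0.0.0.0:25         0.0.0.0:0           LISTENING
  TCP    127.0.0.1:25       127.0.0.1:54441     TIME_WAIT
  TCP    127.0.0.2:25       127.0.0.2:54433     TIME_WAIT
  TCP    127.0.0.2:25       127.0.0.2:54434     TIME_WAIT
  TCP    127.0.1.50:25      127.0.1.50:54456    TIME_WAIT
  TCP    192.0.2.10:25      198.51.100.7:4123   ESTABLISHED
  TCP    192.0.2.10:25      198.51.100.7:4125   ESTABLISHED
  TCP    192.0.2.10:25      203.0.113.9:1044    ESTABLISHED
  TCP    192.0.2.10:443     203.0.113.9:1050    ESTABLISHED
"""
# Constructed subset of the nmap listing quoted above.
SAMPLE_NMAP = "25/tcp open smtp\n80/tcp open http\n135/tcp open loc-srv\n6000/tcp open X11\n"

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
PORT_RE = re.compile(r"^\s*(\d+)/tcp\s+open\s+(\S+)")

def smtp_peers(netstat_text, local_port=25):
    """Count connections to local_port, keyed by (remote_ip, state)."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or int(m.group(2)) != local_port:
            continue
        remote_ip, state = m.group(3), m.group(5)
        if state != "LISTENING":          # skip the listening socket itself
            peers[(remote_ip, state)] += 1
    return peers

def external_smtp_peers(netstat_text, local_port=25):
    """Remote IPs on the SMTP port that are not loopback (127/8)."""
    return sorted({ip for ip, _ in smtp_peers(netstat_text, local_port)
                   if not ip.startswith("127.")})

def unexpected_open_ports(nmap_text, allowed):
    """Open ports in an nmap listing that are not in the allowed set."""
    found = {int(m.group(1)): m.group(2)
             for m in map(PORT_RE.match, nmap_text.splitlines()) if m}
    return {p: svc for p, svc in found.items() if p not in allowed}

if __name__ == "__main__":
    print(smtp_peers(SAMPLE_NETSTAT).most_common())
    print(external_smtp_peers(SAMPLE_NETSTAT), unexpected_open_ports(SAMPLE_NMAP, {25, 80, 443}))
```

Loopback peers on port 25 point at something on the box itself (or an aliased 127.x address) talking to the SMTP service, which is why the reply asks whether those IPs are really in use.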