Re: Security issue with MS Exchange and Windows 2003 Server
"Leythos" <void@xxxxxxxxxxx> wrote in message
news:O7Bjf.157775$tD4.13524@xxxxxxxxxxxxxxxxxxxxxxxxx
> In article <C71AFADC-ECF4-4D0D-BF76-A5561135951F@xxxxxxxxxxxxx>,
> ITTester@xxxxxxxxxxxxxxxxxxxxxxxxx says...
>> Okay... It looks too good to be true what you just said about the slim
>> chance of infection when servers are well mounted.
>
> If you read it again, it was stated that the particular virus you appear
> to have won't spread, but you didn't ask that or state that in your
> questions many times.
>
> If your machine, in general, was/is compromised, then it can/may
> compromise others. Until it's clean it's best left off the network.
>
> As for the mail store or exporting to PST, you've been told several
> times that the store/PST won't infect your new system. What will infect
> your new system is the DATA INSIDE THOSE PST/STORE until you remove the
> infection. As was said, you install an exchange aware AV product, one
> that scans items inside the active STORE, not the file called the store,
> but inside the store session, and have it remove malware, bad
> attachments, anything that doesn't look right. This is how you clean the
> email and keep the store clean for your users.
>
> It was and is simple, you got direct answers to the exact questions you
> asked.

I agree; I think most of what I said was already said by others throughout
the thread. There's a lot of good advice from probably everyone in this
thread, and most of them are fellow MVPs.

To the original poster, what I think has been left out here is trying to
determine what security hole allowed the server to be compromised and make
sure that security vulnerability is not repeated. If you re-install Windows
and leave the same vulnerability on the systems, you're only wasting your
valuable time. Most FTP tagging / pubstro occurs because of a simple, well
known vulnerability like a missing patch or Windows Networking / NetBIOS
being open inbound on the firewall.

I believe you said you started blocking a new TCP/IP port on your firewall,
but my worry is that there may still be weaknesses in your firewall rules.
It could be that you blocked the port used for FTP downloads while leaving
the port that was used to first compromise the server open. All ports both
inbound and outbound should be denied by default, with only a few ports that
you want to allow being allowed.
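As an added illustration of the last point (this is not code from the poster or from the thread), the small first-match rule evaluator below compares the two firewall policies the post contrasts: a blocklist that only closed the FTP port after the fact, and a default-deny policy that permits just the handful of ports the mail server needs. The rulesets, port choices and the "Exchange needs SMTP in/out" assumption are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" or "out"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port

def matches(rule: Rule, direction: str, proto: str, port: int) -> bool:
    return (rule.direction == direction
            and rule.proto in ("any", proto)
            and rule.port in (None, port))

def decide(rules: List[Rule], direction: str, proto: str, port: int,
           default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for r in rules:
        if matches(r, direction, proto, port):
            return r.action
    return default

# Constructed ruleset 1: the post's worry. One port (FTP, 21) was blocked
# after the compromise; the firewall otherwise lets everything through.
BLOCKLIST = [Rule("deny", "in", "tcp", 21)]

# Constructed ruleset 2: default-deny. Only SMTP reaches the Exchange server
# inbound; outbound is limited to SMTP, DNS and HTTP (assumed needs).
DEFAULT_DENY = [
    Rule("allow", "in", "tcp", 25),    # SMTP in to Exchange
    Rule("allow", "out", "tcp", 25),   # SMTP out
    Rule("allow", "out", "udp", 53),   # DNS lookups
    Rule("allow", "out", "tcp", 80),   # HTTP, e.g. Windows Update
]

# Windows Networking / NetBIOS and SMB ports the post names as a common way in.
NETBIOS_SMB: List[Tuple[str, int]] = [
    ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]

def exposed_netbios(rules: List[Rule], default: str) -> List[int]:
    """NetBIOS/SMB ports still reachable inbound under the given policy."""
    return [port for proto, port in NETBIOS_SMB
            if decide(rules, "in", proto, port, default) == "allow"]

if __name__ == "__main__":
    print("blocklist still exposes:", exposed_netbios(BLOCKLIST, "allow"))
    print("default-deny exposes:", exposed_netbios(DEFAULT_DENY, "deny"))
```

With the blocklist policy every NetBIOS/SMB port stays open inbound even though FTP is closed; with default-deny only the explicitly allowed SMTP port is reachable.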
