Exchange 2k hacked

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Oct 2003 22:03:04 +0100

Today I had to resurrect an exchange 2k server that had relaying for
successfully authenticated hosts allowed. This wouldn't have been a
problem, had the user 'webmaster' had a password assigned :) I guess
this was some left-over from a previous Novell migration. Well. I
cleared out half a million spam emails.

What got to me was the presence of a process named unsecapp.exe which I
have not noticed running anywhere before. A quick google returns some
references to event sinks. Further, there have been various dcom errors,
stating an access error while starting a {3Dxxxx... application. All
this could be perfectly legit, but I want to make sure that this host
has not been tampered with. 

The exchange is running behind ISA and has only SMTP published. The SMTP
vuln had been fixed on the 24th I think. Any clues?


Other related posts: