RE: Exchange 2k hacked

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 28 Oct 2003 23:49:03 +0100

Thanks Al.
 
Given that no further applications have been installed on the machine,
would there be any certain system state in which unsecapp.exe would be
launched by exchange for instance? Maybe a message search? I'm going to
check this.
 
I really wouldn't want to re-install everything, at least not without a
definite proof of irregularities.
 
Mark

        -----Original Message-----
        From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
        Sent: Monday, October 27, 2003 10:46 PM
        To: [ExchangeList]
        Subject: [exchangelist] RE: Exchange 2k hacked
        
        
        http://www.MSExchange.org/
        
        Unsecapp.exe:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/iwbemunsecuredapartment_createsinkstub.asp
         
        The DCOM access issue may be "normal" for that environment and
indicative of some other previous problem or even none at all (could be
a security setting too tight for all I can tell here), but my personal
thought is that if you have any questions or doubts, you'd be best
served by being safe and rebuilding.  That's my idea of best practice
anyway.
         
        Al

________________________________

        From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
        Sent: Monday, October 27, 2003 4:03 PM
        To: [ExchangeList]
        Subject: [exchangelist] Exchange 2k hacked
        
        
        http://www.MSExchange.org/
        

        Today I had to resurrect an exchange 2k server that had relaying
for successfully authenticated hosts allowed. This wouldn't have been a
problem, had the user 'webmaster' had a password assigned :) I guess
this was some left-over from a previous Novell migration. Well. I
cleared out half a million spam emails.

        What got to me was the presence of a process named unsecapp.exe
which I have not noticed running anywhere before. A quick google returns
some references to event sinks. Further, there have been various dcom
errors, stating an access error while starting a {3Dxxxx... application.
All this could be perfectly legit, but I want to make sure that this
host has not been tampered with. 

        The exchange is running behind ISA and has only SMTP published.
The SMTP vuln had been fixed on the 24th I think. Any clues?

        Thanks! 
        Mark 

        ------------------------------------------------------
        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
        Exchange Newsletters:
http://www.msexchange.org/pages/newsletter.asp
        Exchange FAQ:
http://www.msexchange.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 ISA Server Resource Site: http://www.isaserver.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
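The thread leaves Mark's question open: is the unsecapp.exe he found the genuine WMI callback sink, who launched it, which accounts (like 'webmaster') can log on with no password, and what application the DCOM access errors refer to. The following triage script is an added example, not code from the list posts or from Microsoft; it assumes a current Windows host with the ActiveDirectory module installed (on a 2003-era Windows 2000/Exchange 2000 box the same checks would be done with tasklist, sigverif, net user and ADSI). The CLSID from the event log is not given on the page, so Resolve-DcomClsid takes it as a parameter.

```powershell
# Added triage helpers (not from the thread). Assumed environment: Windows with
# PowerShell 5+, RSAT ActiveDirectory module, and local admin rights.

function Get-UnsecappStatus {
    # Genuine unsecapp.exe is the WMI "unsecured apartment" sink process; it
    # lives in System32\wbem and is Microsoft-signed. Anything else is suspect.
    $expected = Join-Path $env:SystemRoot 'System32\wbem\unsecapp.exe'
    foreach ($p in (Get-CimInstance Win32_Process -Filter "Name='unsecapp.exe'")) {
        $sig = $null
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Path       = $p.ExecutablePath
            PathOk     = ($p.ExecutablePath -ieq $expected)
            Signature  = if ($sig) { $sig.Status } else { 'unknown' }   # expect 'Valid'
            Signer     = if ($sig) { $sig.SignerCertificate.Subject }
            ParentPid  = $p.ParentProcessId
            ParentName = $parent.Name   # a WMI-launched sink has a legitimate client as parent; cmd.exe is not one
            Owner      = (Invoke-CimMethod -InputObject $p -MethodName GetOwner).User
        }
    }
}

function Get-PasswordNotRequiredAccounts {
    # UF_PASSWD_NOTREQD (0x20) in userAccountControl lets an account have an
    # empty password; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $domain = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
                  -Properties PasswordLastSet |
              Select-Object @{n='Scope';e={'Domain'}}, SamAccountName, Enabled, PasswordLastSet
    $local  = Get-LocalUser | Where-Object { -not $_.PasswordRequired } |
              Select-Object @{n='Scope';e={'Local'}}, @{n='SamAccountName';e={$_.Name}},
                            Enabled, PasswordLastSet
    @($domain) + @($local)
}

function Get-DcomErrors([int]$Hours = 24) {
    # Pull recent DCOM events from the System log and extract the CLSID they name.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{n='Clsid'; e={ if ($_.Message -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } }},
        Message
}

function Resolve-DcomClsid {
    # Map a CLSID from a DCOM error to its registered name, server binary and AppID.
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. the {3D...} GUID from the event text
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    if (-not (Test-Path $key)) { return "CLSID $Clsid is not registered on this host" }
    $appId = (Get-ItemProperty $key -ErrorAction SilentlyContinue).AppID
    [pscustomobject]@{
        Clsid        = $Clsid
        Name         = (Get-ItemProperty $key).'(default)'
        LocalServer  = (Get-ItemProperty "$key\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'
        InprocServer = (Get-ItemProperty "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        AppId        = $appId
        AppName      = if ($appId) {
            (Get-ItemProperty "HKLM:\SOFTWARE\Classes\AppID\$appId" -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

# Usage
Get-UnsecappStatus | Format-List
Get-PasswordNotRequiredAccounts | Format-Table -AutoSize
Get-DcomErrors -Hours 72 | Format-Table TimeCreated, Id, Clsid -AutoSize
# Resolve-DcomClsid -Clsid '{...}'   # paste the GUID reported by Get-DcomErrors
```

A PathOk of False, a signature status other than Valid, or a parent such as cmd.exe or a non-Microsoft binary would be the "definite proof of irregularities" the thread asks for; a clean result only tells you the sink process is genuine, not that the host is untouched, which is why Al's advice to rebuild when in doubt still stands. The account listing is the direct check for the 'webmaster' problem: any enabled account returned there can authenticate to the SMTP virtual server with an empty password and, with relay-for-authenticated-hosts enabled, relay mail.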
