RE: Exchange 2k hacked

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 28 Oct 2003 15:02:56 -0800

I would start by where that file is found.

 

Hopefully, some one is more versed in event sinks can help.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
Sent: Tuesday, October 28, 2003 2:50 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Exchange 2k hacked

 

http://www.MSExchange.org/

Don't ask me, I've never done nuffin with them sinks.... Where am I supposed
to find those files?

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, October 28, 2003 9:46 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Exchange 2k hacked

http://www.MSExchange.org/

If it is an event sink, you should be able to open up the files, as I
believe event sinks must use a .vbs, correct?

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
Sent: Monday, October 27, 2003 1:03 PM
To: [ExchangeList]
Subject: [exchangelist] Exchange 2k hacked

 

http://www.MSExchange.org/

Today I had to resurrect an exchange 2k server that had relaying for
successfully authenticated hosts allowed. This wouldn't have been a problem,
had the user 'webmaster' had a password assigned :) I guess this was some
left-over from a previous Novell migration. Well. I cleared out half a
million spam emails.

What got to me was the presence of a process named unsecapp.exe which I have
not noticed running anywhere before. A quick google returns some references
to event sinks. Further, there have been various dcom errors, stating an
access error while starting a {3Dxxxx. application. All this could be
perfectly legit, but I want to make sure that this host has not been
tampered with. 

The exchange is running behind ISA and has only SMTP published. The SMTP
vuln had been fixed on the 24th I think. Any clues?

Thanks! 
Mark 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------ 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------ 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------ 

Other related posts: