Thanks Matt for the information.

The consultant did warn us that we should buy a front end server to avoid this sort of thing, but that was the cost of another enterprise licence for Exchange (if we want to use OWA). We have now purchased a decent firewall and the Exchange server is sitting behind it safely. We got another consultant in to install that. I don't think the attacks are still happening (the file dates are now a month old, no newer ones). Also, I do trust the consultant, he was no hacker.

I have checked the IIS settings and they are set up as per the Windows 2000 defaults, i.e. C:\inetpub\etc for ftp and www. No virtual directories, I checked. Also, there are no shares on the server, and no web shares.

I still don't understand how they got in. Could they use OWA to hack in? I am still open to suggestions. Any hackers out there?

-----Original Message-----
From: Walkowiak, Matt [mailto:Matt.Walkowiak@xxxxxxxxxxxx]
Sent: 31 May 2002 14:37
To: [ExchangeList]
Subject: [exchangelist] RE: Hackers!

http://www.MSExchange.org/ - Re-Vamped!

I'd check the IIS settings, namely the FTP part.

This is also a good time to talk about how incredibly dangerous it is to stick a Windows server (or any OS for that matter) live on the internet. The fact that you have a bunch of mp3's is probably the least of your worries. When your consultant set up your server, did he or she make sure to apply ALL the patches? Download and run hfnetchk on that server ASAP. One thing you have to remember about Windows OS's is that they are designed to be Departmental Intranet servers that have connections to the Internet - they are NOT designed to go live on the Internet without major tweaking. Check out this site - the NSA created a 110 page document about securing a Windows server...

http://www.trustedsystems.com/tss_nsa_guide.htm

Also, how much do you trust your consultant?
If he or she had any brains at all, they would know that this server is indeed live on the internet, and they also have the administrator password :-)

When you are looking at the FTP settings, make sure the home folder is still C:\Inetpub\ftproot, and that there are no Virtual FTP folders hanging out there that someone (the consultant) may have set up...

As far as a firewall, what I would do if I were you is get one and get one NOW. Unless you are doing something very complicated, you don't need much more than a WatchGuard SOHO. For 500 dollars US, you can have your network 100% more secure in minutes. As far as the cost of the firewall? How much is your time worth to fix whatever problems are caused by having a default Windows server live on the Internet?

Matt Walkowiak

-----Original Message-----
From: Cox, Christopher [Allen & Heath UK] [mailto:Chris.Cox@xxxxxxxxxxxxxxx]
Sent: Friday, May 31, 2002 7:35 AM
To: [ExchangeList]
Subject: [exchangelist] Hackers!

Here's an interesting one.

Following the management buyout of my company and the upgrade of our Exchange 5.5 server to 2000, I was forced to add a local connection for incoming email to my server, which without first investing in a firewall (money constraints - duh!) we connected directly onto our internet LAN. The Exchange 2000 server was set up pretty much as defaults out of the box, although we did have a consultant in to do it.

I have just been looking at some backup logs and it seems that at some time in the past a folder has appeared in \Exchsrvr\databases\Storage_Group_2 (where we store our databases). The folder is called "incoming" and is full of pirate software, MP3s and movies (about 20GBs of it).

Can anyone explain how this stuff may have got onto my server?

Chris Cox BEng, DiplEng
Information Technology Manager
Allen & Heath Limited, Kernick Industrial Estate, Penryn, Cornwall.
UK TR10 9LU
Tel +44 (0)870 7556250, Fax +44(0)1326 370139
Direct: +44(0)870 7556270
Mobile +44(0)781 555 1962
EMail chris.cox@xxxxxxxxxxxxxxx
Web http://www.allen-heath.com

***DISCLAIMER***
This Email and any files transmitted with it are confidential and intended solely for the use of the individual to whom or the entity to which they are addressed. If you have received this email in error please notify the sender immediately. Please note that any views or opinions presented in this email are those of the author and do not necessarily represent those of Allen & Heath Limited. The recipient should check this email and any attachments for the presence of viruses. Allen & Heath Limited accepts no liability for any damage caused by any virus transmitted via this email.
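
Added example, not part of the original thread: one way to follow up the "check the FTP part" advice above is to review the FTP service log for uploads and new directories and see which login they came from. The log layout (W3C extended fields, "[n]" session prefix, uploads logged as "created"), the sample lines and the function names are all assumptions made for illustration.

```python
import re

# Constructed sample, not taken from the thread. Assumed layout: the W3C
# extended format of the IIS FTP service, with "[n]" as the session id.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:14:07 192.0.2.44 [7]USER anonymous 331
02:14:07 192.0.2.44 [7]PASS guest@example.invalid 230
02:14:15 192.0.2.44 [7]MKD incoming 257
02:15:40 192.0.2.44 [7]created /incoming/album01.mp3 226
02:16:02 192.0.2.44 [7]created /incoming/setup.iso 550
09:30:11 198.51.100.9 [8]USER backupsvc 331
09:31:00 198.51.100.9 [8]sent /reports/daily.txt 226
"""

WRITE_VERBS = {"created", "MKD"}           # upload (assumed verb) and new directory
METHOD = re.compile(r"^\[(\d+)\](\S+)$")   # "[7]created" -> ("7", "created")

def find_ftp_writes(log_text):
    """Return successful write events, each tagged with the session's login name."""
    fields = ["time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"]
    users, hits = {}, []      # users: (client ip, session id) -> login name
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # honour the layout the log declares
            continue
        parts = line.split()
        if line.startswith("#") or len(parts) != len(fields):
            continue                       # directives, blanks, malformed lines
        rec = dict(zip(fields, parts))
        m = METHOD.match(rec.get("cs-method", ""))
        if not m:
            continue
        session, verb = (rec.get("c-ip"), m.group(1)), m.group(2)
        if verb.upper() == "USER":
            users[session] = rec.get("cs-uri-stem", "").lower()
        elif verb in WRITE_VERBS and rec.get("sc-status", "").startswith("2"):
            hits.append({"time": rec.get("time"), "ip": session[0], "verb": verb,
                         "user": users.get(session, "unknown"),
                         "path": rec.get("cs-uri-stem")})
    return hits

def anonymous_writers(hits):
    """Client addresses that wrote to the server while logged in anonymously."""
    return sorted({h["ip"] for h in hits if h["user"] in ("anonymous", "ftp")})

if __name__ == "__main__":
    print(anonymous_writers(find_ftp_writes(SAMPLE_LOG)))
```

No hits in the FTP log for the period covered by the file dates would point the investigation away from FTP and towards the other services exposed on the server.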