Ughhhh.... More SMTP issues - Hacking my Server?
- From: "Dave Onex" <dave@xxxxxxxx>
- Date: Mon, 27 Aug 2007 22:23:25 -0700
Hi Sandy;
I'm seeing a problem with my Windows 2000/IIS 5 SMTP server :-(
As you may recall it's set up as a relay for my Exchange 2000 Server and has
two virtual SMTP's - one for incoming mail and one for outgoing. Both are
protected behind an ISA 2004 firewall.
Recently (in our last discussion) I found that the IIS server needed to be
re-started because the SMTP service seemed to stop responding. I tested it
by sending a mail from outside the network to my email address - no mail
arrived. In addition, mail seems to stop arriving for several hours and
sending mail fails too....
Trying to re-start the IIS Admin service on the IIS machine results in an
error - it can't re-start for some reason. A re-boot seems to be the only
way to fix it. Processor usage at this time is normal/low.
I went through the event viewer logs and it seems like someone is trying to
hack the server.... Here's what the event viewer says;
Event ID 1000
The server was unable to logon the Windows NT account 'baseball' due to the
following error: Logon failure: unknown user name or bad password. The data
is the error code.
There are at least 100 of these spread over a 3 minute period - from 11:53
AM until 11:56 AM and they all use different account names that are
fictional. As such, I suspect some form of dictionary attack?
During that time period I see this in the logfiles;
2007-08-27 18:53:41 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2281 SMTP - - - -
2007-08-27 18:53:45 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 QUIT - windows 240 8312 64 4 15 SMTP - - - -
2007-08-27 18:53:45 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 QUIT - windows 240 8360 64 4 0 SMTP - - - -
2007-08-27 18:53:50 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2281 SMTP - - - -
2007-08-27 18:53:52 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2281 SMTP - - - -
2007-08-27 18:53:52 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2282 SMTP - - - -
2007-08-27 18:53:54 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2282 SMTP - - - -
2007-08-27 18:53:54 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2282 SMTP - - - -
2007-08-27 18:53:55 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 334 0 18 10 360 SMTP - - - -
2007-08-27 18:53:55 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 18:53:56 75.43.172.73 windows SMTPSVC1 DB 192.168.1.70 0 QUIT - windows 240 10093 64 4 0 SMTP - - - -
The last recorded attempt was at 11:56 AM - there are no other entries until
6:04 PM where I see one entry;
Event ID 4000
Message delivery to the remote domain 'lifelines.ws' failed for the
following reason: The connection was dropped by the remote host.
This is not a domain I send mail to....
At some point during the day the IIS service seems to have locked up as no
mail is being delivered. I don't know what's up....but the last receive log
entries before it stops receiving/sending mail are these;
2007-08-28 02:06:21 124.78.215.138 138.215.78.124.broad.xw.sh.dynamic.163data.com.cn SMTPSVC1 DB 192.168.1.70 0 EHLO - +138.215.78.124.broad.xw.sh.dynamic.163data.com.cn 250 0 263 54 234 SMTP - - - -
2007-08-28 02:06:21 124.78.215.138 138.215.78.124.broad.xw.sh.dynamic.163data.com.cn SMTPSVC1 DB 192.168.1.70 0 MAIL - +FROM:<hjbdfvbkjndo@xxxxxxxxxxxx> 250 0 50 37 0 SMTP - - - -
2007-08-28 02:06:22 124.78.215.138 138.215.78.124.broad.xw.sh.dynamic.163data.com.cn SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:<forumsforum@xxxxxxxxxxxx> 550 0 29 34 0 SMTP - - - -
2007-08-28 02:06:24 124.78.215.138 138.215.78.124.broad.xw.sh.dynamic.163data.com.cn SMTPSVC1 DB 192.168.1.70 0 QUIT - 138.215.78.124.broad.xw.sh.dynamic.163data.com.cn 240 3734 64 4 0 SMTP - - - -
2007-08-28 02:06:45 201.62.167.137 BHE201062167137.res-com.wayinternet.com.br SMTPSVC1 DB 192.168.1.70 0 HELO - +BHE201062167137.res-com.wayinternet.com.br 250 0 44 47 156 SMTP - - - -
2007-08-28 02:06:45 201.62.167.137 BHE201062167137.res-com.wayinternet.com.br SMTPSVC1 DB 192.168.1.70 0 HELO - +BHE201062167137.res-com.wayinternet.com.br 250 0 44 47 765 SMTP - - - -
2007-08-28 02:06:45 201.62.167.137 BHE201062167137.res-com.wayinternet.com.br SMTPSVC1 DB 192.168.1.70 0 MAIL - +FROM:<jraab@xxxxxxxx> 250 0 39 26 0 SMTP - - - -
2007-08-28 02:06:45 201.62.167.137 BHE201062167137.res-com.wayinternet.com.br SMTPSVC1 DB 192.168.1.70 0 MAIL - +FROM:<jraab@xxxxxxxx> 250 0 39 26 0 SMTP - - - -
2007-08-28 02:06:47 201.62.167.137 BHE201062167137.res-com.wayinternet.com.br SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:<webmaster@xxxxxxxxxxxx> 550 0 29 32 0 SMTP - - - -
2007-08-28 02:06:48 201.62.167.137 BHE201062167137.res-com.wayinternet.com.br SMTPSVC1 DB 192.168.1.70 0 QUIT - BHE201062167137.res-com.wayinternet.com.br 240 4031 29 32 1453 SMTP - - - -
I don't know what's going on anymore but this is the second time this
otherwise rock-solid machine had to be re-started and last time the event
viewer was also full of similar log-on failure entries so I suspect someone
is somehow taking the machine off-line which is really bad because I depend
on email......
Best & Thanks!
Dave
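The post above shows two patterns worth pulling out of an IIS SMTP log automatically: a burst of EHLO/AUTH exchanges ending in 535 from one source (password guessing against SMTP AUTH), and RCPT commands answered with 550 (probing for valid or relayable recipients). The script below is an added example, not code from the original thread or from Microsoft. It parses IIS W3C extended-format SMTP log lines, honours a `#Fields:` header when one is present and otherwise falls back to the default IIS 5 SMTP field order (an assumption, since the post does not show the header), and flags any source that produces `threshold` matching responses inside a sliding time window. The sample log is constructed for the example and uses documentation-range addresses, not the addresses from the post.

```python
"""Flag SMTP AUTH guessing and recipient probing in IIS SMTP W3C logs.

Added example for the thread above; not the poster's or Microsoft's code.
Sample log lines are constructed and use RFC 5737 documentation addresses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed default field order for IIS 5 SMTP W3C extended logging, used only
# when the log carries no "#Fields:" header.
DEFAULT_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
    "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)"
).split()

# Constructed sample: one guessing burst, one legitimate client that mistyped
# its password once, and one recipient-probing session the next night.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2007-08-27 18:53:41 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2281 SMTP - - - -
2007-08-27 18:53:42 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 334 0 18 10 360 SMTP - - - -
2007-08-27 18:53:42 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 18:53:45 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 QUIT - windows 240 8312 64 4 15 SMTP - - - -
2007-08-27 18:53:50 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 EHLO - +windows 250 0 261 12 2281 SMTP - - - -
2007-08-27 18:53:51 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 18:53:56 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 18:54:10 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 18:54:30 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 18:55:02 192.0.2.10 windows SMTPSVC1 DB 192.168.1.70 0 AUTH - windows 535 0 36 10 719 SMTP - - - -
2007-08-27 19:10:00 198.51.100.7 laptop SMTPSVC1 DB 192.168.1.70 0 AUTH - laptop 535 0 36 10 700 SMTP - - - -
2007-08-27 19:10:05 198.51.100.7 laptop SMTPSVC1 DB 192.168.1.70 0 AUTH - laptop 235 0 30 10 120 SMTP - - - -
2007-08-28 02:06:21 203.0.113.9 host.example.net SMTPSVC1 DB 192.168.1.70 0 MAIL - +FROM:<a@example.net> 250 0 50 37 0 SMTP - - - -
2007-08-28 02:06:22 203.0.113.9 host.example.net SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:<sales@example.org> 550 0 29 34 0 SMTP - - - -
2007-08-28 02:06:23 203.0.113.9 host.example.net SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:<info@example.org> 550 0 29 34 0 SMTP - - - -
2007-08-28 02:06:24 203.0.113.9 host.example.net SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:<admin@example.org> 550 0 29 34 0 SMTP - - - -
2007-08-28 02:06:25 203.0.113.9 host.example.net SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:<webmaster@example.org> 550 0 29 34 0 SMTP - - - -
"""


def iter_records(lines):
    """Yield one dict per data line, tracking any #Fields: header seen."""
    fields = DEFAULT_FIELDS
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or wrapped line; skip rather than misparse
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_bursts(lines, method, status, threshold=5, window_minutes=3):
    """Return [(c-ip, first, last, total)] for each client that sent
    `threshold` or more `method` commands answered with `status` inside any
    `window_minutes` span. first/last/total cover all of that client's
    matching events in the log, not just the window that tripped the rule."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-ip timestamps inside the current window
    stats = {}                    # ip -> [first_ts, last_ts, total]
    flagged = set()
    for rec in iter_records(lines):
        if rec["cs-method"] != method or rec["sc-status"] != status:
            continue
        ip, ts = rec["c-ip"], rec["ts"]
        first, _, total = stats.get(ip, [ts, ts, 0])
        stats[ip] = [first, ts, total + 1]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(
        (ip, stats[ip][0].isoformat(sep=" "), stats[ip][1].isoformat(sep=" "), stats[ip][2])
        for ip in flagged
    )


def summarize(lines):
    """Run both checks that correspond to the two log excerpts in the post."""
    return {
        "auth_guessing": find_bursts(lines, "AUTH", "535", threshold=5, window_minutes=3),
        "recipient_probing": find_bursts(lines, "RCPT", "550", threshold=3, window_minutes=1),
    }


if __name__ == "__main__":
    for kind, hits in summarize(SAMPLE_LOG.splitlines()).items():
        for ip, first, last, total in hits:
            print(f"{kind}: {ip} {total} events between {first} and {last}")
```

Run it against a real log with `summarize(open(path).read().splitlines())`. The legitimate client with a single 535 is not reported because it never reaches the threshold, and wrapped or truncated lines (as in the post, where each record was split across two or more lines) are skipped rather than misparsed, so rejoin them before feeding a log that was copied out of an e-mail. Thresholds are assumptions to tune per site; the 3-minute window mirrors the 11:53 to 11:56 burst Dave describes.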