Re: group opinion requested
From: Matt Gibson (mattg_at_blueedgetech.ca)
Date: 01/10/05
- Next message: Matt Gibson: "Re: Server 2003 SP1 RC (for SBS?) Help Please !!"
- Previous message: Matt Gibson: "Re: How to share a file between remote users?"
- In reply to: Marcia: "Re: group opinion requested"
- Next in thread: Marina Roos [SBS-MVP]: "Re: group opinion requested"
- Reply: Marina Roos [SBS-MVP]: "Re: group opinion requested"
- Reply: Marcia: "Re: group opinion requested"
- Reply: Marcia: "Re: group opinion requested"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 9 Jan 2005 16:37:22 -0800
Keep us posted on how this goes.
I didn't realize calling MS Security was a free call. Are there any caveats
to it being free?
I'm always paranoid when it comes to problems like this. IF there was a
backdoor, then there could be a rootkit on the system, and those are near
impossible to detect, since the OS is lying to you.
Evvvilll..
-Matt
"Marcia" <mkp@1248.com> wrote in message
news:eU85yjo9EHA.2828@TK2MSFTNGP10.phx.gbl...
> Hi Marina,
>
> So am I reading you right that this last one was pretty normal? I'll
> close port 80. I had it closed and Netopia told me to open it. I'll
> contact MS Security just to be safe--especially since it's free. Thanks.
>
> Marcia
>
>
> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> message
> news:ucb%238Zo9EHA.2552@TK2MSFTNGP09.phx.gbl...
>> Hi Marcia,
>>
>> If you are not hosting your own website, you can close port 80 inbound.
>> Those email attacks are pretty common. You will also see some security
>> alerts with usernames as webmaster, abc, root, admin etcetera.
>>
>> --
>> Regards,
>>
>> Marina
>> Microsoft SBS-MVP
>> One of the Magical M&M's
>>
>> "Marcia" <mkp@1248.com> wrote in message
>> news:eTg$fSo9EHA.3592@TK2MSFTNGP09.phx.gbl...
>> > Thanks for replying again. I and PSS didn't think it was compromised prior
>> > to this most recent event. We both believed the main problem being due to
>> > the .NET patch.
>> >
>> > The ports I have opened are 25, 1723, 3389, 443, 4125, and 80 on the router.
>> > We use OWA, RWW, our own smtp email, and the Internet. Pretty basic.
>> >
>> > When I asked PSS on Friday if she thought we were compromised, her initial
>> > answer was no. She believes someone ran a port scan and found port 25 open
>> > and spammed it with NDR's.
>> >
>> > I don't know. I've never experienced this before with any of my clients.
>> >
>> > Thanks.
>> >
>> > Marcia
>> >
>> >
>> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
>> > news:Og2j%23Ko9EHA.1392@tk2msftngp13.phx.gbl...
>> > > Hi Marcia,
>> > >
>> > > If you suspect a security issue, you can call the MS Security Team. This is
>> > > free. They will check your server thoroughly. Did/do you have any suspicion
>> > > at all that the server might have been compromised? Which ports are open
>> > > inbound?
>> > >
>> > > --
>> > > Regards,
>> > >
>> > > Marina
>> > > Microsoft SBS-MVP
>> > > One of the Magical M&M's
>> > >
>> > > "Marcia" <mkp@1248.com> wrote in message
>> > > news:u3iK3Ho9EHA.2196@TK2MSFTNGP11.phx.gbl...
>> > > > Hi! I value the expertise from this news group, I wanted to seek your
>> > > > opinion on a security issue.
>> > > >
>> > > > We had problems with our server just before Christmas and replaced the
>> > > > motherboard and had to completely uninstall/reinstall IIS and Exchange with
>> > > > the PSS. I'm still not convinced that the motherboard was bad, but it is
>> > > > now in the hands of the vendor under warranty repair.
>> > > >
>> > > > PSS and I had the server back up and operational after several days.
>> > > >
>> > > > On the 4th, we started receiving tons of NDR's. On the 7th, the server
>> > > > slowed down to a near stop. I contacted PSS again only to find that we were
>> > > > relaying via our loopback ip. Also, dns entries were in the Default SMTP
>> > > > Virtual Server of our ISP. These were not added there when PSS and I
>> > > > completed the initial round.
>> > > >
>> > > > We removed the loopback ip from our relay list and the dns IP's from the
>> > > > Def. SMTP Vir. Server. Now email is functioning again.
>> > > >
>> > > > My big question is this: We thought we had the server completed when this
>> > > > issue appeared on the 7th. How do we know if other issues will randomly pop
>> > > > up and if we weren't hacked with a backdoor? In other words, the initial
>> > > > down time was caused by something (I don't believe it was hardware). How do
>> > > > I know if it was an attack and if the loopback/isp dns's were the result of
>> > > > a backdoor?
>> > > >
>> > > > Has anyone ever contacted MS Security group for PSS? I assume they have the
>> > > > tools and experience to maybe answer this question.
>> > > >
>> > > > I don't want anything else to come up and I'm seriously wondering if
>> > > > reformatting and starting over is the only secure way. I know that is
>> > > > rash--and I haven't decided to do that yet.
>> > > >
>> > > > I am merely querying the opinions of this group.
>> > > >
>> > > > And again, as always, I appreciate you more than the word "Thanks" can ever
>> > > > convey. The generosity and knowledge of this group is overwhelming. I
>> > > > doubt that I'll ever be able to provide the knowledge level that I
>> > > > receive--I can only keep trying.
>> > > >
>> > > > Marcia