Re: group opinion requested

From: Marina Roos [SBS-MVP] (marina_at_roos.nodontwantspam.nl.com)
Date: 01/10/05 

Date: Mon, 10 Jan 2005 02:00:05 +0100

Hi Matt,

Yes, at least in the US it is free and of course 24/7 available. Wouldn't
even know about Europe.... 

-- 
Regards,
Marina
Microsoft SBS-MVP
One of the Magical M&M's
"Matt Gibson" <mattg@blueedgetech.ca> schreef in bericht
news:OXn8Lyq9EHA.1296@TK2MSFTNGP10.phx.gbl...
> Keep us posted on how this goes.
>
> I didn't realize calling MS Security was a free call.  Are there any
caveats
> to it being free?
>
> I'm always paranoid when it comes to problems like this.  IF there was a
> backdoor, then there could be a rootkit on the system, and those are near
> impossible to detect, since the OS is lying to you.
>
> Evvvilll..
>
> -Matt
>
> "Marcia" <mkp@1248.com> wrote in message
> news:eU85yjo9EHA.2828@TK2MSFTNGP10.phx.gbl...
> > Hi Marina,
> >
> >     So am I reading you right that this last one was pretty normal?
I'll
> > close port 80.  I had it closed and Netopia told me to open it.  I'll
> > contact MS Security just to be safe--especially since it's free.
Thanks.
> >
> > Marcia
> >
> >
> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> > message
> > news:ucb%238Zo9EHA.2552@TK2MSFTNGP09.phx.gbl...
> >> Hi Marcia,
> >>
> >> If you are not hosting your own website, you can close port 80 inbound.
> >> Those email attacks are pretty common. You will also see some security
> >> alerts with usernames as webmaster, abc, root, admin etcetera.
> >>
> >> -- 
> >> Regards,
> >>
> >> Marina
> >> Microsoft SBS-MVP
> >> One of the Magical M&M's
> >>
> >> "Marcia" <mkp@1248.com> schreef in bericht
> >> news:eTg$fSo9EHA.3592@TK2MSFTNGP09.phx.gbl...
> >> > Thanks for replying again.  I and PSS didn't think it was copromised
> > prior
> >> > to this most recent event.  We both believed the main problem being
due
> > to
> >> > the .NET patch.
> >> >
> >> > The ports I have opened are 25, 1723, 3389, 443, 4125, and 80 on the
> >> router.
> >> > We use OWA, RWW, our own smtp email, and the Internet.  Pretty basic.
> >> >
> >> > When I asked PSS on Friday if she thought we were compromised, her
> > initial
> >> > answer was no.  She believes someone ran a port scan and found port
25
> >> open
> >> > and spammed it with NDR's.
> >> >
> >> > I don't know.  I've never experienced this before with any of my
> > clients.
> >> >
> >> > Thanks.
> >> >
> >> > Marcia
> >> >
> >> >
> >> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> >> message
> >> > news:Og2j%23Ko9EHA.1392@tk2msftngp13.phx.gbl...
> >> > > Hi Marcia,
> >> > >
> >> > > If you suspect a security issue, you can call the MS Security Team.
> > This
> >> > is
> >> > > free. They will check your server thoroughly. Did/do you have any
> >> > suspicion
> >> > > at all that the server might have been compromised? Which ports are
> > open
> >> > > inbound?
> >> > >
> >> > > -- 
> >> > > Regards,
> >> > >
> >> > > Marina
> >> > > Microsoft SBS-MVP
> >> > > One of the Magical M&M's
> >> > >
> >> > > "Marcia" <mkp@1248.com> schreef in bericht
> >> > > news:u3iK3Ho9EHA.2196@TK2MSFTNGP11.phx.gbl...
> >> > > > Hi!  I value the expertise from this news group, I wanted to seek
> > your
> >> > > > opinion on a security issue.
> >> > > >
> >> > > > We had problems with our server just before Christmas and
replaced
> > the
> >> > > > motherboard and had to completely uninstall/reinstall IIS and
> > Exchange
> >> > > with
> >> > > > the PSS.  I'm still not convinced that the motherboard was bad,
but
> > it
> >> > is
> >> > > > now in the hands of the vendor under warranty repair.
> >> > > >
> >> > > > PSS and I had the server back up and operational after several
> >> > > > days.
> >> > > >
> >> > > > On the 4th, we started receiving tons of NDR's.  In the 7th, the
> >> server
> >> > > > slowed down to a near stop.  I contacted PSS again only to find
> >> > > > that
> >> we
> >> > > were
> >> > > > relaying via our loopback ip.  Also, dns entries were in the
> >> > > > Default
> >> > SMTP
> >> > > > Virtual Server of our ISP.  These were not added there when PSS
and
> > I
> >> > > > completed the initial round.
> >> > > >
> >> > > > We removed the loopback ip from our relay list and the dns IP's
> >> > > > from
> >> the
> >> > > > Def. SMTP Vir. Server.  Now email is functioning again.
> >> > > >
> >> > > > My big question is this:  We thought we had the server completed
> > when
> >> > this
> >> > > > issue appeared on the 7th.  How do we know if other issues will
> >> randomly
> >> > > pop
> >> > > > up and if we weren't hacked with a backdoor?  In otherwords, the
> >> initial
> >> > > > down time was caused by something (I don't believe it was
> >> > > > hardware).
> >> > How
> >> > > do
> >> > > > I know if it was an attack and if the loopback/isp dns's were the
> >> result
> >> > > of
> >> > > > a backdoor?
> >> > > >
> >> > > > Has anyone ever contacted MS Security group for PSS?  I assume
they
> >> have
> >> > > the
> >> > > > tools and experience to maybe answer this question.
> >> > > >
> >> > > > I don't want anything else to come up and I'm seriously wondering
> >> > > > if
> >> > > > reformatting and starting over is the only secure way.  I know
that
> > is
> >> > > > rash--and I haven't decided to do that yet.
> >> > > >
> >> > > > I am merely querying the opinions of this group.
> >> > > >
> >> > > > And again, as always, I appreciate you more than the word
"Thanks"
> > can
> >> > > ever
> >> > > > convey.  The generousity and knowledge of this group is
> > overwhelming.
> >> I
> >> > > > doubt that I'll ever be able to provide the knowledge level that
I
> >> > > > recieve--I can only keep trying.
> >> > > >
> >> > > > Marcia
> >> > > >
> >> > > >
> >> > >
> >> > >
> >> >
> >> >
> >>
> >>
> >
> >
>
>