Re: group opinion requested


From: Matt Gibson (mattg_at_blueedgetech.ca)
Date: 01/10/05


Date: Sun, 9 Jan 2005 17:08:06 -0800

Interesting.

I'm in Canada...I think I'll do some looking into that.

-Matt

"Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
news:Og2Sf$q9EHA.3336@TK2MSFTNGP11.phx.gbl...
> Hi Matt,
>
> Yes, at least in the US it is free and of course 24/7 available. Wouldn't
> even know about Europe....
>
> --
> Regards,
>
> Marina
> Microsoft SBS-MVP
> One of the Magical M&M's
>
> "Matt Gibson" <mattg@blueedgetech.ca> schreef in bericht
> news:OXn8Lyq9EHA.1296@TK2MSFTNGP10.phx.gbl...
>> Keep us posted on how this goes.
>>
>> I didn't realize calling MS Security was a free call. Are there any caveats
>> to it being free?
>>
>> I'm always paranoid when it comes to problems like this. IF there was a
>> backdoor, then there could be a rootkit on the system, and those are near
>> impossible to detect, since the OS is lying to you.
>>
>> Evvvilll..
>>
>> -Matt
>>
>> "Marcia" <mkp@1248.com> wrote in message
>> news:eU85yjo9EHA.2828@TK2MSFTNGP10.phx.gbl...
>> > Hi Marina,
>> >
>> > So am I reading you right that this last one was pretty normal? I'll
>> > close port 80. I had it closed and Netopia told me to open it. I'll
>> > contact MS Security just to be safe--especially since it's free. Thanks.
>> >
>> > Marcia
>> >
>> >
>> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
>> > news:ucb%238Zo9EHA.2552@TK2MSFTNGP09.phx.gbl...
>> >> Hi Marcia,
>> >>
>> >> If you are not hosting your own website, you can close port 80 inbound.
>> >> Those email attacks are pretty common. You will also see some security
>> >> alerts with usernames as webmaster, abc, root, admin etcetera.
>> >>
>> >> --
>> >> Regards,
>> >>
>> >> Marina
>> >> Microsoft SBS-MVP
>> >> One of the Magical M&M's
>> >>
>> >> "Marcia" <mkp@1248.com> schreef in bericht
>> >> news:eTg$fSo9EHA.3592@TK2MSFTNGP09.phx.gbl...
>> >> > Thanks for replying again. I and PSS didn't think it was compromised prior
>> >> > to this most recent event. We both believed the main problem being due to
>> >> > the .NET patch.
>> >> >
>> >> > The ports I have opened are 25, 1723, 3389, 443, 4125, and 80 on the router.
>> >> > We use OWA, RWW, our own smtp email, and the Internet. Pretty basic.
>> >> >
>> >> > When I asked PSS on Friday if she thought we were compromised, her initial
>> >> > answer was no. She believes someone ran a port scan and found port 25 open
>> >> > and spammed it with NDR's.
>> >> >
>> >> > I don't know. I've never experienced this before with any of my clients.
>> >> >
>> >> > Thanks.
>> >> >
>> >> > Marcia
>> >> >
>> >> >
>> >> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
>> >> message
>> >> > news:Og2j%23Ko9EHA.1392@tk2msftngp13.phx.gbl...
>> >> > > Hi Marcia,
>> >> > >
>> >> > > If you suspect a security issue, you can call the MS Security Team. This is
>> >> > > free. They will check your server thoroughly. Did/do you have any suspicion
>> >> > > at all that the server might have been compromised? Which ports are open
>> >> > > inbound?
>> >> > >
>> >> > > --
>> >> > > Regards,
>> >> > >
>> >> > > Marina
>> >> > > Microsoft SBS-MVP
>> >> > > One of the Magical M&M's
>> >> > >
>> >> > > "Marcia" <mkp@1248.com> schreef in bericht
>> >> > > news:u3iK3Ho9EHA.2196@TK2MSFTNGP11.phx.gbl...
>> >> > > > Hi! I value the expertise from this news group, I wanted to seek your
>> >> > > > opinion on a security issue.
>> >> > > >
>> >> > > > We had problems with our server just before Christmas and replaced the
>> >> > > > motherboard and had to completely uninstall/reinstall IIS and Exchange with
>> >> > > > the PSS. I'm still not convinced that the motherboard was bad, but it is
>> >> > > > now in the hands of the vendor under warranty repair.
>> >> > > >
>> >> > > > PSS and I had the server back up and operational after several days.
>> >> > > >
>> >> > > > On the 4th, we started receiving tons of NDR's. On the 7th, the server
>> >> > > > slowed down to a near stop. I contacted PSS again only to find that we were
>> >> > > > relaying via our loopback ip. Also, dns entries were in the Default SMTP
>> >> > > > Virtual Server of our ISP. These were not added there when PSS and I
>> >> > > > completed the initial round.
>> >> > > >
>> >> > > > We removed the loopback ip from our relay list and the dns IP's from the
>> >> > > > Def. SMTP Vir. Server. Now email is functioning again.
>> >> > > >
>> >> > > > My big question is this: We thought we had the server completed when this
>> >> > > > issue appeared on the 7th. How do we know if other issues will randomly pop
>> >> > > > up and if we weren't hacked with a backdoor? In other words, the initial
>> >> > > > down time was caused by something (I don't believe it was hardware). How do
>> >> > > > I know if it was an attack and if the loopback/isp dns's were the result of
>> >> > > > a backdoor?
>> >> > > >
>> >> > > > Has anyone ever contacted MS Security group for PSS? I assume they have the
>> >> > > > tools and experience to maybe answer this question.
>> >> > > >
>> >> > > > I don't want anything else to come up and I'm seriously wondering if
>> >> > > > reformatting and starting over is the only secure way. I know that is
>> >> > > > rash--and I haven't decided to do that yet.
>> >> > > >
>> >> > > > I am merely querying the opinions of this group.
>> >> > > >
>> >> > > > And again, as always, I appreciate you more than the word "Thanks" can ever
>> >> > > > convey. The generosity and knowledge of this group is overwhelming. I
>> >> > > > doubt that I'll ever be able to provide the knowledge level that I
>> >> > > > receive--I can only keep trying.
>> >> > > >
>> >> > > > Marcia
>> >> > > >
>> >> > > >
>> >> > >
>> >> > >
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>

