Re: group opinion requested

From: Marcia (mkp_at_1248.com)
Date: 01/10/05


Date: Sun, 9 Jan 2005 20:33:11 -0500

I can remember Susan Bradley saying about a year or so ago that sometimes
the only way to be sure you're secure again is to start all over. I don't
want to misquote her because it was after several posts, and another series
of posts, but once you thought there was a security breach, the only true
way to be certain was to start again. Her comment was along that line.

Susan, you can chime in here too?

Marcia

"Matt Gibson" <mattg@blueedgetech.ca> wrote in message
news:OXn8Lyq9EHA.1296@TK2MSFTNGP10.phx.gbl...
> Keep us posted on how this goes.
>
> I didn't realize calling MS Security was a free call. Are there any caveats
> to it being free?
>
> I'm always paranoid when it comes to problems like this. IF there was a
> backdoor, then there could be a rootkit on the system, and those are near
> impossible to detect, since the OS is lying to you.
>
> Evvvilll..
>
> -Matt
>
> "Marcia" <mkp@1248.com> wrote in message
> news:eU85yjo9EHA.2828@TK2MSFTNGP10.phx.gbl...
> > Hi Marina,
> >
> > So am I reading you right that this last one was pretty normal? I'll
> > close port 80. I had it closed and Netopia told me to open it. I'll
> > contact MS Security just to be safe--especially since it's free. Thanks.
> >
> > Marcia
> >
> >
> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> > message
> > news:ucb%238Zo9EHA.2552@TK2MSFTNGP09.phx.gbl...
> >> Hi Marcia,
> >>
> >> If you are not hosting your own website, you can close port 80 inbound.
> >> Those email attacks are pretty common. You will also see some security
> >> alerts with usernames as webmaster, abc, root, admin etcetera.
> >>
> >> --
> >> Regards,
> >>
> >> Marina
> >> Microsoft SBS-MVP
> >> One of the Magical M&M's
> >>
> >> "Marcia" <mkp@1248.com> schreef in bericht
> >> news:eTg$fSo9EHA.3592@TK2MSFTNGP09.phx.gbl...
> >> > Thanks for replying again. I and PSS didn't think it was compromised
> >> > prior to this most recent event. We both believed the main problem
> >> > was due to the .NET patch.
> >> >
> >> > The ports I have opened are 25, 1723, 3389, 443, 4125, and 80 on the
> >> > router. We use OWA, RWW, our own SMTP email, and the Internet. Pretty
> >> > basic.
> >> >
> >> > When I asked PSS on Friday if she thought we were compromised, her
> >> > initial answer was no. She believes someone ran a port scan and found
> >> > port 25 open and spammed it with NDRs.
> >> >
> >> > I don't know. I've never experienced this before with any of my
> >> > clients.
> >> >
> >> > Thanks.
> >> >
> >> > Marcia
> >> >
> >> >
> >> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
> >> message
> >> > news:Og2j%23Ko9EHA.1392@tk2msftngp13.phx.gbl...
> >> > > Hi Marcia,
> >> > >
> >> > > If you suspect a security issue, you can call the MS Security Team.
> >> > > This is free. They will check your server thoroughly. Did/do you
> >> > > have any suspicion at all that the server might have been
> >> > > compromised? Which ports are open inbound?
> >> > >
> >> > > --
> >> > > Regards,
> >> > >
> >> > > Marina
> >> > > Microsoft SBS-MVP
> >> > > One of the Magical M&M's
> >> > >
> >> > > "Marcia" <mkp@1248.com> schreef in bericht
> >> > > news:u3iK3Ho9EHA.2196@TK2MSFTNGP11.phx.gbl...
> >> > > > Hi! I value the expertise from this news group, and I wanted to
> >> > > > seek your opinion on a security issue.
> >> > > >
> >> > > > We had problems with our server just before Christmas and replaced
> >> > > > the motherboard, and had to completely uninstall/reinstall IIS and
> >> > > > Exchange with PSS. I'm still not convinced that the motherboard was
> >> > > > bad, but it is now in the hands of the vendor under warranty
> >> > > > repair.
> >> > > >
> >> > > > PSS and I had the server back up and operational after several
> >> > > > days.
> >> > > >
> >> > > > On the 4th, we started receiving tons of NDRs. On the 7th, the
> >> > > > server slowed down to a near stop. I contacted PSS again only to
> >> > > > find that we were relaying via our loopback IP. Also, DNS entries
> >> > > > were in the Default SMTP Virtual Server of our ISP. These were not
> >> > > > added there when PSS and I completed the initial round.
> >> > > >
> >> > > > We removed the loopback IP from our relay list and the DNS IPs
> >> > > > from the Def. SMTP Vir. Server. Now email is functioning again.
> >> > > >
> >> > > > My big question is this: we thought we had the server completed
> >> > > > when this issue appeared on the 7th. How do we know if other issues
> >> > > > will randomly pop up, and if we weren't hacked with a backdoor? In
> >> > > > other words, the initial downtime was caused by something (I don't
> >> > > > believe it was hardware). How do I know if it was an attack, and if
> >> > > > the loopback/ISP DNSs were the result of a backdoor?
> >> > > >
> >> > > > Has anyone ever contacted the MS Security group for PSS? I assume
> >> > > > they have the tools and experience to maybe answer this question.
> >> > > >
> >> > > > I don't want anything else to come up, and I'm seriously wondering
> >> > > > if reformatting and starting over is the only secure way. I know
> >> > > > that is rash--and I haven't decided to do that yet.
> >> > > >
> >> > > > I am merely querying the opinions of this group.
> >> > > >
> >> > > > And again, as always, I appreciate you more than the word "Thanks"
> >> > > > can ever convey. The generosity and knowledge of this group is
> >> > > > overwhelming. I doubt that I'll ever be able to provide the
> >> > > > knowledge level that I receive--I can only keep trying.
> >> > > >
> >> > > > Marcia
> >> > > >
> >> > > >
> >> > >
> >> > >
> >> >
> >> >
> >>
> >>
> >
> >
>
>
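The two symptoms the original post describes, the server relaying mail for the loopback address and a flood of NDRs arriving on port 25, both leave traces in the SMTP service log. The following Python script is an added example, not part of the thread and not Microsoft's or anyone's tooling from the discussion: it walks a simplified, constructed log format (one SMTP command per line) and flags accepted relaying from hosts that are not on an explicit relay list, counts relay attempts the server correctly refused, and counts null-sender (bounce) messages per source so a backscatter storm stands out. LOCAL_DOMAINS, RELAY_ALLOWED, NDR_THRESHOLD, the log layout and every sample line are assumptions made up for the example.

```python
# Added example, not from the thread: a defender-side check over SMTP
# service logs for the two symptoms described in the original post (the
# server relaying for a host that should not be allowed to, here the
# loopback address, and a storm of null-sender bounce messages / NDRs).
# The log format, the sample lines, LOCAL_DOMAINS, RELAY_ALLOWED and
# NDR_THRESHOLD are all constructed assumptions for this example.
from collections import Counter

LOCAL_DOMAINS = {"example.com"}   # assumption: domains this server accepts mail for
RELAY_ALLOWED = {"192.0.2.10"}    # assumption: hosts permitted to relay outbound
NDR_THRESHOLD = 2                 # assumption: bounces per source that count as a storm

# Constructed log lines, one SMTP command each:
# "<client-ip> <command> <argument> <status>"
SAMPLE_LOG = """\
198.51.100.7 MAIL FROM:<> 250
198.51.100.7 RCPT TO:<alice@example.com> 250
127.0.0.1 MAIL FROM:<spammer@example.net> 250
127.0.0.1 RCPT TO:<victim1@example.org> 250
127.0.0.1 RCPT TO:<victim2@example.org> 250
192.0.2.10 MAIL FROM:<app@example.com> 250
192.0.2.10 RCPT TO:<partner@example.org> 250
203.0.113.5 MAIL FROM:<> 250
203.0.113.5 RCPT TO:<bob@example.com> 250
203.0.113.5 MAIL FROM:<> 250
203.0.113.5 RCPT TO:<carol@example.com> 250
203.0.113.9 MAIL FROM:<x@example.net> 250
203.0.113.9 RCPT TO:<outside@example.org> 550
"""


def parse_line(line):
    """Split one constructed log line into (client_ip, command, argument, status)."""
    ip, cmd, arg, status = line.split(maxsplit=3)
    return ip, cmd, arg, int(status)


def recipient_domain(arg):
    """Extract the domain from an argument of the form TO:<user@domain>."""
    addr = arg.split("<", 1)[1].rstrip(">")
    return addr.rsplit("@", 1)[-1].lower()


def analyze(log_text):
    """Return per-source relay, refusal and bounce counts plus human-readable findings."""
    relayed = Counter()   # client ip -> accepted recipients outside LOCAL_DOMAINS
    rejected = Counter()  # client ip -> relay attempts the server correctly refused
    bounces = Counter()   # client ip -> accepted messages with the null sender (NDRs)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, cmd, arg, status = parse_line(line)
        if cmd == "MAIL":
            if arg == "FROM:<>" and status == 250:
                bounces[ip] += 1
        elif cmd == "RCPT":
            if recipient_domain(arg) in LOCAL_DOMAINS:
                continue  # inbound mail for our own domain is not relaying
            if status != 250:
                rejected[ip] += 1
            elif ip not in RELAY_ALLOWED:
                relayed[ip] += 1

    findings = []
    for ip, n in sorted(relayed.items()):
        why = ("loopback is on the relay list, so any local process can send outbound"
               if ip.startswith("127.") else "host is not on the relay list")
        findings.append(f"RELAY {ip}: {n} accepted external recipients ({why})")
    for ip, n in sorted(bounces.items()):
        if n >= NDR_THRESHOLD:
            findings.append(f"NDR STORM {ip}: {n} null-sender messages accepted")
    return {"relayed": dict(relayed), "rejected": dict(rejected),
            "bounces": dict(bounces), "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

On the sample data the script reports the loopback client relaying to two external recipients and one source sending two bounce messages, while the refused attempt from 203.0.113.9 and the permitted relay from 192.0.2.10 are counted but not flagged. The design point is that relaying is judged by recipient domain plus an explicit allowlist of relay hosts, which is exactly the control the original post ended up tightening when the loopback address was removed from the relay list.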