Exchange server problems...Relay restrictions....

Discussion in 'OT Technology' started by fintheman, Feb 14, 2007.

  1. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Could someone please list me any logical reasons why someone would allow SMTP relays from subnets inside of a LAN when there is only one Exchange server?

    This is on a college campus network mind you, granted, the subnet is "faculty," we all know how that can go.

    And an entry of 10.10.0.0 ???? Aren't there publicly available IPs in that range?

    This server is just getting hijacked - and it had 4400 virtual SMTP servers in the queue when I got to it. All kinds of odd shit going to Taiwan. (yes, it was spamming). I don't know how long it has been going on here, but I've quelled the fire, and there are only a few .tw connections, and I block em when I notice there are active sessions that last for a while. Of course, blocking an IP is not a solution either.

    The mails do not have [email protected], so it isn't a reverse NDR attack. The SMTP does not register as open to mxtoolkit.com / dnsstuff.com.

    I've been into the packet shaper and I can't find any odd port usage, just normal use except for the bump in SMTP traffic coming from the exchange server.

    Any thoughts, or questions?

    My thoughts...

    There is a computer that is on one of those subnets that is using that open relay. Solution would be to close all relaying. (I need to run smtp logging, to see if I can get some LAN IP addresses out of the shit)
     
  2. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    I believe that 10.10.x.x is the IP range for a Class 2 private network, like how 192.168.0.x is the IP range for a Class 3 private network.

    The only reason I can think of why SMTP relays would be allowed inside a private network is if there are, or there used to be, multiple email servers maintained by separate departments, regardless of whether people are "supposed" to be using the single Exchange server.

    I would shut off all relaying and then manually approve specific exceptions as needed, rather than trying to make a proven-insecure approach work.
     
  3. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    That's exactly what I thought.....I just wasn't sure if those exceptions were actually put there for a good reason before I took them out.
     
  4. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    2007-02-14 19:06:19 202.83.173.156 none-dc16a5cd2d SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 37 34 0 SMTP - - - -
    2007-02-14 19:06:19 202.83.173.156 none-dc16a5cd2d SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 33 30 0 SMTP - - - -
    2007-02-14 19:06:19 202.83.173.156 none-dc16a5cd2d SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 34 31 0 SMTP - - - -
    2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 MAIL - +FROM:<[email protected]> 250 0 68 55 0 SMTP - - - -
    2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 36 33 0 SMTP - - - -
    2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 32 29 0 SMTP - - - -
    2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 36 33 0 SMTP - - - -
    2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 34 31 0 SMTP - - - -
    2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 30 27 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 DATA - <[email protected]> 250 0 138 6980 1625 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 DATA - <[email protected]> 250 0 138 6967 2672 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 MAIL - +FROM:<[email protected]> 250 0 68 55 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 39 36 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 35 32 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 33 30 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 33 30 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 36 33 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 34 31 0 SMTP - - - -
    2007-02-14 19:06:22 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 37 34 0 SMTP - - - -
    2007-02-14 19:06:23 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 MAIL - +FROM:<[email protected]> 250 0 68 55 0 SMTP - - - -
    2007-02-14 19:06:23 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 34 31 0 SMTP - - - -
    2007-02-14 19:06:23 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 32 29 0 SMTP - - - -
    2007-02-14 19:06:23 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 35 32 0 SMTP - - - -
    2007-02-14 19:06:23 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 35 32 0 SMTP - - - -
    2007-02-14 19:06:23 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<[email protected]> 250 0 30 27 0 SMTP - - - -
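    The log above is the IIS SMTP service's W3C extended format: client IP in the third field, SMTP command in the ninth, its argument in the eleventh and the server's status code in the twelfth. The script below is an added example, not from the thread, that tallies accepted RCPT commands per client IP and flags external clients that were allowed to address non-local recipients, which is the relay-from-outside pattern visible in the 250 responses to 221.6.15.156. The campus domain and subnet are assumptions, and the sample lines are constructed with made-up addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the IIS SMTP W3C layout seen in the thread:
# date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method
# cs-uri-stem cs-uri-query sc-status ...  (addresses/domains are made up)
SAMPLE_LOG = """\
2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 MAIL - +FROM:<spammer@example.net> 250 0 68 55 0 SMTP - - - -
2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<victim1@example.org> 250 0 36 33 0 SMTP - - - -
2007-02-14 19:06:19 221.6.15.156 20060305-yfxl52 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<victim2@example.org> 250 0 32 29 0 SMTP - - - -
2007-02-14 19:06:20 10.10.4.77 copier-lib1 SMTPSVC1 BCMAIL 10.10.0.10 0 MAIL - +FROM:<scanner@college.example> 250 0 68 55 0 SMTP - - - -
2007-02-14 19:06:20 10.10.4.77 copier-lib1 SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<prof@college.example> 250 0 36 33 0 SMTP - - - -
2007-02-14 19:06:21 198.51.100.9 mx.partner.example SMTPSVC1 BCMAIL 10.10.0.10 0 RCPT - +TO:<other@example.org> 550 0 36 33 0 SMTP - - - -
"""

LOCAL_DOMAINS = {"college.example"}                 # assumed campus mail domain
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed campus RFC 1918 space


def parse_line(line):
    """Split one W3C log line into the fields the relay check needs."""
    f = line.split()
    if len(f) < 12 or f[0].startswith("#"):
        return None
    return {"client": f[2], "helo": f[3], "method": f[8],
            "arg": f[10], "status": f[11]}


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def relay_report(log_text):
    """Return (accepted RCPTs per client, relayed RCPTs per client).
    A relayed RCPT is one the server answered 250 for a client outside
    LOCAL_NETS naming a recipient outside LOCAL_DOMAINS."""
    accepted = defaultdict(int)
    relayed = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "RCPT" or rec["status"] != "250":
            continue   # only accepted recipients matter; 5xx rejections are fine
        accepted[rec["client"]] += 1
        rcpt_domain = rec["arg"].rstrip(">").rsplit("@", 1)[-1].lower()
        if not is_local_ip(rec["client"]) and rcpt_domain not in LOCAL_DOMAINS:
            relayed[rec["client"]] += 1
    return dict(accepted), dict(relayed)
```

    Any client IP that shows up in the second dictionary is being allowed to relay, which is what the connector's relay restrictions (or the firewall) should have stopped.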
     
  5. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    10.x.x.x is the Private Class A address. One reason we have specific IP addresses is for copiers that can scan and email PDFs.

    You don't have a problem with people outside of your network spamming - it's computers inside.
     
  6. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Actually, I think I narrowed this shit down.

    It's a fucking mass-mailing worm.
     
  7. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Class A, huh? I coulda sworn it was Class B (or as I mis-termed it, Class 2). Oh well. What's the real Class B IP range?
     
  8. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Well, that fits with what you were seeing...so those SMTP relays may well have been created by the worm to make it virtually impossible to block. Can you disable all relaying with a single click, or are you going to have to hunt it down box by box?

    The approach my college took to this was to automatically and instantly block any computer observed to be broadcasting worms. You had to go to the helpdesk with your MAC address (or failing that, your computer itself) before they would unblock you.
     
  9. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    There are 5 ranges: A through E

    A: 1.0.0.1 -- 126.255.255.254
    B: 128.1.0.1 -- 191.255.255.254
    C: 192.0.1.1 -- 223.255.254.254
    D: 224.0.0.0 -- 239.255.255.255 (Reserved)
    E: 240.0.0.0 -- 254.255.255.254 (Reserved)
     
  10. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    That's not quite what I meant. There are ranges reserved for exclusive use by private networks, such that no public ping can reach a computer on the "inside" without passing through a router providing NAT. 192.168.0.x is the reserved range for small private networks with single subnets, hence why home routers use that range; there are two other ranges, one allowing multiple values in bytes 3 and 4, and the other allowing multiple values in bytes 2, 3, and 4. What are these reserved IP ranges again?
     
  11. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    10.0.0.0 -- 10.255.255.255 is the Class A Reserved Internal Usage
    172.16.0.0 -- 172.31.255.255 is the Class B Reserved Internal Usage
    192.168.0.0 -- 192.168.255.255 is the Class C Reserved Internal Usage
     
  12. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Holy shit...

    I gotta track this shit down one way or the other.

    The server has nothing on it / I've run every tool known to mankind. I gotta track down w/e the hell is on this network causing that crap....
     
  13. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Ahh.
     
  14. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Student PCs.
     
  15. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Gawh, I wish I had better tools to monitor the network bandwidth/ports, etc.

    I gotta try to do this from the packetshaper....
     
  16. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    So... why don't you just shut down the internal relay?
     
  17. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    It sounds like the relays might be provided by SMTP servers created and operated by the worm itself. Without hunting down every instance of the worm, he might never get it under control.
     
  18. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Correct, there is 0 relaying on.
     
  19. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Ehh, too bad I'm doing all of this remotely, I have a feeling if I set up another machine with the SMTP service on it as a honeypot, I could track it down a little faster.

    I've been monitoring connections, and found one odd culprit. (it keeps a virtual SMTP server open for 60 secs + and it's on the local IP)
     
  20. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Go Gestapo on it. Deny access to every machine you suspect of causing problems first, and clean up the mess later.
     
  21. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Done. Found backdoor.win32.delf.tz on it -

    It has like 12 concurrent connections to the exchange server and will keep a session open for at least 120 seconds at a time in the SMTP virtual servers.
     
  22. MattR2

    MattR2 New Member

    Joined:
    Sep 6, 2004
    Messages:
    408
    Likes Received:
    0
    Sounds like you're going about it the right way. Forget the honeypot idea. It's a nice little tech dream but it will just take you all day to set up and then fuck around with to get it working just right. Leave that bullshit to slashdot wet dream kiddies.

    If you've already shut down relaying you're set. If you're still having connections then the server is probably infected, sounds like you figured this out already. Still having any problems?
     
  23. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    I got it figured out, kind of.

    There IS something wrong with the Exchange server, it was relaying connections from the outside.

    I had to make a rule in the firewall to stop inbound smtp connections, and it stopped the shit.

    Fucking MS exploits or some shit.
     
  24. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Umm

    If you prevent SMTP inbound connections, your Exchange server can't receive valid emails from outside of your firewall.
     
  25. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    :noes:
     