
Connection from *.*.*.* was successfully authenticated (AUTH LOG

Status
Not open for further replies.

georgeks

IS-IT--Management
Dec 9, 2002
31
GR
Hi guys! I run an MS Exchange 5.5 server with SP3 installed on Win NT4 with SP6a and anything else that Microsoft has released for the OS. When I left the office last Friday everything was OK. Today when I opened my mail I had to download about 15000 notifications. I saw that the mail server was relaying thousands of mail messages (spam, about 50000 messages during the weekend). I freaked because last year I had this "open relay" problem and it took me a few days to work it out. I checked the relay restrictions and they were all there. I tried to relay without authentication and the server reported 550.....
After hours of searching log files I noticed that before the mass mailing there was a connection where the message was
"Connection from 211.158.43.73 was successfully authenticated (AUTH LOGIN) as \admin." After playing with the restrictions in IMS and restarting the server I saw another message saying "Connection from 211.158.*.* (don't remember the numbers) was successfully authenticated (AUTH LOGIN) as \webmaster"!!!
Right after that it started relaying spam as an authenticated user. I'm not an open relay, so what is that?
I'm really confused here.
Thanks for any reply.
 
I just started to see these same attempts on my server. So far, they have not been successful in logging on. I am doing some research now to see what I should do. I will share info with you, or have you resolved it?
 
No, I fixed it.
If you need info on the matter I can tell you what it is.
But if you just see failed connection attempts then you don't need to bother. Sorry for the late response, I'm currently on vacation.
george
 
I had the same thing happen to my server. A guy from China, 218.7.157.254, attempted to authenticate numerous times, for hours at a time. Good thing the authentication was unsuccessful. I have tried to use the firewall to ignore this address but it doesn't seem to work.

This guy had attempted:

/administrator
/admin
/webmaster
/web
/abc
/test

He seemed to love my server for some reason because he comes back once in a while. hehehe

What can I do to let this jerk know that I am watching them? Specifically, what else can I do?
 
I'm kind of glad to see that I'm not the only one being 'hacked' by this guy in China. He has used admin, web, webmaster, etc... dennisbbb (MIS), don't feel bad... he loves my computer as well. He sends about 6 attempts every 6 to 12 hours.

If anyone can post a solution on how to stop these attempts it would be appreciated.

In the meantime, make sure these common user names (admin, web, webmaster, etc.) as well as your users have a good password associated with them to prevent unauthorized logins.
 
Hi, sorry for the late post, I was on vacation. Here's what I did:
It started during the second week of July.

1) The spammer sends out mail as an authenticated user. I came across these usernames:
admin
root
webmaster
www
data
server
test
So I created these usernames and put a strong password on them, and when the spammer was trying to authenticate he failed.
This stopped the relaying problem, but I still have a lot of failed authentication attempts.

2) I used easy to guess or easy to remember passwords because the users of my network are people who don't know much about computers, and long funny passwords confused them. I changed that. Now we use only strong passwords. There are several programs that might help you generate good passwords.

3) I disabled the guest account. I DIDN'T delete it.

4) I deleted accounts that previous administrators had left on the server. Actually there is no reason for more than 2 admin accounts: the ordinary one and a backup. I found about 5 or 6 on the server.

5) I disabled all the NDRs. You can do that in Exchange Admin.

6) READ these links, they are VERY important, AND apply the patch. As you'll see, there is a flaw in the SMTP service in Exchange 5.5, either on Win NT 4.0 or Win 2000, that allows someone outside your company to authenticate as a user of your company and send out mail. The fix was released AFTER SP4 for Exchange 5.5, so even if you have SP4 installed you're still affected by the flaw.





Microsoft says that if you install the fix you're OK. But I'm sure that it was a combination of all these steps that stopped the spam from passing through my server.
I STILL have many failed authentication attempts, but it looks like everything is working fine now. I even deleted the accounts that I created to stop the spammer from authenticating, and although he is trying to connect he fails.
The SMTP service is working fine. If you want to stop even the connection attempts, my best bet is to ban the IPs on a firewall or a router. I tried with the firewall and it worked. But I don't want to go through that because I'm afraid I might cut off legitimate mail.

7) Finally, if for some reason you don't want to do anything from what I have described, or you just want to increase the security on your server even more, you can go to Exchange Administrator, open the properties for the Internet Mail Service and you'll see a tab called Delivery Restrictions. It has 2 columns: one says "Accept messages from" and the other "Reject messages from". Put all your legitimate domain users in the "Accept messages from" list, apply, restart IMS and you're done. Even if someone authenticates as a domain user, he won't be on your "Accept messages from" list, so his mail is automatically rejected.

I hope it works out for you guys as it did for me.
Good luck,
george
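The thread turns on spotting two things in the IMS log: a successful AUTH LOGIN from an outside address as a generic account (admin, webmaster, root, ...) and long runs of failed attempts from one source. The following is an added example, not code from the thread or from Microsoft: a small Python checker that parses log lines in the format quoted above and raises both kinds of alert. The sample log is constructed; the success line mirrors the wording quoted in the thread, while the timestamp prefix, the wording of the failure line, the internal address ranges and the failure threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the IMS message quoted in the thread
# ("Connection from <ip> was successfully authenticated (AUTH LOGIN) as \<user>").
# The timestamp prefix and the wording of the failure line are assumptions;
# the thread only shows the success wording.
SAMPLE_LOG = """\
2002-07-13 02:11:04 Connection from 211.158.43.73 was successfully authenticated (AUTH LOGIN) as \\admin
2002-07-13 02:11:09 Connection from 218.7.157.254 failed authentication (AUTH LOGIN) as \\administrator
2002-07-13 02:11:12 Connection from 218.7.157.254 failed authentication (AUTH LOGIN) as \\admin
2002-07-13 02:11:15 Connection from 218.7.157.254 failed authentication (AUTH LOGIN) as \\webmaster
2002-07-13 02:11:18 Connection from 218.7.157.254 failed authentication (AUTH LOGIN) as \\web
2002-07-13 02:11:21 Connection from 218.7.157.254 failed authentication (AUTH LOGIN) as \\abc
2002-07-13 02:11:24 Connection from 218.7.157.254 failed authentication (AUTH LOGIN) as \\test
2002-07-13 08:30:00 Connection from 192.168.1.25 was successfully authenticated (AUTH LOGIN) as \\jsmith
2002-07-13 08:31:10 Message queued for delivery to example.net
2002-07-13 21:45:02 Connection from 203.0.113.9 was successfully authenticated (AUTH LOGIN) as \\jsmith
"""

# Generic account names the posters report the spammer trying.
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "webmaster", "www", "web",
                    "data", "server", "test", "abc"}

# Assumed: address ranges from which legitimate AUTH LOGIN sessions are expected.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

AUTH_RE = re.compile(
    r"Connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<result>was successfully authenticated|failed authentication) "
    r"\(AUTH LOGIN\) as \\(?P<user>\S+)"
)


def parse_auth_events(text):
    """Return one dict per AUTH LOGIN line: {'ip', 'user', 'success'}. Other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "user": m.group("user").rstrip("."),   # the quoted line ends with a period
            "success": m.group("result").startswith("was successfully"),
        })
    return events


def is_internal(ip):
    """True if the source address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events, failure_threshold=5):
    """Flag successful logins that look like account abuse and sources with many failures."""
    failures = Counter()
    suspicious = []
    for e in events:
        if e["success"]:
            reasons = []
            if e["user"].lower() in GENERIC_ACCOUNTS:
                reasons.append("generic account name")
            if not is_internal(e["ip"]):
                reasons.append("external source")
            if reasons:
                suspicious.append((e["ip"], e["user"], reasons))
        else:
            failures[e["ip"]] += 1
    brute_force = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return {"suspicious_successes": suspicious, "brute_force_sources": brute_force}


if __name__ == "__main__":
    report = analyze(parse_auth_events(SAMPLE_LOG))
    for ip, user, reasons in report["suspicious_successes"]:
        print(f"ALERT successful AUTH LOGIN from {ip} as {user}: {', '.join(reasons)}")
    for ip, n in report["brute_force_sources"].items():
        print(f"ALERT {n} failed AUTH LOGIN attempts from {ip}")
```

Run against the constructed sample, the checker flags the \admin login from 211.158.43.73 on both counts, flags the \jsmith login from 203.0.113.9 only because it comes from outside the assumed internal ranges, and reports 218.7.157.254 for six failed attempts, while the internal \jsmith login passes. The "external source" rule is the one to tune: a site whose users legitimately authenticate from home will want a per-user allow list instead of a flat network test.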
 