Exchange mailboxes compromised - honeypot needed

Status
Not open for further replies.

Stevehewitt

IS-IT--Management
Jun 7, 2001
2,075
GB
Hi all,

Long story, but basically after I (network admin) left a company as the only network guy the company gave domain admin rights to about 4 other people (development managers - the company is a website development company).

Additionally, these people, and possibly more have been given the network default domain admin account details.

Now what's happened is that on the mail server, which is Exchange 2007 Ent, I've noticed that the permissions on all mailboxes across the company have been changed to allow the default domain admin full access. This means that anyone with the domain admin password can use OWA to look at ANYONE's mailbox.

This obviously isn't the default settings for Exchange, and therefore has been explicitly changed in the last few months.

Now the obvious solution is to simply change the default domain admin password and reset the permissions. But ideally we want to find out who has been doing this.

My question is how can I log / audit / trace who is accessing OWA. I'm really after an IP (external or internal), or some other identifying marks as like I mentioned there are at least 4 (maybe 5) people who use / know the domain admin account so logging by username is no good at all...

We have access to ISA server 2006 - would this provide adequate logging for OWA? E.G. IP, time, date, full URL, and agent string....

Cheers,




Steve.

"They have the internet on computers now!" - Homer Simpson
 
Question.
If you left the company, why are you accessing their server?
I assume you have been explicitly asked to?

--

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.


 
Yep - the company director has explicitly asked me for my assistance outside of my current employer's time as a freelance IT guy. The board was looking at options for the IT going forward and asked my opinion. I knew about the current security and he asked me to take a look - via a shadowed session on terminal services (which he screen recorded too).




Steve.

"They have the internet on computers now!" - Homer Simpson
 
Fair enough :)

You probably know more about this stuff than me (I'm quite inexperienced with Exchange but had reason to look at it closer lately) so apologies if I am off the mark here

Have you checked the logfiles in C:\WINDOWS\system32\LogFiles ? I think W3SVC1 may be what you need.

--

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.


 
Thanks for the replies guys:

Foamcow - cheers. Yeah, I've taken a look at the IIS logs which is a good start. However the username is a generic one so I can't use that, and it appears that it's being accessed from an internal server. E.G. Someone is RDP'ing into a server, then snooping at email from there.


EyeC - Cheers. Haven't used anything from sourceforge for a while so I'll give it a play.

Thanks again.

Steve.

"They have the internet on computers now!" - Homer Simpson
 
See if this article has anything you can use.


James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
While it might be "interesting" to set up a honeypot and catch the person doing this, I think it's a dangerous approach.

I would start by changing the password and restoring the correct permissions on the mailboxes immediately. I would lock everything down immediately. The person doing this obviously has no moral sense, so I doubt they would hesitate to delete or damage anything they have access to. If they see any sign of you setting up a trap for them, they might feel it's best to wipe out as much of the systems as they can to cover their tracks. On top of that you have the risk of stolen information putting the company at risk.

By not acting first to protect the company assets, you might be putting yourself at legal risk too. If damage is done after you were brought in to help or protect them, part of the blame will lie with you.

 
Personally I do not believe a honeypot will do anything. A honeypot's basic function is to allow the perp to believe they are on a valid server. Since they already had or have access they will know what you did.

If you want to catch the perp you can try this though... set up a mirrored exchange server on the same IP/network with full logging to a secured syslog server. Lock down your good exchange server. Keep an eye on the logs and you will have your perp but it is a lot of work.

 

The mailbox username is usually part of the OWA url - so in the IIS logs you can probably track a single IP looking at multiple mailbox accounts within a reasonable period (e.g. an hour or two etc), then you can see which of the privileged users' mailboxes are accessed with that same IP. You should be able to knock up a script that will do this for you at the end of each day and report back the unique ip and mailbox username combinations.

But don't be surprised if it's more than one person. Maybe the development managers wanted to be able to have more control over their developers...

=======================================
LessThanDot - The IT Community of the 21st Century

A smile is worth a thousand kind words. So smile, it's easy! :)
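The daily IIS-log script described in the post above, written here as an added example (not code from the thread or from any poster). It assumes the Exchange 2007 OWA convention of opening another user's mailbox via a `/owa/user@domain/` path, reads the W3C `#Fields:` header to find the `cs-uri-stem`, `c-ip`, `date` and `time` columns, and flags any client IP that opened two or more distinct mailboxes within a two-hour window. The log lines are constructed samples; even when the client IP turns out to be a terminal server, as Steve found, it still tells you which machine's RDP session logs to check next.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IIS W3C log lines (not real data from the thread).
# IIS writes spaces inside User-Agent as '+', so one split on ' ' is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-03-02 09:01:10 10.0.0.5 GET /owa/ - 443 CORP\\administrator 10.0.0.20 Mozilla/4.0 200
2009-03-02 09:02:30 10.0.0.5 GET /owa/alice@example.com/ - 443 CORP\\administrator 10.0.0.20 Mozilla/4.0 200
2009-03-02 09:15:02 10.0.0.5 GET /owa/bob@example.com/ ae=Folder 443 CORP\\administrator 10.0.0.20 Mozilla/4.0 200
2009-03-02 09:40:45 10.0.0.5 GET /owa/carol@example.com/ - 443 CORP\\administrator 10.0.0.20 Mozilla/4.0 200
2009-03-02 10:05:00 10.0.0.5 GET /owa/dave@example.com/ - 443 CORP\\dave 10.0.0.31 Mozilla/4.0 200
2009-03-02 14:30:00 10.0.0.5 GET /owa/erin@example.com/ - 443 CORP\\administrator 10.0.0.20 Mozilla/4.0 200
"""

# Assumed OWA 2007 path form for "open another mailbox": /owa/user@domain/...
MAILBOX_RE = re.compile(r"^/owa/([^/]+@[^/]+)/", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, parts))


def find_mailbox_browsing(text, window=timedelta(hours=2), min_mailboxes=2):
    """Map each suspicious client IP to every mailbox it opened via OWA.

    An IP is suspicious if, within any `window`-long period, it opened at
    least `min_mailboxes` distinct mailboxes (the username field is ignored
    because a shared admin account makes it useless, as the thread notes)."""
    hits = defaultdict(list)  # c-ip -> [(timestamp, mailbox)]
    for rec in parse_iis_log(text):
        m = MAILBOX_RE.match(rec["cs-uri-stem"])
        if not m:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        hits[rec["c-ip"]].append((ts, m.group(1).lower()))
    suspects = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {mb for t, mb in events[i:] if t - t0 <= window}
            if len(in_window) >= min_mailboxes:
                suspects[ip] = sorted({mb for _, mb in events})
                break
    return suspects
```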
 