Help! Mail server has been compromised...

[DanglingPointer]

Somehow our mailserver has been compromised and is being used to transmit junk mail.

I finally got the story from our ISP who blocked the SMTP smarthost because we were transmitting huge amounts of junk mail. I had noticed the port scans on a certain IP address for a while, but had no idea this was the external IP address of our mailserver!

The only ports open from beyond the firewall(s) (we have 2 ADSL conns) are 80 and 25. We use 80 as a web file pickup point, and 25 for SMTP.

Using NTFILEMON from

http://www.sysinternals.com;

the only process I can see writing to the exchange database is "store.exe". I can't see anything writing to the mail queue, but it is absolutely clogged with junk mail...

Any ideas what the junk-mail sending program might be, and how to stop it? Also what security holes might have been exploited to install this in the first place?

*Really* hope someone can help here - i'm pretty new to the job, and theres no-one else here to ask...

 

[karmic]

What mailserver are you running? exchange? merak? domino?

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[Robnhood]

First place I would go is to:

http://www.abuse.net/relay.html

and I would check to see if my email server is an open relay.

I have a compiled a bunch of links that might also be helpful here:

http://www.securelyspeaking.com/modules.php?name=Web_Links&l_op=viewlink&cid=13

Craig

http://www.SecurelySpeaking.com

 

[DanglingPointer]

Hi

karmic - we are using Exchange 2000.

Our ISP already confirmed that we are not an open relay.

The problem appears to be related to the program "Gator" which was creating the junk mail. Once I removed Gator the junk mail stopped appearing in the queue.

So I phoned our ISP to get the block removed, which they did - but we still can't send mail.

I am not sure what the problem could now be, the worse case scenario is that a backdoor has been installed on the machine and exchange has been replaced by a trojan version. Outgoing mails are still being put in the queue though, so i'm clueless as to whats wrong.

 

[Spirit]

Gator is an Advertising plug in which lets you down load "Free" versions of software.

First your issue.

Can you send mail at all? Try sending an email to your ISP then to say hotmail or who ever verify whether it works at all.

Some companies will automatically block individuals / entire domains should even one piece of mail be considered spam / virus infected. This is mostly larger companies but there is a variety of software to do this. So it may be that you have to contact them individually to ensure that you are not black listed.

Can you send mail at all?

Secondly, who ever installed this software, you should get you e-policy and smack them round the head with it. I would also strongly recommend virus scanning everything just to be on the safe side.

 

[happytom]

I had the same problem, I called my ISP and they turned off port 25 off and I had to use thier smtp gateway for sending mail. If that is the case then you can forwared your mail to thier smtp server.
If that is not the case then you need to see if port 25 is open and running. Here are some questions that need to be answered: 1. Do you have a firewall? If you do then you need to see,test the open port. You can use Linux and use NMap to the ipaddress of the firewall to see what open ports you have, you can also telnet to port 25 and see if it is open that way.
Check if you have anyother programs that are running port 25.

Let me know
Happy.