
IIS AND XCHANGE 5.5 on the same box


manicman

IS-IT--Management
Jul 20, 2001
1
US
Hello. I know it is a no-no, but my money constraints are tight and I don't need to hear about shouldn't run this with that from MS on One Box (believe me, I know; I've been a tech since '81), but I have an IIS4 / NT4 SP6a / Exchange 5.5 box running swimmingly. When I switched on SMTP in IIS4, I experienced an Exchange crash. This, I have found out, is not an isolated incident; it has been verified by colleagues in Ca., Colorado and N.Y. So I ask, humbly, is there an SMTP workaround, such as postcast, or something that won't cost $900 like sendmail for NT, that will work as a generic, happy, yippy skippy SMTP server without thrashing the other components?

Yes, I could roll back to 5.0, but that is currently out of the question, since I have only one server box!!! And a side-by-side reinstallation is sketchy.

Please to Help!
 
Well, I was running Exchange 5.5 and IIS 4.0 seamlessly on the same box. However, as of 5 days ago I discovered the box had been HACKED multiple times. The box was totally compromised!!!!!!!!!!!!

IIS 4.0 was exploited and several utilities were uploaded onto my box: SUD.exe and firedaemon.exe.

The punks then had total control of the box / IIS site. They set up their own base of operation for their EVIL purposes on my Exchange server. I am not totally sure what EVIL had been perpetrated from my box. I know that it went unnoticed for two weeks.

I would not run IIS and Exchange on the same box again. For that matter I wonder how secure these products really are. It seems like a good reason to migrate to HP openmail.

-Danny






 
Turn off the SMTP service. It is interfering with Exchange. Exchange wants to use its own SMTP, not the one bundled with IIS.
 
There are a couple of KB articles on this regarding a conflict of TCP ports (see NETSTAT -A) when using SMTP and IIS, especially in the Windows 2000 environment but also NT from memory.

 
What is the firedaemon? I'm a 'fresh' admin and found it on my Exchange Box. What is it and what do I do? I know it's not supposed to be there.

Can you point me to some info?

Jason Wilder
IT/CAD Manager
 
You can use IIS and Exchange seamlessly on the same box and they work very well.

As previously said, stop the SMTP service.

There are a lot of config details you need to set to minimise the chances of being hacked. Some simple, some very complex. Your Exchange ones can be given here, check out the IIS forum for tips on tying that down too.

For best results sit the lot behind a hardware firewall...
 
JWilder,

If you have firedaemon running on your box and you did not install it, your box has been compromised and someone has complete control over it. Your box is completely hosed!!!!

It is now being used as a relay for pure evil!!!!


Take it offline ASAP.

look at
Also look for a service called SUD.EXE

The crackers exploit a weakness in IIS 4.0/5.0.
They can somehow set up a secondary FTP server. They then upload firedaemon, which gives them complete control of your box via VNC. SUD.EXE allows them to run processes as domain users without a valid password.

BAD STUFF!!!!!!!!!!!!!

Contact me offline if you want more info
dcd@pop.mainstreet.net



-Danny
 
abovebrd,

Thanks. I was a step ahead of you on the URL. I checked out firedaemon and also found other links that gave me the info I needed. I ran through my server, found and deleted all the necessary files. I also did a manual inspection and edit of the registry to shutdown the services starting on boot up. Now I'll keep an eye on it.

Upon my investigation, I did find a supposed 'security patch' from Microsoft :/. Now all I can do is wait. But firedaemon is no longer on my system whatsoever and I'm comfortable at the moment, but I'll watch it closely.

I just hope more info comes out soon about the 'kit' that is attacking IIS/Exchange boxes. From what I've found it's a recent exploit.

Jason Wilder
IT/CAD Manager
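
The manual registry inspection described in the post above can be scripted against an exported copy of the Services key. This is an added example, not part of the original thread: it parses a `.reg` export and lists services whose ImagePath points at the two file names mentioned here. The sample export, service names and paths are constructed.

```python
import re

# File names reported in this thread; matching is on the file name only.
SUSPECT = re.compile(r'(?:^|[\\/"])(firedaemon\.exe|sud\.exe)(?=$|["\s])', re.I)
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Constructed REGEDIT4 export; service names and paths are placeholders.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
"ImagePath"="C:\\WINNT\\System32\\inetsrv\\inetinfo.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc1]
"ImagePath"="\"C:\\constructed\\FireDaemon.exe\""
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc2]
"ImagePath"=hex(2):63,3a,5c,74,65,6d,70,5c,\
  73,75,64,2e,65,78,65,00
"Start"=dword:00000004
'''

def parse_services(reg_text):
    """Map each direct subkey of the Services key to its ImagePath and Start value."""
    utf16 = reg_text.lstrip().startswith("Windows Registry Editor")  # 5.00 format
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    services, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = re.match(r"\[.*\\Services\\([^\\\]]+)\]$", line, re.I)
            current = services.setdefault(key.group(1), {}) if key else None
        elif current is None:
            continue
        elif line.startswith('"ImagePath"=hex(2):'):  # REG_EXPAND_SZ as hex bytes
            raw = bytes.fromhex(line.split(":", 1)[1].replace(",", ""))
            current["ImagePath"] = raw.decode("utf-16-le" if utf16 else "latin-1").rstrip("\0")
        elif line.startswith('"ImagePath"="'):  # plain string: undo .reg escaping
            current["ImagePath"] = re.sub(r"\\(.)", r"\1", line.split("=", 1)[1][1:-1])
        elif line.startswith('"Start"=dword:'):
            current["Start"] = int(line.split(":", 1)[1], 16)
    return services

def flag_suspect_services(reg_text):
    """Return (service, image path, start type) for services running a listed file."""
    return [(name, v["ImagePath"], START_TYPES.get(v.get("Start"), "unknown"))
            for name, v in sorted(parse_services(reg_text).items())
            if SUSPECT.search(v.get("ImagePath", ""))]
```

A hit only shows that a service entry still references one of those files; it says nothing about what else was changed on the host.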
 
Please be careful,

These crackers put a backdoor on my system. They came right back in.

Did you find SUD.EXE running??

If so, you would have no idea what had been changed or executed remotely. This would be considered a total security compromise.

My box was a total loss!!

If firedaemon.exe was running on your box, it had been seriously compromised. I would consider a complete recovery. I do not think patching will be good enough.

Also, did you kill the IIS site that was added?



-Danny






 
Just a thought. Can you find the services required by firedaemon and set them to disabled? That way they can't reinstall them?

Would recommend ensuring your users and groups and your shares are tied down as much as possible - all the usual stuff like disabling guest accounts and so on.

I have found a password cracker which cracked half my company in 2 seconds....that worries me more than firedaemon!
 
Firedaemon should worry you, at least just a little. Complete remote control of your NT server and resources (that frightens me!!!). It gets better, because there is a utility that is part of the same kit called SUD.EXE. From what I have read, it allows a remote user to run any application or process as a domain user, only no password is needed.

Zelandakh, I would like to hear more about this password cracker. That frightens me as well.





-Danny






 