From: H C (keydet89yahoo.com)
Date: Mon Jun 10 2002 - 14:48:18 CDT

    Don't forget...there's also anonymous enumeration via
    LDAP...port 389...

    --- Kit <kitsmallfoxx.com> wrote:
    >
    > For the user enumeration, they could be using
    > NetBIOS or SMB to determine
    > who is actively logged into the machines if those
    > ports are not being
    > blocked. The first thing to do on this is to make
    > sure you block all
    > transmissions to and from TCP&UDP 135, UDP 137, UDP
    > 138, TCP 139, and
    > TCP&UDP 445 at the firewall unless you know you
    > absolutely need them (only
    > would be used if you were doing LanMan or NTLM
    > authentication across the
    > Internet). Also, they could be using LDAP, so
    > disable TCP&UDP 389 at the
    > firewall as well unless you have someone doing
    > queries against your
    > directory on purpose.
    >
    > As for finding out who is sending the e-mails, a lot
    > of bounced messages
    > will include the original message as an attachment.
    > In this case, look at
    > the header information of the message to find out
    > where it's being sent from.
    > Someone may be attempting to use your system as a
    > relay. However, there are
    > some viruses out now which will spoof source
    > addresses and it could simply
    > be that someone your user knows is infected and
    > sending out these falsified
    > e-mails and your user is getting the bounces. If
    > you're worried about
    > someone spamming via your SMTP server, there are
    > some MS Knowledge Base
    > articles about how to secure your system from
    > relaying; take a look there.
    >
    > -K
    >
    > -----Original Message-----
    > From: Edward Cheong
    > [mailto:ed.cheongoahucomputers.com]
    > Sent: Friday, June 07, 2002 3:04 PM
    > To: focus-mssecurityfocus.com
    > Subject: Re: MS Exchange Server 5.5/ NT User Name
    > Harvesting ?
    >
    >
    > In-Reply-To:
    > <20020607163318.12672.qmailmail.securityfocus.com>
    >
    > Hi,
    >
    > I am experiencing the same problem. How did you
    > determine that the
    > attackers are trying to use your exchange server as
    > a spam relay? What
    > signs do you look for (our user has received
    > auto-response replies from a
    > person she has never sent mail to, but apparently
    > received a spam message
    > from our user). Could spam be relayed from our mail
    > server using a
    > particular user as the sender? What other ways are
    > there to find out
    > information about the users (other than with the
    > Watchguard firewall)?
    >
    > Thank you very much
    >
    > >
    > >Hello,
    > >
    > >I work for a small company with about 100 computers
    > on our network. Our
    > >lone server is running on NT with all the latest
    > hotfixes, service packs,
    > >etc. Our mail server is MS Exchange 5.5, also with
    > all the latest
    > >hotfixes and service packs installed. Due to
    > budgetary constraints
    > >upgrading to newer software is not an option here.
    > >
    > >The problem we're having is that every time one of
    > our employees keeps
    > >his/her computer logged on overnight, crackers are
    > able to harvest the
    > >username and they then proceed to run cracking
    > attempts on it all night.
    > >
    > >From the security logs it looks like they are
    > trying to use our mail
    > >server as a spam relay. The only thing that's
    > really stopping them is we
    > >have all user accounts locked out from 5pm-7am.
    > But we really don't know
    > >what's going on during business hours.
    > >
    > >We have a Watchguard firewall up and running and
    > it's provided us with
    > >a lot
    > >of information, including the cracker's IP
    > addresses, but we would really
    > >like to know how to stop them from harvesting our
    > Usernames.
    > >
    > >The usernames are not guessable, the only common
    > thread that all the
    > >usernames the crackers have harvested have is the
    > fact that the Employee
    > >left his/her computer on all night and logged into
    > the network.
    > >
    > >Any suggestions would be most appreciated.
    > >
    > >Thanks
    > >
    >
    >

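The quoted advice above is to open the bounce, find the original message attached to it, and read its headers. As an added example that is not from anyone in this thread, the following Python script does that triage: it pulls the message/rfc822 part out of a DSN, walks the original's Received: chain in delivery order, and reports whether the spam entered our server from an outside address (we were used as a relay), left from an internal address (a machine on our own LAN sent it), or never touched our server at all (our user's address was simply forged). The host names mail.example.com and mx.example.com, the internal address ranges, and both sample bounces are constructed assumptions for illustration.

```python
"""Triage a bounce (DSN) that carries the spam as a message/rfc822 attachment.
Added example; host names, address ranges and the sample bounces are constructed."""
import email
import ipaddress
import re
from email import policy

# Assumed: the hosts we operate (the Exchange server and the MX in front of it).
OUR_HOSTS = {"mail.example.com", "mx.example.com"}
# Assumed: address space we treat as internal; everything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# "from <host> ... by <host>" inside one Received: header; the first bracketed IPv4
# address in that span is the address the receiving MTA saw the hop come from.
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>[\w.\-]+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample 1: spam injected from outside into our server, which relayed it.
RELAYED_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: jdoe@example.com
Subject: Undeliverable: Cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following message could not be delivered.

--B1
Content-Type: message/rfc822

Received: from mail.example.com (mail.example.com [198.51.100.5])
    by mx.example.net with ESMTP id abc123 for <nobody@example.net>;
    Fri, 07 Jun 2002 15:01:02 -0500
Received: from [203.0.113.77] (unknown [203.0.113.77])
    by mail.example.com with SMTP id xyz789; Fri, 07 Jun 2002 14:59:40 -0500
From: jdoe@example.com
To: nobody@example.net
Subject: Cheap meds

buy now
--B1--
"""

# Constructed sample 2: spam sent directly by an outside host with our user forged as sender.
FORGED_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: jdoe@example.com
Subject: Undeliverable: Cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: message/rfc822

Received: from mail.spammer.invalid (unknown [203.0.113.9])
    by mx.example.net with ESMTP id def456; Fri, 07 Jun 2002 15:03:10 -0500
From: jdoe@example.com
To: nobody@example.net
Subject: Cheap meds

buy now
--B2--
"""


def is_internal(ip):
    """True when ip lies inside INTERNAL_NETS; malformed strings count as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_received(value):
    """Reduce one Received: header to sending host, its IP and the receiving host."""
    text = " ".join(str(value).split())          # collapse header folding
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = IP_RE.search(text, m.start(), m.end())
    return {"from": m.group("from"), "ip": ip.group(1) if ip else None,
            "by": m.group("by").rstrip(".").lower()}


def extract_original(raw_bounce):
    """Return the bounced original (message/rfc822 part) or None if the DSN lacks one."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def analyse_bounce(raw_bounce):
    """Classify the bounced message by walking its Received: chain in delivery order."""
    original = extract_original(raw_bounce)
    if original is None:
        return {"verdict": "no-original", "entry_ip": None, "hops": [], "sender": None}
    hops = [h for h in map(parse_received, original.get_all("Received", [])) if h]
    hops.reverse()          # MTAs prepend Received:, so the last header is the first hop
    result = {"verdict": "forged-sender", "entry_ip": None, "hops": hops,
              "sender": str(original["From"])}
    for hop in hops:
        if hop["by"] in OUR_HOSTS:      # first point where our own MTA handled the message
            result["entry_ip"] = hop["ip"]
            result["verdict"] = ("sent-from-inside" if hop["ip"] and is_internal(hop["ip"])
                                 else "relayed-through-us")
            break
    return result


if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED_BOUNCE), ("forged", FORGED_BOUNCE)):
        r = analyse_bounce(raw)
        print(f"{name}: verdict={r['verdict']} entry_ip={r['entry_ip']} sender={r['sender']}")
        for hop in r["hops"]:
            print(f"    {hop['from']} [{hop['ip']}] -> {hop['by']}")
```

Only the Received: lines written by your own MTA can be trusted; anything below them was supplied by whoever injected the message and may be fabricated. The useful output is therefore the entry IP on the first hop "by" one of OUR_HOSTS, which can be matched against the firewall's connection logs for port 25 at that timestamp. A "forged-sender" verdict means the fix is not on your server at all: nothing you do to relaying will stop a third party from putting your user's address in the From: line.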