June 29 2012

When do you need to rethink your external services? SMTP, POP3, webmail, Remote Desktop, IIS on port 80: when you have many services running on a single box and do not keep those services updated, you end up with a security-in-reverse system. The key to identifying that this system was not managed correctly was that the IIS server was set up with their old website. This server was retired and repurposed, in my opinion, and not updated. Like an SBS 2003 system after DCPromo, you need to stop the updates if on the same network, which would mean this missed the 3-15 exploit update.

Signs of Security in Reverse: Case 129 ITR-03152012

This example is of a simple port scan over an IP address range.

We can speculate about what this server was looking for, but that is not really why the information is posted here.

The issue is clearly a Security in Reverse issue: the only service confirmed to be in use on this server was SMTP, and MS Exchange is the software actually running it.

The IT person was notified of the issue, and this was reported before the RDP exploit, if I recall. The issue was labeled as Zeus by me on 3-16 after reviewing logs; not that it was related to Zeus, but I need to catalog items and then review them in detail later. This case was dropped after no attempt was made to secure port 3389.

I'll have more about this in the training section referencing this network.

The 3-15-2012 findings were retested on 6-28-2012, and no changes to the external ports or services had been made. This offers me the opportunity to say that port 3389 should never be used, and if you run RemoteFX you might need to dig deep to change the default from 3389 to something less common.

Issues noted:

  • RDP Port 3389
  • HTTP Port 80 (IIS Abandoned but active)
  • HTTPS Port 443 (IIS Abandoned but active)
  • FTP Port 21 (basic authentication)

The issue from the notes is that this system is a primary POP server running MS Exchange. The mail.x address offers services on ports 80, 443 and 21, which means the IIS server is enabled and might be used for the Remote Web Workplace software in SharePoint or Exchange's webmail services. Port 3389 being open might come from the Remote Web Workplace settings, which should be changed. In any case, this being a public server, access to those services should be restricted. I find it easier to change port assignments and configure firewalls differently than to fight with deeper settings.

Disable any services you do not need. Schedule access times and inform your customer that after midnight the only people online are those downloading, researching or writing about research.

4 open ports:
PTR 9x-x7x-xx9-x6 mail.smtp . com 24 hrs

  25 smtp Success 31 ms
  80 http Success 31 ms
  443 https Success 31 ms
  3389 remote desktop Success 31 ms
Our firewall triggered a block status on your email server attempting to connect.
Below is a copy of our firewall logs.


2012-03-15 16:23:21 , Denied, policy=Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.176, rc=101, pckt_len=60
2012-03-15 16:23:21 Denied Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.177
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.180
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 ip scan=Deny, icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 blocked sites, =Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.182
2012-03-15 16:23:21 blocked sites, =Deny,protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.183
2012-03-15 16:23:21 blocked sites, Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.184
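As an added example (not part of the original post), here is a small Python script that parses the firewall lines above, tolerating their line-to-line differences in layout, and flags a source that reaches several distinct destinations inside a short window, which is what an ICMP sweep across an address range looks like in a denied-traffic log. The eight sample lines are copied from this post; the four-target threshold and 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the eight denied-ICMP lines from this post, layout varies per line.
SAMPLE_LOG = """\
2012-03-15 16:23:21 , Denied, policy=Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.176, rc=101, pckt_len=60
2012-03-15 16:23:21 Denied Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.177
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.180
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 ip scan=Deny, icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 blocked sites, =Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.182
2012-03-15 16:23:21 blocked sites, =Deny,protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.183
2012-03-15 16:23:21 blocked sites, Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.184
"""

# Only the fields every line agrees on are required: timestamp, src_ip=, dst_ip=.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
                     r"src_ip=(?P<src>[^,\s]+).*?dst_ip=(?P<dst>[^,\s]+)")
PROTO_RE = re.compile(r"\b(icmp|tcp|udp)\b", re.IGNORECASE)  # "protocol=" is sometimes absent

def parse_line(line):
    """Return (timestamp, src, dst, proto), or None if the line has no src/dst pair."""
    m = LINE_RE.search(line)
    if not m:
        return None
    p = PROTO_RE.search(line)
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"],
            p.group(1).lower() if p else "unknown")

def find_sweeps(log_text, min_targets=4, window=timedelta(seconds=60)):
    """Flag sources whose denied packets reach >= min_targets distinct destinations within
    any span of length `window` (assumed thresholds). Returns {src: (max targets, protos)}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec)
    sweeps = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        best = 0
        for i, (t0, _, _, _) in enumerate(recs):
            # distinct destinations hit in the window opening at this event
            targets = {r[2] for r in recs[i:] if r[0] - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            sweeps[src] = (best, {r[3] for r in recs})
    return sweeps
```

Run `find_sweeps(SAMPLE_LOG)` to get the single scanning source with the seven distinct hosts it touched; the same function can be fed a full day's export of denied lines.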
