Anatomy of a hack: mail server

Today I’ve been fixing a problem with my mail server after someone “hacked” (cracked) it. I’m reconstructing the chain of events as best I can, but the causality wasn’t obvious at the time.

Background: this machine is running Windows Server 2003 SP1 with Exchange Server 2003 SP2.

A few weeks ago, someone gained unauthorised access to the server over the internet. I’m not sure how exactly, but I suspect that they used a buffer overflow in IIS (since the server runs OWA). The server is up to date with all the relevant security patches, so that shouldn’t be possible, but something obviously went wrong.

Continue reading “Anatomy of a hack: mail server”

Firewall blacklist

One of my current projects is configuring ISA 2004 as a firewall. Without wanting to get sidetracked into advocacy debates, all I’ll say is that:
a) It’s a lot better than ISA 2000.
b) It’s annoying that it doesn’t support more than one internet connection, so hopefully they’ll fix that in ISA 2006.

Anyway, today I got hold of some blacklists (i.e. a long list of dodgy websites), and set up rules to block them. While I generally think that enumerating badness is a doomed endeavour, enumerating goodness is a bit tricky for websites, so this seems like a reasonable step (in conjunction with other rules). So, once I’d imported these lists, I then tested them, by trying to access the blocked websites on my PC. This is where typos can cause problems…

Me: “Let’s see, http://www.killerporn.com/ … aargh!”
Server: “Tum te tum, I’m blocking http://www.killerpornstars.com/ as ordered.”
Me: “Ok, let’s add this site to the list as well, then try that again…”

Similar problems occured with the various permutations of “0Adult-manga.com”. So, when the report gets run tonight, my traffic may look a bit dodgy tomorrow. In the sense of “My eyeballs are bleeding!”

Ah well, it’s a living.

(Just to state the obvious, I don’t recommend following those links, especially if you’re at work!)