January 13, 2004 12:00 AM

Malicious Hackers and Spam, Part 2

Windows IT Pro
InstantDoc ID #41456

If you recall from last month's article "Malicious Hackers and Spam, Part 1" (http://www.winnetmag.com/article/articleid/41094/41094.html), a client was having a backup problem and poor server performance. I discovered that a spammer was using the client's server to relay spam. Although the server wasn't an open relay, the spammer was somehow authenticating to the server to send messages.

My first concern was to prevent the spammer from sending more messages. I disconnected the firewall from the Internet and deleted all the sessions. I tried to use the Exchange System Manager (ESM) to delete the messages from the queues, but the process was taking a long time. I stopped all the Exchange services, opened a command prompt, and deleted the messages from the directory D:\exchsrvr\mailroot\vsi 1\queue. Stopping the Exchange services greatly improved the server performance, but more than 10,000 messages were waiting in various queues, so even using the command prompt to delete the messages took more than an hour. I changed all the passwords for every user on the network.

I also looked at the bad mail directory in D:\exchsrvr\mailroot\vsi 1\badmail. The directory contained so many messages that I couldn't even view the number of files in the directory. I used a command prompt to delete all the files, which took approximately 8 hours. I then created a rule on the firewall to deny traffic from the IP ranges from which the spam originated. After making these changes, I reconnected the firewall to the Internet and monitored the server. Fortunately, the spam connection didn't reappear.

This particular network had a couple of remote sites running VPN tunnels. I had originally suggested that the client company use "mini" firewalls to protect the remote users and perform the VPN encryption, but the client decided to use mobile clients instead to save money. However, the spam incident convinced the client to purchase the firewalls to protect the remote connections.
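The two actions above, resetting the accounts the spammer authenticated with and denying the IP ranges the spam came from, both start from the SMTP protocol logs. The following script is an added example and is not from the article or from Exchange itself: it assumes a simplified W3C-style log with the fields named in the `#Fields:` line (real IIS/Exchange 2000 SMTP logs carry more columns, so adjust the field names), and the sample log lines, addresses, internal networks and account name are constructed. It separates hosts that authenticated and then submitted mail (the relay abuse the article describes) from hosts that were simply refused at RCPT (the "not an open relay" case), lists the accounts to reset, and collapses the abusing hosts into /24 ranges for a firewall deny rule.

```python
"""Summarise SMTP protocol-log lines by client IP to find an abused relay.

Added example, not from the Windows IT Pro article. The log layout is a
constructed, simplified W3C-style format; the addresses, networks and
account name below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space the firewall treats as "inside" (hypothetical for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: one internal user sending normally, two outside hosts that
# authenticate with that user's stolen account and submit mail, and one outside
# host that tries to relay without authenticating and is refused at RCPT.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method sc-status
2004-01-10 02:11:05 10.0.0.25 DOMAIN\\jsmith MAIL 250
2004-01-10 02:11:06 10.0.0.25 DOMAIN\\jsmith RCPT 250
2004-01-10 02:11:07 10.0.0.25 DOMAIN\\jsmith DATA 250
2004-01-10 03:00:01 203.0.113.17 DOMAIN\\jsmith AUTH 235
2004-01-10 03:00:02 203.0.113.17 DOMAIN\\jsmith MAIL 250
2004-01-10 03:00:02 203.0.113.17 DOMAIN\\jsmith RCPT 250
2004-01-10 03:00:03 203.0.113.17 DOMAIN\\jsmith MAIL 250
2004-01-10 03:00:03 203.0.113.17 DOMAIN\\jsmith RCPT 250
2004-01-10 03:05:44 203.0.113.90 DOMAIN\\jsmith AUTH 235
2004-01-10 03:05:45 203.0.113.90 DOMAIN\\jsmith MAIL 250
2004-01-10 03:05:46 203.0.113.90 DOMAIN\\jsmith RCPT 550
2004-01-10 03:06:00 198.51.100.8 - MAIL 250
2004-01-10 03:06:01 198.51.100.8 - RCPT 550
"""


def parse_log(text):
    """Parse W3C-style log text using its '#Fields:' directive; returns a list of dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines instead of aborting the whole run
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarise(records):
    """Per client IP: successful AUTHs, accepted MAIL commands, rejected RCPTs, users seen."""
    summary = defaultdict(lambda: {"auth": 0, "mail": 0, "rcpt_rejected": 0, "users": set()})
    for r in records:
        s = summary[r["c-ip"]]
        method, status = r["cs-method"], r["sc-status"]
        if method == "AUTH" and status == "235":
            s["auth"] += 1
        elif method == "MAIL" and status == "250":
            s["mail"] += 1
        elif method == "RCPT" and status == "550":
            s["rcpt_rejected"] += 1
        if r["cs-username"] != "-":
            s["users"].add(r["cs-username"])
    return summary


def find_abused_auth(summary, min_mail=1):
    """External hosts that authenticated and then submitted at least min_mail messages."""
    return sorted(ip for ip, s in summary.items()
                  if not is_internal(ip) and s["auth"] > 0 and s["mail"] >= min_mail)


def compromised_accounts(summary, abusers):
    """Accounts used from the abusing hosts: the ones whose passwords must be changed."""
    accounts = set()
    for ip in abusers:
        accounts |= summary[ip]["users"]
    return sorted(accounts)


def deny_ranges(ips, prefixlen=24):
    """Collapse abusing hosts into /prefixlen networks for a firewall deny rule."""
    nets = {ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summ = summarise(recs)
    abusers = find_abused_auth(summ)
    print("abusing hosts:", abusers)
    print("accounts to reset:", compromised_accounts(summ, abusers))
    print("firewall deny ranges:", deny_ranges(abusers))
```

On the constructed sample, 198.51.100.8 never shows up as an abuser even though it issued MAIL: it had no successful AUTH and its RCPT was refused, which is what a closed relay is supposed to do. The two 203.0.113.x hosts did authenticate, so the account they used goes on the reset list and their /24 goes on the deny list; raise `min_mail` to ignore single-message noise.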
When I went to one of the remote sites to install the firewall, I discovered that intruders had hacked the remote machine. The machine had the following hacking programs installed:
• Bat.mumu.A.worm
• Hacktool
• W32.valla.2048
• w32.HLLW.lovegate.J@mm
• Bat.Boohoo.worm
• MSBlast

This computer was left running all the time, with the tunnel active. It was just a matter of time before intruders attacked, which is why I always recommend that remote clients sit behind a firewall, especially if they use a broadband connection. If you must use a mobile VPN client, make sure that users turn off the computer when they're not using it and that they disable the tunnel if they don't need access to the corporate network.

I rebuilt the workstation and placed the workstation behind a firewall. Whenever a computer is compromised, the only way to ensure that you've removed all the vulnerabilities is to format the hard disk and reinstall the OS. It's easy to overlook a hacker program and let the intruder regain control of the machine. By rebuilding the machine, you know you've removed all the hacker tools. When reinstalling the OS, don't forget the latest service pack and critical patches. Fortunately for this client, the intruder wanted to use the server only for spam; the intruder could have caused a lot more damage.

My consulting firm has experienced a disturbing amount of hacking activity over the past few months. To keep your networks safe, make sure all your computers are up-to-date with the latest service packs and critical updates and that all your firewalls have the latest patches. If you have remote sites with mobile tunnels and broadband connections, consider installing a firewall, or at the very least, train users to turn off their computers when not in use. Also, make sure users know how to deactivate the tunnel when they're not connecting to the corporate network. The arms race has begun. This situation will get worse over time, not better. Make sure you have the proper countermeasures to protect your network.

Tip
Have you ever wondered where an IP address comes from? To determine the source, you can run a Tracert if the IP address is active. Another good resource for determining an IP address source is the Internet Assigned Numbers Authority (http://www.iana.org/ipaddress/ip-addresses.htm). This site contains links to worldwide sources that let you look up the ISP that has been assigned a block of IP addresses. This information is helpful when you're tracking down an IP address, in the event of a hack or other inappropriate use of the Internet. You need to take the IP address with a grain of salt because the hacker will often spoof the IP address of the attack or compromise a machine and launch the attack from an infected machine, but the source IP address is a good place to start.

Comments
  • Adrian
    8 years ago
    Jan 22, 2004

    8 hours to delete all messages! Wow! How many of them were there? On my Linux I throw out 30 thousand files/minute! But as I suppose Microsoft's Wonders of The World are a bit... other :-)

  • LEE
    8 years ago
    Jan 13, 2004

    Just curious, but how do you find out which IP address the spam was coming from?

  • C. Frank Bernard
    8 years ago
    Jan 13, 2004

    I *believe* you can save a lot of time by using Windows Explorer to delete (perhaps you have to permanently delete) the subfolder containing all the messages and then just add the subfolder later.

    Also, I think a better place to start to see who "owns" a particular IP address is the American Registry for Internet Numbers. It will direct you to the other registries (such as RIPE and APNIC) if the IP address is registered outside of ARIN's scope.
    http://www.arin.net/

  • Mike
    8 years ago
    Jan 13, 2004

    Very interesting article. I would appreciate more reference links so I can drill down for more information. For example, what program/method did the author use to find the hacking programs on the remote machine?

  • Phil Leinhauser
    8 years ago
    Jan 13, 2004

    WAY TO GO!!! I have a client that is having the exact same problem. They were on Exchange 5.5 and I just upgraded them to 2000. They were being relayed through but needed the upgrade anyhow. I figured the upgrade would give me better tools to kill the relay. The tools were a bit better but the relay persisted. I looked up every KB article and searched endlessly for closing this open relay. Even though, the relay police (ORDBS, etc) said it was NOT a relay. I have been very suspicious of it being an inside job. Now I'll send the client on a seek and destroy mission in the remote locations and on local machines.
