Jump to content

Company Email Hijacked


ShortCut
 Share

Recommended Posts

Since my main focus has always been hardware hacks and OS's this problem is a little outside my realm. Two days ago my boss complained that he had 1400 returned emails in his inbox. It seems that our email server may have been breached and somebody used it to send thousands of Chinese spam emails. Now our company has been put on the email blacklist and we are fighting to get this runaway train to stop.

The morning we discovered the issue, we immediately killed the sales@sybatech.com email address in Microsoft Exchange.

Any ideas?

Here's one of the headers (I also attached a saved copy of the email):

Received: from mail.sybatech.com (unknown [173.165.112.213])

by mx16 (Coremail) with SMTP id QsCowECJHVc7AgRQjXUuBg--.993S2;

Mon, 16 Jul 2012 19:59:56 +0800 (CST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by mail.sybatech.com (Postfix) with ESMTP

id 994A82A8100; Mon, 16 Jul 2012 06:59:52 -0500 (CDT)

Received: from mail.sybatech.com ([127.0.0.1])

by localhost (emailserver [127.0.0.1]) (amavisd-new, port 10024) with LMTP

id 07050-01-5; Mon, 16 Jul 2012 06:59:33 -0500 (CDT)

Received: from hvwkns (unknown [42.49.128.155])

by mail.sybatech.com (Postfix) with ESMTP

id 0C08C2A80FD; Mon, 16 Jul 2012 06:59:22 -0500 (CDT)

Message-ID: <20120716200750226845@sybatech.com>

From: =?utf-8?B?5r2Y5a6B5aiF?= <sales@sybatech.com>

To: <gusuhang@163.com>

Subject: =?utf-8?B?5pyJ5pWI6LCDeuWyl+iwg3XolqrlkozkvIFx5Lia5bi46KeB5YqzZuWKqOS6iWrorq4=?=

=?utf-8?B?5aSE55CG5a+5c+etlu+8gQ==?=

Date: Mon, 16 Jul 2012 20:07:45 +0800

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0E37_01A48561.19A8AAF0"

X-mailer: Thfifmdkl 2

X-Virus-Scanned: by ClamAV 0.83

X-CM-TRANSID: QsCowECJHVc7AgRQjXUuBg--.993S2

X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73

VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxUVk9NUUUUU

Edited by Shortcut
Link to comment
Share on other sites

First off 42.49.128.155 is the chinese address.

IP Information for 42.49.128.155 IP Location: China Changsha China Unicom Hunan Province Network

ASN: AS4837

IP Address: 42.49.128.155

42.0.0.0/8

Block their subnet for starters so they can't reach you, but doubt that will stop the attacks, they could just come back via proxy or even backdoor if they rooted any of the servers. If they already got in to send the emails,most likely a breach somewhere has taken place, and full investigation of your entire network needs to be done. Possibly even a full blown penetration test.

If mail.sybatech.com is your real system, make sure no one can abuse sendmail as well. Most attacks are done like this becuase no one bothers to lock down sendmail. I know you mentioned using Exchange, but if its open on the web side, people could be abusing it with automated spam bots.

If this is also your site: 173.165.112.213 look into Sugar CRM. I think theres some vulns for it, they could have pivoted off it to the inner network.

Edited by digip
Link to comment
Share on other sites

There's a possibility your mail server could be infected, I'd also look into enabling SPF in your mail server to prevent further spamming.

http://en.wikipedia.org/wiki/Sender_Policy_Framework

Link to comment
Share on other sites

This may be an overlooked thing. But make sure open-relay is disabled on your mail server.

Good point, but if the mail server has indeed been compromised, the attackers could have enabled "open relay".

Edited by Infiltrator
Link to comment
Share on other sites

Appreciate all the input and thoughts. I understand the basics of networking, but right now I'm in the middle of mastering (if anyone actually can) SQL Server and have little time for much else.

Spitz

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...