
All of my Exchange 2010 services are stopped and disabled. Have I been hacked?

Recently Microsoft released Exchange 2010 Service Pack 1 Rollup 7; unfortunately this software was not tested. We have had multiple clients experience issues. To resolve the problem, follow the steps below or contact N2 Network Solutions.
Time and Material – 10.12.12 – Exchange down
1. Set all Exchange services to the default startup type listed here:
http://technet.microsoft.com/en-us/library/ee423542.aspx
2. Check/set the World Wide Web Publishing Service startup type to Automatic.
3. Check/set the IIS Admin Service startup type to Automatic.
4. Check/set the Windows Management Instrumentation service startup type to Automatic.
5. Check/set the Remote Registry service startup type to Automatic.
6. Restart the server (starting the services by hand did not seem to work properly).
7. Check the System event log for a DistributedCOM 10016 error.
Should it appear, find out which service is causing the problem by looking up HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID from the log} (most likely IIS Admin Service). Then open Component Services -> DCOM Config -> IIS Admin Service -> Properties and grant Local Launch permission to the user named in the log (in my case IIS APPPOOL\DefaultAppPool; just click Add, paste the whole IIS APPPOOL\DefaultAppPool and click Check Names). Restart the server. This should handle the DCOM problem.
8. You should now be able to open the Exchange Management Console.
9. Check whether OWA works, or in fact whether any of the IIS virtual directories work (in my case IIS was running but returning error 500). If not, use this guide: Reset Client Access Virtual Directories.

My Linux Asterisk server is getting hacked!

After seeing numerous log entries of attempts to hack my Linux box, I decided it was time to learn how to implement iptables for security.
A copy of the log file can be found here: log-file.
The way I can tell I’m being attacked is by opening my /var/log/messages file, which you can see in its entirety below. I see what appears to be a brute-force SSH attack, and I can see the attacker’s IP is 211.151.64.106. If I do an ARIN lookup on this IP I see the network is in Asia and the ISP owns 210.0.0.0 – 211.255.255.255. Luckily for me I don’t need anyone in Asia accessing my box, so I’m going to block this entire network.

The first thing I need to do is verify that iptables is installed, by typing:
iptables

The output I get is below; this is good, as it means iptables is already installed:
Try `iptables -h' or 'iptables --help' for more information.
Next thing I need to do is list my current iptables rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

You can see from this output that I have absolutely no rules configured.
Next I’m going to add my rules to block the IP that is attacking my machine:
iptables -A INPUT -s 210.1.1.1/8 -j DROP
iptables -A INPUT -s 211.1.1.1/8 -j DROP
iptables -A INPUT -s 212.1.1.1/8 -j DROP

These are actually entire subnets that I’m blocking, because they’re registered in Asia and my server doesn’t need to communicate with this ISP anyway.
The next thing I’m going to do is save my active iptables rules to my startup configuration, so that these rules load when my server reboots:
/etc/init.d/iptables save active
The next thing I’m going to do is reboot my server and verify these rules still exist:
shutdown -r now
Once the PC is back online I verify my rules:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 210.0.0.0/8 anywhere
DROP all -- 211.0.0.0/8 anywhere
DROP all -- 212.0.0.0/8 anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

You can see now that I have 3 active rules, which will block all incoming communication from these three /8 networks.
Now don’t get me wrong, I’m no Unix expert, and I’m sure there is a way to combine all of these into one, but I don’t feel like trying to figure out what it is right now. So this should get the job done.
If you want to delete any one of these rules, you can type the following, respectively:
iptables -D INPUT 1
iptables -D INPUT 2
iptables -D INPUT 3

These three commands will delete the first, second and third entries I’ve made. Note that iptables renumbers the remaining rules after each deletion, so to remove all three in one go you would run iptables -D INPUT 1 three times, or list the rules again before deleting the next one.
After going through my log file and blocking all these IPs, I noticed a trend: they are all registered to foreign countries. Luckily for me my voice server doesn’t need to communicate with these countries, so I’ve decided to block all traffic from the Asian continent. You can do the same by copying and pasting the code here:
iptable-entry-syntax1 
A note on this: if you decide you want to start over from scratch, you can reset the policies and delete all of your rules and chains by typing:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X

My next step is to monitor my /var/log/messages in real time for a while, to make sure I’m not still getting attacked. I can do this by typing the following:
tail -f /var/log/messages
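As an added example (not part of the original post), here is a small shell script that does the log review described above automatically: it counts sshd "Failed password" entries per source address in syslog-format text such as /var/log/messages and prints DROP rules, like the ones added above, for any source over a threshold. The log lines are constructed samples that reuse the attacker address from the post, and the function names are my own.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source IP in syslog-style
# messages (the /var/log/messages format the post tails) and flag sources
# that exceed a threshold. The log lines below are constructed samples.

SAMPLE_LOG=$(cat <<'EOF'
Oct 12 03:14:01 pbx sshd[2211]: Failed password for invalid user admin from 211.151.64.106 port 43122 ssh2
Oct 12 03:14:03 pbx sshd[2213]: Failed password for invalid user oracle from 211.151.64.106 port 43190 ssh2
Oct 12 03:14:05 pbx sshd[2215]: Failed password for root from 211.151.64.106 port 43244 ssh2
Oct 12 03:14:09 pbx sshd[2217]: Failed password for invalid user test from 211.151.64.106 port 43301 ssh2
Oct 12 03:20:44 pbx sshd[2260]: Failed password for bob from 192.168.1.20 port 51002 ssh2
Oct 12 03:21:02 pbx sshd[2262]: Accepted password for bob from 192.168.1.20 port 51004 ssh2
EOF
)

# Print "count ip" for every source with at least $2 failed logins,
# reading log text from the file $1 (use /var/log/messages on a live box).
failed_logins_over() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
    ' "$1" | sort -rn
}

# Turn the flagged sources into iptables DROP rules, printed as text so the
# operator can review them before running them (the post adds them by hand).
drop_rules_for() {
    failed_logins_over "$1" "$2" | awk '{ printf "iptables -A INPUT -s %s -j DROP\n", $2 }'
}

# Stand-alone run against the constructed sample: sources with 3+ failures.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
failed_logins_over "$tmp" 3
drop_rules_for "$tmp" 3
rm -f "$tmp"
```

A single legitimate typo (bob's one failed login) stays below the threshold, which is the point of counting rather than blocking on the first failure.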