
Jim, ATM I have Exchange set to disallow outbound mail, just to be safe. I want to have something more than just a simple home-level NAT box before I allow anything more out, pending a full wipe and re-load. The damage done was to the box itself. The few pieces of email that needed to go out this weekend (seven or eight, I think) used my personal mail server as the outbound. Forgive me if I'm not making any sense, I've been burning the candle at both ends...

~Nick

-----Original Message-----
From: Jim Popovitch <yahoo@jimpop.com>
Sent: Jul 6, 2008 11:55 AM
To: nanog <nanog@nanog.org>
Subject: Re: tacid.org
On Sun, Jul 6, 2008 at 11:09 AM, Nick Shank <nick@laststop.net> wrote:
> After doing a bit of digging, it doesn't appear that any of the tacid.org IP space is blacklisted (one less battle I have to fight). Fortune 100? Nope. Just a small non-profit org in Tacoma, WA, that got their Exchange box rooted. I'm still trying to figure out the full extent of the damage done, but at this point, I believe 99.7% of the outbound mail is legit. In-bound is another story entirely, but that's my own private hell to deal with.
This in no way is a negative assumption on your skills. There is some important information missing from the above details. You wrote that your Exchange box was rooted, but you didn't indicate what you did to resolve that. I'm not looking for the details of what you did, just an overall statement about how you rectified it. You also indicate that you are still assessing the full extent of the damage, is that to the Exchange box or to the IP space?
Thanks,
-Jim P.

On Sun, Jul 6, 2008 at 3:55 PM, Nick Shank <nick@laststop.net> wrote:
> Jim, ATM I have Exchange set to disallow outbound mail

Hi Nick, I (personally) don't think that is enough. If the box was rooted, there could be bots (i.e. other processes) sending outbound email. Those processes could be persistent or periodic, and they could be additional services or sub-processes of known-good services. Further, the bots could be dynamically loaded via on-box applications (i.e. Internet Explorer, Firefox, etc.) You would need an off-box firewall to successfully block outbound SMTP connections. With most, if not all, rooted boxes there really is no safe way of securing it. Your best path forward is to (IMHO) buy a new hard drive and start from scratch, manually copying only known-good files to the new drive, preferably using an intermediate box to virus scan each moved file.

Best wishes,
-Jim P.
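Jim's point is that once a box is rooted, mail can leave it from any process, so the control has to sit off-box. As an added example that is not part of this thread, the script below checks egress-firewall connection records for internal hosts other than the approved relay opening SMTP sessions to the Internet; the log format, addresses and relay host are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# Assumptions for this example: the site's internal range and the one host
# (the on-site relay) that is allowed to open SMTP sessions to the Internet.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
APPROVED_RELAY = ipaddress.ip_address("192.168.10.25")
SMTP_PORTS = {25, 465, 587}

# Constructed egress-firewall log: "<ts> <proto> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
2008-07-06T11:55:01 TCP 192.168.10.25:51234 -> 203.0.113.9:25
2008-07-06T11:55:03 TCP 192.168.10.40:49152 -> 198.51.100.7:25
2008-07-06T11:55:04 TCP 192.168.10.40:49153 -> 198.51.100.8:25
2008-07-06T11:55:05 TCP 192.168.10.12:55001 -> 203.0.113.50:443
2008-07-06T11:55:09 TCP 192.168.10.40:49154 -> 192.168.10.25:25
2008-07-06T11:55:12 TCP 192.168.10.77:40001 -> 203.0.113.21:587
"""


def parse_line(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src_ip, _ = parts[2].rsplit(":", 1)
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return parts[0], parts[1], ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)


def unauthorized_smtp(log_text):
    """Internal hosts other than the relay opening SMTP to external addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        if proto != "TCP" or dport not in SMTP_PORTS:
            continue
        # Mail handed to the on-site relay is the sanctioned path; only sessions leaving the LAN count.
        if src not in INTERNAL_NET or dst in INTERNAL_NET or src == APPROVED_RELAY:
            continue
        hits.append((ts, str(src), str(dst), dport))
    return hits


def hosts_by_count(hits):
    """Offending hosts ranked by session count; many sessions suggest a spam process."""
    return Counter(src for _, src, _, _ in hits)
```

Run against a real egress log, the same check is what an off-box firewall rule (allow TCP/25 only from the relay, drop the rest) would enforce; here it only reports.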