-
TCP port help
Situation:
A new client of mine was hacked this weekend. Now their Exchange server is listening and responding to requests on port 1241.
Need:
I need to lock down this port so that it denies all requests. I want to do this from the Exchange server.
Does anyone know any tools or commands to lock down a specific port on a Win2000 machine?
Note: Nessus is not running on the server, and there are no unknown services running.
-
You need a firewall... a router or software - either way ports are opened on request and cannot be closed unless you have something to do it.
-
There is a PIX in there and it had all the ports closed other than 25, 80, 443, etc. The hacker came in through port 80 and ran a script on/through IIS that opened up FTP on the server and allowed FTP access via port 80. He then used FTP to run several apps on the server.
The end result: on every other Exchange server I service, when you run:
telnet xxx.xxx.xxx.xxx 1241
it returns a "Could not open a connection to host on port 1241 : Connect failed" message.
On this box that port is now open and accepting connections. I have shut off port 80 to prevent the hacker from exploiting OWA again. It seems that the IIS lockdown didn't stop him from coming right in.
It also appears that one of his goals was to open up the server for mail relay; he never got to finish since I unplugged the box when I got on site. I have no idea why 1241 was open or what his final goal was. I think that screwing with Exchange was just a smoke screen to distract me.