
It looks like someone or something is trying to hack our Exchange.

Exchange Server Transport Protocol Logs:

[screenshot of the protocol log excerpt; image not reproduced]

It appears the internet-facing IP on the firewall has not been locked down correctly, so it is open to all internet traffic (the network team will double-check it).

It looks to me like someone is running an SMTP AUTH attack against us, correct?

I don't understand why, after the AUTH LOGIN command, I see the 334 and not the Base64-encoded user and password?

I'm fairly new to security.

Any help is highly appreciated.

Best Regards

Adam

cyzczy

1 Answer


It looks to me like someone is running an SMTP AUTH attack against us, correct?

What you see in the logs is a failed login attempt. You might have to find out yourself whether that came from one of your employees or a possible attacker.

I don't understand why, after the AUTH LOGIN command, I see the 334 and not the Base64-encoded user and password?

The code 334 just indicates that a response is following. Your server intentionally excluded the credentials from the log file. That is a common practice, as explained here. Just imagine a hacker getting access to the logs and finding all your employees' failed login attempts along with their passwords, only slightly mistyped.

Arminius
  • Thank you @Arminius for your response! "Your server did intentionally exclude credentials from the log file." Do I have to enable it first, or is it already implemented as a best-practice feature? Also, would you say that our Exchange is likely being attacked? – cyzczy Jan 12 '16 at 11:38
  • @adamv6 I think Exchange does this by default. – Arminius Jan 12 '16 at 11:41
  • I was just wondering, because even though our Exchange Server needs to be protected, I cannot disconnect it completely; I mean, certain ports have to be open, right? The failed attempts, aren't they something "normal" to see? It looks to me like maybe spammers are trying to authenticate in order to relay mail through our mail server? But they try to authenticate with users like editor, root, postfix; those are certainly non-Exchange/AD users, so how can they assume that they will authenticate anyway? – cyzczy Jan 14 '16 at 14:43
  • I think you're right that these failed attempts probably come from spam bots. They just try random/default credentials and common passwords against a wider IP range and hope to be lucky somewhere. This will not necessarily make sense in the logs. I don't have further experience with Exchange to give specific advice on which additional measures you could take against these attacks. – Arminius Jan 14 '16 at 15:52
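As an added illustration (not part of this thread, and not Exchange's or Microsoft's code), the following Python models the AUTH LOGIN exchange that produces the 334 lines the question asks about, shows why a log-writing server keeps the 334 replies but drops the client's base64 answers, and then does the defender's follow-up from the comments: counting "535 5.7.3 Authentication unsuccessful" replies per source IP so that a burst of failures from one address stands out from an employee's single typo. The log records are constructed; only the `#Fields:` column layout is the one Exchange writes at the top of a receive-connector protocol log. The IPs, session ids, connector name, timings and the `<credential redacted>` placeholder wording are assumptions for the example.

```python
import base64
import csv
from collections import Counter
from io import StringIO


def b64(text):
    """Base64-encode a string the way AUTH LOGIN carries its prompts and answers."""
    return base64.b64encode(text.encode()).decode()


def auth_login_dialogue(username, password, authenticate):
    """Model the AUTH LOGIN exchange as (direction, line) pairs: 'C' client->server,
    'S' server->client. `authenticate(user, pw)` stands in for the directory lookup."""
    turns = [
        ("C", "AUTH LOGIN"),
        ("S", "334 " + b64("Username:")),  # 334 = continuation: "send the next piece"
        ("C", b64(username)),               # the line a careful server never logs
        ("S", "334 " + b64("Password:")),
        ("C", b64(password)),               # nor this one
    ]
    if authenticate(username, password):
        turns.append(("S", "235 2.7.0 Authentication successful"))
    else:
        turns.append(("S", "535 5.7.3 Authentication unsuccessful"))
    return turns


def decode_challenge(line):
    """Decode the base64 prompt inside a 334 reply ('334 VXNlcm5hbWU6' -> 'Username:')."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not a 334 continuation reply: " + line)
    return base64.b64decode(payload).decode()


def redact_for_log(turns):
    """Keep every server reply, but replace the client's answer to each 334 challenge
    with a placeholder (placeholder wording is assumed, not Exchange's exact text)."""
    out, awaiting_credential = [], False
    for direction, line in turns:
        if direction == "C" and awaiting_credential:
            out.append((direction, "<credential redacted>"))
        else:
            out.append((direction, line))
        awaiting_credential = direction == "S" and line.startswith("334 ")
    return out


# Constructed records in the column layout of an Exchange receive-connector protocol log.
# Sessions after the first are abbreviated to their outcome line.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-01-12T09:10:01.000Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E6F,0,10.0.0.5:25,203.0.113.77:51234,+,,
2016-01-12T09:10:01.200Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E6F,2,10.0.0.5:25,203.0.113.77:51234,<,AUTH LOGIN,
2016-01-12T09:10:01.300Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E6F,3,10.0.0.5:25,203.0.113.77:51234,>,334 <authentication response>,
2016-01-12T09:10:01.500Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E6F,5,10.0.0.5:25,203.0.113.77:51234,>,535 5.7.3 Authentication unsuccessful,
2016-01-12T09:10:03.100Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E70,5,10.0.0.5:25,203.0.113.77:51240,>,535 5.7.3 Authentication unsuccessful,
2016-01-12T09:10:05.400Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E71,5,10.0.0.5:25,203.0.113.77:51251,>,535 5.7.3 Authentication unsuccessful,
2016-01-12T09:12:40.000Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E80,5,10.0.0.5:25,198.51.100.9:60010,>,535 5.7.3 Authentication unsuccessful,
2016-01-12T09:12:55.000Z,EX01\\Default Frontend EX01,08D31A2B3C4D5E80,9,10.0.0.5:25,198.51.100.9:60010,>,235 2.7.0 Authentication successful,
"""


def parse_protocol_log(text):
    """Return one dict per record, naming columns from the '#Fields:' header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(line)
    if fields is None:
        raise ValueError("no #Fields: header in log")
    return list(csv.DictReader(StringIO("\n".join(rows)), fieldnames=fields))


def failed_auth_by_ip(text):
    """Count server replies starting with 535 (authentication failed) per remote IP."""
    counts = Counter()
    for rec in parse_protocol_log(text):
        if rec["event"] == ">" and rec["data"].startswith("535 "):
            counts[rec["remote-endpoint"].rsplit(":", 1)[0]] += 1
    return counts


def suspicious_sources(text, threshold=3):
    """IPs with at least `threshold` failed logins; one typo from a colleague stays below it."""
    return sorted(ip for ip, n in failed_auth_by_ip(text).items() if n >= threshold)


if __name__ == "__main__":
    for direction, line in redact_for_log(auth_login_dialogue("editor", "x", lambda u, p: False)):
        print(direction, line)
    print(dict(failed_auth_by_ip(SAMPLE_LOG)), suspicious_sources(SAMPLE_LOG))
```

Run as a script, the first part prints the redacted dialogue: both 334 lines survive (they only carry the base64 prompts "Username:" and "Password:", which `decode_challenge` recovers), while the two client answers are the lines that are withheld, which is exactly why the original log shows a 334 and then no credentials. The second part turns the comment thread's question into a check: three 535 replies from 203.0.113.77 in a few seconds cross the threshold, the single failure from 198.51.100.9 followed by a 235 does not. On a real server, point `parse_protocol_log` at the receive-connector log files instead of `SAMPLE_LOG`, and tune the threshold and a time window to your own traffic.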