Is our server backdoored?
#11
(05-11-2016, 04:08 AM)MuddyBucket Wrote:
(05-11-2016, 02:54 AM)Freerunning Wrote: I was wondering how come he got my email address as the sender? My co-workers received the same email too, and the sender was their own email address.

If I had to guess... I would say that setting the sender to your own email is some sort of an attempt to bypass any blacklists or get through on a whitelist (i.e. fool the spam detector). It may also make you more inclined to open it? Maybe? I don't know. People see an email from themselves and they want to know what it says/who sent it?

But I don't know how they got your address then. It could be that someone's email account was hacked and they had emails in their address book. It might even have been one of the people who works at the company. But just because one employee had their system compromised does not mean that the server or other users have been (yet). But then again, if the server has been blacklisted on spam lists for spamming, then maybe they do already have access to the server. Or they were using the compromised email account above to send more spam.

Thank you so much sir for a detailed answer. I hope they will give me access to the server ASAP so I can check it. Our company doesn't even get bothered about not having a System/DB admin.
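As an added example, not from the thread or any of its posters: a small Python triage that reads the headers of a message "from yourself" and separates a merely forged From header (the message entered from an outside host) from a message that first entered the mail system at our own server, which is the case that would point at a compromised account or host. The sample messages, hostnames and the our_mail_host parameter are constructed for illustration.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample (made-up hosts and addresses) of the message described in
# the thread: From is set to the recipient's own address, but the envelope
# sender and the earliest Received hop point at an outside host.
EXTERNAL_SPOOF = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.com (mx.example.com [203.0.113.10])
\tby mail.example.com with ESMTP; Wed, 11 May 2016 02:10:05 +0000
Received: from mailer.example.net ([198.51.100.7])
\tby mx.example.com with SMTP; Wed, 11 May 2016 02:10:04 +0000
From: Freerunning <freerunning@example.com>
To: freerunning@example.com"""

# Constructed counter-example: same From/To, but the earliest hop was accepted
# directly by our own server, which points at an account or process on it.
INTERNAL_ORIGIN = b"""Return-Path: <freerunning@example.com>
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.com with ESMTPA; Wed, 11 May 2016 02:54:00 +0000
From: freerunning@example.com
To: freerunning@example.com"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_self_addressed(raw: bytes, our_mail_host: str) -> dict:
    """Indicators for a 'from yourself' message; our_mail_host is the server we run."""
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    received = msg.get_all("Received", [])
    # Every MTA prepends its own Received line, so the last one is the earliest
    # hop visible to us; its "by" clause names the server that first accepted it.
    earliest = received[-1] if received else ""
    first_host = m.group(1).lower() if (m := re.search(r"\bby\s+(\S+)", earliest)) else ""
    return {
        "from_equals_recipient": from_addr in to_addrs,
        "envelope_domain_mismatch": _domain(return_path) != _domain(from_addr),
        "first_accepted_by_our_host": first_host == our_mail_host.lower(),
        "first_accepting_host": first_host,
    }

def verdict(indicators: dict) -> str:
    if not indicators["from_equals_recipient"]:
        return "not self-addressed"
    if indicators["first_accepted_by_our_host"]:
        return "entered at our server: review that host's accounts and logs"
    return "forged From header: entered from an outside host"
```

The Received chain is only as trustworthy as the hops you control, so treat the result as a pointer for which logs to read first, not as proof either way.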
#12
I'm in the business of pwning people, not helping people get unpwned, and I don't mean to be a dick, but you can tell management it's their own fault for using Windows Server and not hiring security professionals or implementing proper security themselves. But since you asked: if you have any backups, I'd transfer the site to another server temporarily while you reinstall the old one and use a proper OS this time, just to be sure; you really haven't provided much information to suggest another approach anyway. I'd run some common vulnerability checks before going live. Intercepting proxies and fuzzers are easy enough to use. Keep your mail server and such offline for now and run any critical services that need remote access over SSH. When you've patched the most dire vulnerabilities after fuzzing and checking the results, you contact a security company or professional to give you the rundown on proper sec. After which you can take your second server offline and live happily ever after.
#13
You might also want to take a closer look at your log files for suspicious activity.