Jump to content

Recommended Posts

We have a handful of mail servers at a data centre that have SmarterMail installed on them. Each server is separate from each other and on their own segregated network/firewall.

I installed Malwarebytes on one of them yesterday and was immediately presented with constant "Website blocked due to compromise" Port 25 and File: MailService.exe. This is constant and happening with different IPs every few seconds.

I've looked up a handful of these IPs on VirusTotal and they're all known malicious IPs. I've now installed Malwarebytes on another two mail servers and we're getting the same on them too, constant RTP detections, there are thousands and all different IPs.

I've seen port 587 pop up on a few occasions too and also port 80 and 443 but this is rare. Some screenshots below.

image.png.641a2ec01b2859c20a59951975aec28b.pngimage.png.78e27385756468803de55f3db5f9e667.png

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:      @ColBod

 

These are INBOUND IP blocks. Malwarebytes is doing it's job to protect the system from remote probing. Normally these type of blocks will go away on their own within a few days.

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

  • Root Admin

I have replied to your PM.

The system appears to be using port 25 for some type of mail services, I assume the one you say in your message above

Please work with the vendor and see how you can change that. Anytime you have an open port, anyone can probe it and try to see if they can attempt unauthorized access.

Change the port to something else and if possible block port 25 with your firewall

Thanks

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

  • Root Admin

Unfortunately this really is a security issue for mail servers. Below is a brief article with some ideas, but how to setup or manage this is beyond the scope of our services on the forums.

https://documentation.solarwindsmsp.com/spamexperts/documentation/qsg/lc/Content/se/lc/out-port-25-filter.htm

 

Link to post
Share on other sites

  • Root Admin

Securing a mail server is a complex task. I've not had to do so myself now for many years so I don't have any good current documentation to assist you.

This is generic advice. Do not download anything

https://www.thesslstore.com/blog/10-email-server-security-best-practices-to-secure-your-email-server/

 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.