Tips for Windows Server 2003 Compromise

If your server is sending spam or has been compromised, here are a few tips.

First, do a password audit. You can view the mailbox passwords in plain text in this file:

C:\Program Files\Parallels\Plesk\Mail Servers\Mail Enable\Config\AUTH.TAB

If any passwords in use are very weak, they will eventually be compromised. Pay extra attention to common business-type addresses such as info@, sales@ and contact@, as they are almost always the first to be brute forced. Also make sure that no password contains any words from the domain name.
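The audit above can be scripted rather than done by eye. The following is an added example (not code from the original post, and not a Plesk or MailEnable tool) that reads AUTH.TAB-style rows and flags the weaknesses the post names: short or common passwords, passwords containing the account name or a word from the domain name, and too few character classes. It assumes a simplified tab-separated layout of postoffice, account, password (the real file's column order and any extra fields should be checked before pointing this at it), and the sample rows are constructed.

```python
import re

# Constructed sample rows in the ASSUMED simplified AUTH.TAB layout:
#   postoffice <TAB> account <TAB> password
# Verify the column order against your real file before running this on it.
SAMPLE_AUTH_TAB = """\
example.com\tinfo\texample1
example.com\tsales\tP@ssw0rd
example.com\tcontact\tcontact
example.com\tjdoe\tT7#qL9vz!mR2
example.com\tpostmaster\t123456
"""

# Small illustrative list; extend with a real wordlist for a proper audit.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "12345678",
                    "qwerty", "letmein", "welcome"}
# Generic business mailboxes the post says are brute forced first.
HIGH_RISK_ACCOUNTS = {"info", "sales", "contact", "admin", "administrator",
                      "postmaster", "support", "office", "mail", "webmaster"}
MIN_LENGTH = 10


def domain_words(domain):
    """Split 'example.com' into lowercase words ('example', 'com') for substring checks."""
    return [w for w in re.split(r"[^a-z0-9]+", domain.lower()) if len(w) >= 3]


def parse_auth_tab(text):
    """Return (postoffice, account, password) tuples, skipping blank/comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # malformed row: not enough columns
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def audit_password(postoffice, account, password):
    """Return a list of weakness reasons; an empty list means no finding."""
    reasons = []
    pw = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw in COMMON_PASSWORDS:
        reasons.append("common password")
    if account.lower() in pw:
        reasons.append("contains account name")
    for w in domain_words(postoffice):
        if w in pw:
            reasons.append(f"contains domain word '{w}'")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit(text):
    """Audit every row; high-risk generic mailboxes are listed first."""
    findings = []
    for po, acct, pw in parse_auth_tab(text):
        reasons = audit_password(po, acct, pw)
        if reasons:
            findings.append({"account": f"{acct}@{po}",
                             "high_risk": acct.lower() in HIGH_RISK_ACCOUNTS,
                             "reasons": reasons})
    findings.sort(key=lambda f: (not f["high_risk"], f["account"]))
    return findings


if __name__ == "__main__":
    # To audit the real file: audit(open(path, encoding="utf-8").read())
    for f in audit(SAMPLE_AUTH_TAB):
        flag = "HIGH-RISK" if f["high_risk"] else "         "
        print(f"{flag} {f['account']}: {', '.join(f['reasons'])}")
```

Only accounts with at least one finding are reported, so a clean file produces no output; anything listed under HIGH-RISK should be reset first, since those mailboxes are the ones attackers guess at before any other.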

Disable options that allow spam to be relayed through your server in the form of backscatter: http://en.wikipedia.org/wiki/Backscatter_%28email%29

Specifically, disable NDRs (non-delivery reports), so your server is no longer sending bounces to spoofed sender addresses. Also disable the notification that tells the remote sender when an inbox is full, which can also be used to relay spam.

For the brute force attempts you have a few options. One is to consider disabling the Administrator account and setting up an account lockout policy that locks users out after a set number of failed attempts. You could also change the port that RDP is using (http://support.microsoft.com/kb/306759) to something more obscure.

There are also software-based utilities that can help. I'm not personally familiar with them, but I have seen them in use on client machines.

RdpGuard: http://rdpguard.com/
Syspeace: http://www.syspeace.com/start/
EvlWatcher: http://nerderies.blogspot.com/
IPban: https://github.com/jjxtra/Windows-IP-Ban-Service/downloads
