09-05-2003 06:11 AM
compromised somehow
No one knows it exists but me. It's never been used as a login. It has though, after a few weeks, started collecting SPAM email from the internet.
No one except three admins has access to unix. My PC users use pop/smtp for mail here, but as I said they are unaware of the account. None of them have it in any PC client address books. I do not believe the name has been harvested in this way.
We do not run Exchange here; the sendmail server is alone.
sendmail is set up not to relay. I have the security option set in sendmail that disallows VRFY and those types of queries.
Yet somehow, this email account has been discovered.
Can we discuss the possibilities? I really need to find this as we have obviously been compromised in some way.
09-05-2003 06:21 AM
Re: compromised somehow
All a spammer would need is a copy of /etc/passwd to be able to spam any account on your system.
A who output from any user is enough if they know the domain name.
Recommendations:
1) Make sure all sendmail security patches are installed.
2) Check permissions on all the files in /etc/mail
3) Consider installation of IDS/9000 because
there seems to have been a penetration of your system.
4) Review /etc/inetd.conf and take any steps necessary to disable finger
5) Consider the possibility of installing Bastille.
6) Review your lastb /var/adm/syslog/btmp for possible intrusions.
7) Implement /etc/mail/access spam blocking. Block entire 255 ip address blocks once spam comes in. It really slows down the spammers.
8) Consider having a security audit.
9) Visually Check your firewall logs and mail log for problems.
The software mentioned is free at http://software.hp.com The site is too slow for me to paste in links.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
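A worked version of recommendation 7 above, added here as an example; it is not SEP's own access file or scripts. It derives the class C (/24) prefix from an offending address and appends a REJECT entry to a sendmail access map, skipping prefixes that are already listed. The access file path is passed as an argument and is an assumption of the example; on HP-UX the live map is normally /etc/mail/access, rebuilt with makemap, which the example only calls when the tool is present.

```shell
#!/bin/sh
# Added example (not from the thread): block a whole class C network in a
# sendmail access map once spam arrives from one of its addresses.
# Assumptions: the access file path is given as an argument, and the map is
# rebuilt with makemap (sendmail's tool) when it is installed.

class_c_prefix() {
    # 192.0.2.45 -> 192.0.2
    # sendmail matches a bare partial dotted quad in the access map against
    # every connecting address that starts with it, so this one entry covers
    # all 256 hosts of the network. Prints nothing for a non-dotted-quad.
    printf '%s\n' "$1" | awk -F. 'NF == 4 { print $1 "." $2 "." $3 }'
}

add_reject_block() {
    # usage: add_reject_block IP ACCESS_FILE
    prefix=$(class_c_prefix "$1")
    [ -n "$prefix" ] || { echo "not a dotted quad: $1" >&2; return 1; }
    # Idempotent: dots are escaped so grep treats them literally.
    esc=$(printf '%s' "$prefix" | sed 's/\./\\./g')
    if grep -q "^${esc}[[:space:]]" "$2" 2>/dev/null; then
        return 0
    fi
    printf '%s\tREJECT\n' "$prefix" >> "$2"
}

rebuild_map() {
    # usage: rebuild_map ACCESS_FILE
    # Only runs when makemap exists, so the example is safe to run anywhere.
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$1" < "$1"
    fi
}

# Demonstration on a temporary file with constructed addresses.
demo_file=$(mktemp)
add_reject_block 192.0.2.45  "$demo_file"
add_reject_block 192.0.2.200 "$demo_file"   # same /24, no second line
add_reject_block 198.51.100.7 "$demo_file"
cat "$demo_file"
rebuild_map "$demo_file"
rm -f "$demo_file"
```

Newer sendmail releases also accept a `Connect:` tag in front of the address so that an entry only affects the connecting host and not sender addresses; the bare form used here is understood by older versions as well. Review the file before rebuilding the live map: a /24 entry also rejects any legitimate hosts that share the network.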
09-05-2003 06:21 AM
Re: compromised somehow
First thing, I would check your PC.
I think that you may have used this account for sending something to yourself, and a spybot grabbed the e-mail.
Check with an antivirus, and with
Spybot (search for it on download.cnet.com); I use it daily, and update it regularly!
Massimo
09-05-2003 06:26 AM
Re: compromised somehow
1) Through a web site
2) Through email somehow
3) Pure dumb luck
Some ideas about each of these
1) have you logged into this test account and posted anything to the web from there or even gone out and hit web sites using this login ?
2) Has this test address been put into anyone's email address book or onto any internal email lists ?
3) Is this a "usual" login name like admin or something that might be guessable, or is it something unique?
Also, do other addresses on this machine get a lot of spam ?
Those are the "obvious" things that I can think of that might get your address out there.
Best regards,
Kent M. Ostby
09-05-2003 06:32 AM
Re: compromised somehow
09-05-2003 06:38 AM
Re: compromised somehow
HTH
Marty
09-05-2003 06:46 AM
Re: compromised somehow
Think of it like a dictionary attack. They don't know your passwords, but by generating a huge number of brute force attacks it is likely they will get lucky. In the case of spam though they don't even need a local file (/etc/passwd) to succeed.
HTH.
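The dictionary attack described above leaves a recognisable trace in the mail log, which is the check SEP's item 9 asks for. The following is an added example, not code from anyone in the thread: it joins sendmail's per-recipient "User unknown" rejections to the envelope line that names the connecting relay (both share the queue id) and reports relays that probed at least a threshold of distinct non-existent recipients. The log lines are constructed in the style of sendmail 8.12 syslog output; field positions differ between sendmail versions, so the patterns are an assumption to adjust against your own /var/adm/syslog/mail.log.

```shell
#!/bin/sh
# Added example (not from the thread): spot address-guessing runs in a
# sendmail log. Lines below are CONSTRUCTED samples in sendmail 8.12 style;
# real field layout depends on the sendmail version in use.

# Constructed sample: 192.0.2.45 guesses four names across two envelopes;
# 198.51.100.7 is a normal peer that mistypes one address and delivers one.
SAMPLE_LOG='Sep  5 06:11:01 hpux1 sendmail[1201]: h85DB101201: <alice@example.com>... User unknown
Sep  5 06:11:01 hpux1 sendmail[1201]: h85DB101201: <bob@example.com>... User unknown
Sep  5 06:11:02 hpux1 sendmail[1201]: h85DB101201: from=<x@spam.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.45]
Sep  5 06:11:05 hpux1 sendmail[1202]: h85DB501202: <carol@example.com>... User unknown
Sep  5 06:11:05 hpux1 sendmail[1202]: h85DB501202: <dave@example.com>... User unknown
Sep  5 06:11:06 hpux1 sendmail[1202]: h85DB501202: from=<y@spam.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.45]
Sep  5 06:12:10 hpux1 sendmail[1203]: h85DC101203: <erin@example.com>... User unknown
Sep  5 06:12:10 hpux1 sendmail[1203]: h85DC101203: from=<partner@example.org>, size=1400, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Sep  5 06:12:10 hpux1 sendmail[1203]: h85DC101203: to=<root@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31400, dsn=2.0.0, stat=Sent'

# dictionary_probe_report THRESHOLD < mail.log
# Prints "relay_ip count" for each relay with >= THRESHOLD distinct unknown
# recipients, highest count first. Field $6 is the queue id in this layout.
dictionary_probe_report() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        # Envelope line: remember which relay owned each queue id. The
        # relay may be "[ip]" or "host [ip]"; keep the bracketed ip.
        /from=</ && /relay=/ {
            qid = $6; sub(/:$/, "", qid)
            r = $0; sub(/.*relay=/, "", r)
            if (match(r, /\[[0-9.]+\]/)) r = substr(r, RSTART + 1, RLENGTH - 2)
            else sub(/[ ,].*$/, "", r)
            relay_of[qid] = r
        }
        # Recipient rejection, logged before the envelope line in practice,
        # so the join happens in END rather than inline.
        /\.\.\. User unknown/ {
            qid = $6; sub(/:$/, "", qid)
            rcpt = $7; sub(/\.\.\.$/, "", rcpt)
            unknown[qid, rcpt] = 1
        }
        END {
            for (k in unknown) {
                split(k, p, SUBSEP)
                r = (p[1] in relay_of) ? relay_of[p[1]] : "unresolved"
                seen[r, p[2]] = 1           # distinct recipients per relay
            }
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (r in n) if (n[r] >= thr) print r, n[r]
        }
    ' | sort -k2,2nr -k1,1
}

# Demonstration: with a threshold of 3 only the probing host is reported.
printf '%s\n' "$SAMPLE_LOG" | dictionary_probe_report 3
```

Counting distinct recipients rather than raw rejection lines keeps a peer that retries one mistyped address from tripping the threshold; relays that appear in the report are candidates for the access map entry from item 7, after a look at the addresses they tried.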
09-05-2003 07:00 AM
Re: compromised somehow
Or it's an inside thing; it would have to be an admin - others are taken to a database with no access to the OS. But maybe one of them blasted the passwd file into a PC to create an Outlook Express address book, or something.
That last one seems remote to me, since there's only a couple of them and they'd have to be -regularly- doing this. But I'll look into it.
09-05-2003 07:26 AM
Re: compromised somehow
But you'd know if you did that.
Note that 65% of security compromises come from the inside. Who has telnet access and can run the who command or finger?
Also, obviously, if you used elm or a sendmail script or mailx as that user and it even travelled outside your network, someone could have gotten it off the mail logs. I have seen yahoo, hotmail and other mail logs for sale on the Internet. I've received spam offering me such items. Quite disgusting that these large providers can't keep their systems secure.
The access implementation really cuts down on spam. I'm down from 75 a week to 3-5 in spite of the fact that my email address is posted multiple times in itrc.
If I didn't already send it to you I can make my access file and scripts available.
SEP