compromised somehow

Fred Martin_1
Valued Contributor

compromised somehow

I created a new unix account specifically as a test. It does not exist on any of my NT servers.

No one knows it exists but me. It's never been used as a login. It has though, after a few weeks, started collecting SPAM email from the internet.

No one except three admins have access to unix. My PC users use pop/smtp for mail here, but as I said they are unaware of the account. None of them have it in any PC client address books. I do not believe the name has been harvested in this way.

We do not run Exchange here; the sendmail server is alone.

sendmail is set up not to relay. I have the security option set in sendmail that disallows VRFY and those types of queries.

Yet somehow, this email account has been discovered.

Can we discuss the possibilities? I really need to find this as we have obviously been compromised in some way.
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: compromised somehow

If the email account name is guessable, it merely could have been guessed.

All a spammer would need is a copy of /etc/passwd to be able to spam any account on your system.

A who output from any user is enough if they know the domain name.

Recommendations:

1) Make sure all sendmail security patches are installed.
2) Check permissions on all the files in /etc/mail
3) Consider installation of IDS/9000 because there seems to have been a penetration of your system.

4) Review /etc/inetd.conf and take any steps necessary to disable finger
5) Consider the possibility of installing Bastille.

6) Review your lastb /var/adm/syslog/btmp for possible intrusions.
7) Implement /etc/mail/access spam blocking. Block entire 255 IP address blocks once spam comes in. It really slows down the spammers.
8) Consider having a security audit.
9) Visually check your firewall logs and mail log for problems.

The software mentioned is free at http://software.hp.com The site is too slow for me to paste in links.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Massimo Bianchi
Honored Contributor

Re: compromised somehow

Hi,
first thing, I will check your PC.

I think that you may have used this account for sending something to yourself, and a spybot grabbed the e-mail.

Check with an antivirus, and with Spybot (search for it on download.cnet.com); I use it daily, and update it regularly!

Massimo

Kent Ostby
Honored Contributor

Re: compromised somehow

Well, I don't know a ton of stuff about this, but I would say that they got the address one of three ways:

1) Through a web site

2) Through email somehow

3) Pure dumb luck

Some ideas about each of these

1) have you logged into this test account and posted anything to the web from there or even gone out and hit web sites using this login ?

2) Has this test address been put into anyones email address book or onto any internal email lists ?

3) Is this a "usual" login name like admin, or something that might be guessable, or is it something unique?

Also, do other addresses on this machine get a lot of spam?

Those are the "obvious" things that I can think of that might get your address out there.

Best regards,

Kent M. Ostby
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Fred Martin_1
Valued Contributor

Re: compromised somehow

The account name is not a guessable name. Never been logged into, never even been used. Just created the account in SAM, didn't tell anybody. Not in any aliases. That's it.
fmartin@applicatorssales.com
Martin Johnson
Honored Contributor

Re: compromised somehow

Looks like someone got a copy of your /etc/passwd file. Are any of the other accounts getting SPAM? If not, it may be an inside job directed at you.

HTH
Marty
Brian Bergstrand
Honored Contributor

Re: compromised somehow

More than likely, some spammer got lucky with a script that generates names. There is no need for anyone to compromise your system. All they have to do is know your domain name and from there they basically send to *@domain.com. The spam generators can do this easily and there is no work on the spammer's part; it is all automatic.

Think of it like a dictionary attack. They don't know your passwords, but by generating a huge number of brute force attacks it is likely they will get lucky. In the case of spam though they don't even need a local file (/etc/passwd) to succeed.

HTH.
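Steven's recommendation 7 (blocking whole IP blocks in /etc/mail/access once spam arrives) and Brian's point about generated recipient names fit together: a generated-address run shows up in the sendmail log as a burst of "User unknown" rejections from the same network. The following script is an added example, not something posted in the thread; the log lines are constructed samples, and the /24 key syntax in the access map is standard sendmail behaviour.

```shell
# Constructed sample sendmail syslog lines (not from the thread). Three
# different hosts in 203.0.113.0/24 each hit a non-existent recipient,
# which is what a generated-address run looks like on the server side.
SAMPLE_LOG='Jan  5 10:12:01 mx sendmail[2101]: j05AC1q02101: ruleset=check_rcpt, arg1=<nosuch1@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <nosuch1@example.com>... User unknown
Jan  5 10:12:02 mx sendmail[2102]: j05AC2q02102: ruleset=check_rcpt, arg1=<nosuch2@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <nosuch2@example.com>... User unknown
Jan  5 10:12:03 mx sendmail[2103]: j05AC3q02103: ruleset=check_rcpt, arg1=<nosuch3@example.com>, relay=[203.0.113.9], reject=550 5.1.1 <nosuch3@example.com>... User unknown
Jan  5 10:12:04 mx sendmail[2104]: j05AC4q02104: from=<partner@example.net>, size=812, class=0, nrcpts=1, relay=mail.example.net [198.51.100.7]
Jan  5 10:12:05 mx sendmail[2105]: j05AC5q02105: ruleset=check_rcpt, arg1=<nosuch4@example.com>, relay=[203.0.113.77], reject=550 5.1.1 <nosuch4@example.com>... User unknown
Jan  5 10:12:06 mx sendmail[2106]: j05AC6q02106: ruleset=check_rcpt, arg1=<typo@example.com>, relay=host.example.org [198.51.100.200], reject=550 5.1.1 <typo@example.com>... User unknown'

# Read a sendmail log on stdin and count "User unknown" rejections per /24.
# Output: one "count<TAB>a.b.c" line per network, busiest first.
unknown_rcpt_by_net() {
    grep 'User unknown' |
    sed -n 's/.*relay=[^[]*\[\([0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*\].*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ printf "%s\t%s\n", $1, $2 }'
}

# Turn the counts into /etc/mail/access lines for every /24 whose rejection
# count reaches the threshold. A key of the form "203.0.113" matches the
# whole /24 in the access map, which is the "entire block" Steven describes.
# A single bad recipient (a typo from a legitimate host) stays below threshold.
access_entries() {
    threshold=$1
    unknown_rcpt_by_net |
    awk -v t="$threshold" '$1 >= t { printf "%s\tREJECT\n", $2 }'
}

# Stand-alone run: print the candidate access lines for review before they
# are appended to /etc/mail/access and the map is rebuilt with makemap.
printf '%s\n' "$SAMPLE_LOG" | access_entries 3
```

Run it against the real log with `access_entries 3 < /var/log/syslog` (or wherever sendmail logs on your system) and review the output by hand before rebuilding the access map.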
Fred Martin_1
Valued Contributor

Re: compromised somehow

Yeah, the only two things I can come up with are that someone on the outside got VPN access through a valid admin account, or that someone has accessed sendmail in a way that I don't understand to get a user list.

Or it's an inside thing; it would have to be an admin - others are taken to a database with no access to the OS. But maybe one of them blasted the passwd file into a PC to create an Outlook Express address book, or something.

That last one seems remote to me, since there's only a couple of them and they'd have to be -regularly- doing this. But I'll look into it.
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: compromised somehow

I suppose if you fired up X Windows with this new user and browsed the Internet with valid settings in the browser, a spammer could get it.

But you'd know if you did that.

Note that 65% of security compromises come from the inside. Who has telnet access and can run the who command or finger?

Also obviously, if you used elm or a sendmail script or mailx as that user and it even travelled outside your network, someone could have gotten it off the mail logs. I have seen yahoo, hotmail and other mail logs for sale on the Internet. I've received spam offering me such items. Quite disgusting that these large providers can't keep their systems secure.

The access implementation really cuts down on spam. I'm down from 75 a week to 3-5 in spite of the fact that my email address is posted multiple times in ITRC.

If I didn't already send it to you I can make my access file and scripts available.

SEP