Security Incidents mailing list archives
Re: E-Mail relay or break in? (fwd)
From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Wed, 9 Feb 2000 21:01:11 -0800
---------- Forwarded message ---------- Date: Wed, 9 Feb 2000 12:01:37 -0500 From: Seth Georgion <sysadmin () sassproductions com> To: Ryan Russell <ryan () securityfocus com> Subject: RE: E-Mail relay or break in? Congratulations for the correct call. Here is an exceprt from a script someone else left on the web server that someone else executed. #$subject = 'This is a test mail'; #$message = 'This is a test message...did I get it'; It was a simple sockets script for sending E-Mail. Thanks, It was just some one screwing around and not an actual compromise. Seth -----Original Message----- From: Ryan Russell [mailto:ryan () securityfocus com] Sent: Wednesday, February 09, 2000 11:36 AM To: Seth Georgion Cc: INCIDENTS () SECURITYFOCUS COM Subject: Re: E-Mail relay or break in? On Tue, 8 Feb 2000, Seth Georgion wrote:
Mid-day today, while logged in to my exchange 5.5 server at the console, I recieved an E-Mail from myself to myself. Technically it was a "Just Testing" kind of message from my Administrator account to my SysAdmin account. Of course I never sent it and after further investigation I discovered that the E-Mail was most certainly sent by telnet and then subsequently, about a minute later, recieved by my copy of Outlook 2000. Before anyone gives me anything about "Did I read my logs?" The answer is yes and they indicate that the connection originated to and from my machine. Let me preface the main question with the statement that this server has been up for 30 hours and due to other crises around here has not had mail-relaying disabled yet. My first assumption was that someone was mail-relaying me and just forging the info but because I have a near paranoid interest in logging Exchange stuff I was suprised to see that it went beyond a simple forged E-Mail. My question is simply "Is this someone creating a telnet session and forging an E-Mail and tricking out Exchange or is this someone who has compromised my server and is now trying to gain control of some E-Mail?"
The log makes it look not hand-typed. Do you have any sort of script someone might have hit to generate such a mail? For example, some sort of CGI mail script someone is poking at for holes? Since the machine is named GATE, does it also have an external interface with a routable address? Ryan
Current thread:
- Re: E-Mail relay or break in? (fwd) Ryan Russell (Feb 09)