Security Incidents mailing list archives
Re: E-Mail relay or break in?
From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Wed, 9 Feb 2000 08:35:40 -0800
On Tue, 8 Feb 2000, Seth Georgion wrote:
Mid-day today, while logged in to my exchange 5.5 server at the console, I recieved an E-Mail from myself to myself. Technically it was a "Just Testing" kind of message from my Administrator account to my SysAdmin account. Of course I never sent it and after further investigation I discovered that the E-Mail was most certainly sent by telnet and then subsequently, about a minute later, recieved by my copy of Outlook 2000. Before anyone gives me anything about "Did I read my logs?" The answer is yes and they indicate that the connection originated to and from my machine. Let me preface the main question with the statement that this server has been up for 30 hours and due to other crises around here has not had mail-relaying disabled yet. My first assumption was that someone was mail-relaying me and just forging the info but because I have a near paranoid interest in logging Exchange stuff I was suprised to see that it went beyond a simple forged E-Mail. My question is simply "Is this someone creating a telnet session and forging an E-Mail and tricking out Exchange or is this someone who has compromised my server and is now trying to gain control of some E-Mail?"
The log makes it look not hand-typed. Do you have any sort of script someone might have hit to generate such a mail? For example, some sort of CGI mail script someone is poking at for holes? Since the machine is named GATE, does it also have an external interface with a routable address? Ryan
Current thread:
- Re: Strange traceroute, (continued)
- Re: Strange traceroute CyberPsychotic (Feb 05)
- Re: Strange traceroute Dragos Ruiu (Feb 07)
- Private networks and home.{net|com} Etaoin Shrdlu (Feb 07)
- Strange ping reply packets Artur Nowak (Feb 08)
- Re: Private networks and home.{net|com} Bruce A. Mah (Feb 08)
- Re: Private networks and home.{net|com} Dragos Ruiu (Feb 09)
- E-Mail relay or break in? Seth Georgion (Feb 08)
- Re: E-Mail relay or break in? JJ Gray (Feb 09)
- Re: E-Mail relay or break in? Graeme (Feb 09)
- Re: E-Mail relay or break in? Nathan Nichols (Feb 09)
- Re: Strange traceroute CyberPsychotic (Feb 05)
- Re: E-Mail relay or break in? Ryan Russell (Feb 09)
- Recent DDoS Bino Gopal (Feb 08)
- Re: Recent DDoS Qmail Admin (Feb 09)
- Port 34545 jimwebb () EASYSTREET COM (Feb 09)
- Re: Recent DDoS MMS26 (Feb 09)
- Re: Recent DDoS Vanja Hrustic (Feb 09)
- Re: Recent DDoS (was Ping flood? Whats the point?) Kerry Baker (Feb 09)
- Re: Recent DDoS (was Ping flood? Whats the point?) Eivind Eklund (Feb 11)
- SSH2 Exploit? Jonathan A. Zdziarski (Feb 09)
- Re: SSH2 Exploit? Alexander Kiwerski (Feb 10)
- Re: SSH2 Exploit? Richard Trott (Feb 10)