
[cobalt-security] How can they do this and how to stop it???



Hi Yah Support,

Okay, with shell/telnet off, no SMTP relaying and POP authentication before
SMTP, the following was picked up in the mail log files this afternoon. I've
only shown some of the log as this activity lasted a few hours...

Sep  7 17:17:08 ns sendmail[30573]: RAA30573: Authentication-Warning:
ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to sdjkfk@xxxxxxx using -f
Sep  7 17:17:08 ns sendmail[30573]: RAA30573: from=sdjkfk@xxxxxxx, size=390,
class=0, pri=30390, nrcpts=1,
msgid=<200109072317.RAA30573@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
relay=colour@localhost
Sep  7 17:17:08 ns sendmail[30575]: RAA30573: to=willywonka252@xxxxxxx,
ctladdr=sdjkfk@xxxxxxx (232/100), delay=00:00:00, xdelay=00:00:00,
mailer=esmtp, relay=mailin-02.mx.aol.com. [205.188.156.154], stat=Sent (OK)
Sep  7 17:38:01 ns sendmail[31488]: RAA31488: Authentication-Warning:
ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to khuuhnkj@xxxxxxx using -f
Sep  7 17:38:01 ns sendmail[31488]: RAA31488: from=khuuhnkj@xxxxxxx,
size=1188, class=0, pri=151188, nrcpts=5,
msgid=<200109072338.RAA31488@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
relay=colour@localhost
Sep  7 17:38:03 ns sendmail[31490]: RAA31488:
to=babs32650@xxxxxxx,babieme16@xxxxxxx,beccer1117@xxxxxxx,bigcow7533@xxxxxxx,
epplerm@xxxxxxx, ctladdr=khuuhnkj@xxxxxxx (232/100), delay=00:00:02,
xdelay=00:00:02, mailer=esmtp, relay=mailin-03.mx.aol.com. [64.12.136.153],
stat=Sent (OK)
Sep  7 17:38:56 ns sendmail[31530]: RAA31530: Authentication-Warning:
ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to jbgovunc@xxxxxxx using -f
Sep  7 17:38:56 ns sendmail[31530]: RAA31530: from=jbgovunc@xxxxxxx,
size=1174, class=0, pri=151174, nrcpts=5,
msgid=<200109072338.RAA31530@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
relay=colour@localhost
Sep  7 17:38:57 ns sendmail[31532]: RAA31530:
to=ahandly23@xxxxxxx,patachou@xxxxxxx,althrtl547@xxxxxxx,faroah2g@xxxxxxx,
badacebritta@xxxxxxx, ctladdr=jbgovunc@xxxxxxx (232/100), delay=00:00:01,
xdelay=00:00:01, mailer=esmtp, relay=mailin-03.mx.aol.com. [64.12.136.153],
stat=Sent (OK)
Sep  7 17:45:40 ns sendmail[31800]: RAA31800: Authentication-Warning:
ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to hugjdkbv@xxxxxxx using -f
Sep  7 17:45:40 ns sendmail[31800]: RAA31800: from=hugjdkbv@xxxxxxx,
size=1200, class=0, pri=151200, nrcpts=5,
msgid=<200109072345.RAA31800@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
relay=colour@localhost
Sep  7 17:45:40 ns sendmail[31802]: RAA31800:
to=accesscode420@xxxxxxx,beth7769@xxxxxxx,me4dancin@xxxxxxx,apprich@xxxxxxx,
kings0855@xxxxxxx, ctladdr=hugjdkbv@xxxxxxx (232/100), delay=00:00:00,
xdelay=00:00:00, mailer=esmtp, relay=mailin-01.mx.aol.com. [205.188.157.25],
stat=Sent (OK)
Sep  7 17:46:48 ns sendmail[31862]: RAA31862: Authentication-Warning:
ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to khnmserk@xxxxxxx using -f
Sep  7 17:46:48 ns sendmail[31862]: RAA31862: from=khnmserk@xxxxxxx,
size=1191, class=0, pri=151191, nrcpts=5,
msgid=<200109072346.RAA31862@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
relay=colour@localhost
Sep  7 17:46:51 ns sendmail[31864]: RAA31862:
to=mirassiran@xxxxxxx,begme2stop@xxxxxxx,airandrey@xxxxxxx,bobbow64@xxxxxxx,
ep26@xxxxxxx, ctladdr=khnmserk@xxxxxxx (232/100), delay=00:00:03,
xdelay=00:00:03, mailer=esmtp, relay=mailin-03.mx.aol.com. [64.12.136.153],
stat=Sent (OK)

Now we know the user (colour) personally and we designed the site, so there
are no problems there. What I think has happened is that they have somehow
hacked the username to the account and, using the forward switch, have relayed
mail out like that. I'm no expert and I am totally new to Linux/Cobalts, but
we have tightened everything up as recommended by the providers of the
server and by recommendations made here by people far more knowledgeable than
little old me.

Can someone tell me if I'm right? Has there been a hack into the server, and
how can I prevent this from happening again?

As soon as I spotted this the user was deleted and another added using a
different name and password; this seems to have stopped the flood of mail
being sent out. All the latest Cobalt patches are in place.

Many thanks in advance and I look forward to your suggestions/comments

Regards from Auckland

Chae
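Editor's note with an added example (not part of the original post). The two things that matter in the log above are "Authentication-Warning: ... colour set sender to ... using -f" and "relay=colour@localhost": sendmail writes the warning when a user it does not trust overrides the envelope sender with the `-f` switch, and `relay=user@localhost` means the message was handed to the local sendmail binary by a process running as that user rather than received over SMTP. The POP-before-SMTP and relay controls never see such mail, so the question is how something came to run as `colour` (the log cannot say whether it was a shell login, a web script or something else). The script below, written for this page and not taken from the poster or from Cobalt, pulls that pattern out of a sendmail log and totals it per local account. The log lines it parses are constructed to match the post's format, with example.com/.net/.org hosts and RFC 5737 addresses standing in for the masked values.

```python
"""Find mail injected through the local sendmail binary with a forged -f sender
and summarise it per local account. Added example; sample log is constructed."""
import re
from collections import defaultdict

# Constructed sample modelled on the post's log: two forged submissions by
# "colour" and one ordinary local submission by "alice" (no warning, own address).
SAMPLE_LOG = """\
Sep  7 17:17:08 ns sendmail[30573]: RAA30573: Authentication-Warning: ns.example.com: colour set sender to sdjkfk@example.net using -f
Sep  7 17:17:08 ns sendmail[30573]: RAA30573: from=sdjkfk@example.net, size=390, class=0, pri=30390, nrcpts=1, msgid=<200109072317.RAA30573@ns.example.com>, relay=colour@localhost
Sep  7 17:17:08 ns sendmail[30575]: RAA30573: to=willywonka252@example.org, ctladdr=sdjkfk@example.net (232/100), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, relay=mailin-02.mx.example.org. [192.0.2.10], stat=Sent (OK)
Sep  7 17:38:01 ns sendmail[31488]: RAA31488: Authentication-Warning: ns.example.com: colour set sender to khuuhnkj@example.net using -f
Sep  7 17:38:01 ns sendmail[31488]: RAA31488: from=khuuhnkj@example.net, size=1188, class=0, pri=151188, nrcpts=5, msgid=<200109072338.RAA31488@ns.example.com>, relay=colour@localhost
Sep  7 17:38:03 ns sendmail[31490]: RAA31488: to=babs32650@example.org,babieme16@example.org,beccer1117@example.org,bigcow7533@example.org,epplerm@example.org, ctladdr=khuuhnkj@example.net (232/100), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=mailin-03.mx.example.org. [192.0.2.11], stat=Sent (OK)
Sep  7 18:02:10 ns sendmail[31900]: SAA31900: from=alice@example.com, size=512, class=0, pri=30512, nrcpts=1, msgid=<200109080002.SAA31900@ns.example.com>, relay=alice@localhost
Sep  7 18:02:11 ns sendmail[31902]: SAA31900: to=bob@example.org, ctladdr=alice@example.com (501/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.20], stat=Sent (OK)
"""

# One syslog record: timestamp, host, "sendmail[pid]: QUEUEID: rest"
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# The -f override warning: "<fqdn>: <local user> set sender to <address> using -f"
WARN_RE = re.compile(
    r"Authentication-Warning: \S+: (?P<user>\S+) set sender to (?P<sender>\S+) using -f"
)
# Envelope line: relay=user@localhost marks local submission, not SMTP
FROM_RE = re.compile(r"^from=(?P<from>[^,]+),.*nrcpts=(?P<nrcpts>\d+).*relay=(?P<relay>\S+)$")
# Delivery line: ctladdr carries the uid/gid that handed the message to sendmail
TO_RE = re.compile(
    r"^to=(?P<to>\S+), ctladdr=(?P<ctl>\S+) \((?P<uid>\d+)/(?P<gid>\d+)\)"
    r".*relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\].*stat=(?P<stat>.*)$"
)


def parse_sendmail_log(text):
    """Group the warning, from= and to= records of each message by queue ID."""
    msgs = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"qid": m["qid"], "first_seen": m["ts"], "recipients": []})
        rest = m["rest"]
        w = WARN_RE.search(rest)
        if w:
            rec["local_user"], rec["forged_sender"] = w["user"], w["sender"]
            continue
        f = FROM_RE.match(rest)
        if f:
            rec["envelope_from"] = f["from"]
            rec["nrcpts"] = int(f["nrcpts"])
            rec["submit_relay"] = f["relay"]
            continue
        t = TO_RE.match(rest)
        if t:
            rec["recipients"].extend(t["to"].split(","))
            rec["uid"] = int(t["uid"])
            rec["next_hop"], rec["stat"] = t["relay"], t["stat"]
    return msgs


def forged_local_injections(msgs):
    """Messages submitted locally (relay=user@localhost) whose sender an
    untrusted local user overrode with -f: exactly the pattern in the post."""
    return [r for r in msgs.values()
            if "forged_sender" in r and r.get("submit_relay", "").endswith("@localhost")]


def summarize_by_user(msgs):
    """Per local account: message count, recipients, forged senders, uid, time window."""
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0, "forged_senders": set(),
                                   "uid": None, "first_seen": None, "last_seen": None})
    for r in forged_local_injections(msgs):
        s = summary[r["local_user"]]
        s["messages"] += 1
        s["recipients"] += r.get("nrcpts", len(r["recipients"]))
        s["forged_senders"].add(r["forged_sender"])
        s["uid"] = r.get("uid", s["uid"])
        s["first_seen"] = s["first_seen"] or r["first_seen"]
        s["last_seen"] = r["first_seen"]
    return dict(summary)


if __name__ == "__main__":
    for user, s in summarize_by_user(parse_sendmail_log(SAMPLE_LOG)).items():
        print(f"{user} (uid {s['uid']}): {s['messages']} messages, {s['recipients']} recipients, "
              f"{len(s['forged_senders'])} forged senders, {s['first_seen']} .. {s['last_seen']}")
```

Run it against a real /var/log/maillog by reading the file into `parse_sendmail_log` instead of `SAMPLE_LOG`. Ordinary local mail (alice above) produces no warning and is not reported; a burst of warnings from one account with a different random sender each time, as in the post, points at a process running as that account, which is what to investigate (login records, web scripts and cron entries owned by that user), rather than at SMTP relay settings.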