Educause Security Discussion mailing list archives

Help on Possible Web Mail Attack


From: Tim Lane <tlane () SCU EDU AU>
Date: Thu, 16 Jun 2005 16:40:20 +1000

Hi All,

I have a query regarding a possible hack on our new Sun Web mail system. Is
anyone able to help with a query? We have just gone live for POP web mail
and have noticed one of our test web mail accounts appears to have been
compromised or hijacked, by multiple timeouts whereby another IP address
was reported as using the session.

Is the below log report just reflective of a seemingly innocuous web bot of
some type, or perhaps a hacker hiding behind a Google range?

[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity
- client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to
64.233.172.2

The 64.233 address actually resolves back to Google.

We are running Sun Java Enterprise System 2.0 with UWC multiplexes deployed
at the front of the firewall talking back to the email back end behind the
firewall.
Our main questions are:

Any other ideas, hints, suggestions or fixes etc. would be much appreciated.

Thanks,

Tim Lane


Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

02 6620 3290    02 6620 3033    tlane () scu edu au
http://www.scu.edu.au
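
An added example, not part of the original post and not Sun's own tooling: a small parser for the `ipsecurity` warning format quoted in the message, which groups the warnings by session ID so the owner address and every client that tried to reuse the session can be reviewed together. The field layout is inferred from the single log line in the post, the function names are hypothetical, and the second and third sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the warning shown in the post; the field layout is inferred
# from that single line (an assumption, not a documented Sun format).
WARNING = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<host>\S+)\s+httpd\[\d+\]:\s+General Warning:\s+"
    r"ipsecurity\s+-\s+client\s+(?P<client>\S+)\s+attempted to use session\s+"
    r"(?P<session>\S+)\s+belonging to\s+(?P<owner>\S+)"
)

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") or not records:
            records.append(line)      # a new record starts with its timestamp
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def session_conflicts(text):
    """Map session id -> owner address and the clients that tried to reuse it."""
    report = defaultdict(lambda: {"owner": None, "clients": defaultdict(list)})
    for record in unwrap(text):
        m = WARNING.search(record)
        if not m:
            continue  # not an ipsecurity warning
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report[m["session"]]
        entry["owner"] = m["owner"]
        entry["clients"][m["client"]].append(when)
    return report

# First record is the line from the post; the other two are constructed samples.
SAMPLE = """\
[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity
- client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to
64.233.172.2
[16/Jun/2005:10:14:37 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2
[16/Jun/2005:10:20:05 +1000] boson httpd[8410]: General Warning: ipsecurity - client 192.0.2.44 attempted to use session CONSTRUCTED01 belonging to 10.133.25.9
"""

if __name__ == "__main__":
    for sid, info in session_conflicts(SAMPLE).items():
        print(sid, info["owner"], {c: len(t) for c, t in info["clients"].items()})
```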
