Educause Security Discussion mailing list archives
Re: <SPAM> Re: user account compromise?
From: Stephen John Smoogen <smooge () UNM EDU>
Date: Thu, 24 Apr 2008 15:21:09 -0600
Dick Jacobson wrote:
On Thu, 24 Apr 2008, Cal Frye wrote: We also had one of these where the password was changed but the activity returned. Our email guru said the person must have maintained a connection over the period of the password change - so check the connections also - or the user simply changed their password back to the original (even though they said they didn't).
What I have seen happen is that the bad-guy will immediately use the password to get into any university resources and load up 'trojans' and look for privilege escalation etc. as much as possible. So his laptop, any central storage/email servers etc. where the password can allow him to execute programs will be tested to make sure they can stay in as long as possible. Then they will start looking to see who else they can be by monitoring network traffic etc. to grab more passwords and get as many 'zombies' as they can for future bot-activities.
Barros, Jacob wrote:
Ken and all. That was it. He did reply to one of those phishing scams. No more than 12 hours before the SPAM was launched. Any non-internal legal advice would be appreciated.

Be careful changing his password -- don't email it to him, as the spammer may have set up forwarding and might receive a copy of the notice ;-)

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com
"Reality is merely an illusion, albeit a very persistent one." - Albert Einstein (1879-1955)

-----------------------------------------------------------------------
Dick Jacobson e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer office : IACC 206, NDSU
ND HECN MultiUser Host SysAd phone : 701-231-7385
-----------------------------------------------------------------------
--
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico
Albuquerque, NM 87131-0001
Phone: (505) 277-8219 Email: smooge () unm edu
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"