Security Incidents mailing list archives
E-Mail relay or break in?
From: sysadmin () SASSPRODUCTIONS COM (Seth Georgion)
Date: Tue, 8 Feb 2000 21:56:01 -0500
Mid-day today, while logged in to my Exchange 5.5 server at the console, I received an E-Mail from myself to myself. Technically it was a "Just Testing" kind of message from my Administrator account to my SysAdmin account. Of course I never sent it, and after further investigation I discovered that the E-Mail was most certainly sent by telnet and then subsequently, about a minute later, received by my copy of Outlook 2000. Before anyone gives me anything about "Did I read my logs?", the answer is yes, and they indicate that the connection originated to and from my machine.

Let me preface the main question with the statement that this server has been up for 30 hours and, due to other crises around here, has not had mail relaying disabled yet. My first assumption was that someone was mail-relaying me and just forging the info, but because I have a near-paranoid interest in logging Exchange stuff I was surprised to see that it went beyond a simple forged E-Mail. My question is simply: "Is this someone creating a telnet session and forging an E-Mail and tricking out Exchange, or is this someone who has compromised my server and is now trying to gain control of some E-Mail?"

Here are the relevant logs. Note: GATE is the name of the server; the IP address 192.168.1.254 is internal because we use NAT pools.

Here are two Event Logs for it.

SMTP connection to Exchange from the Exchange server itself:

Date: 2/8/00
Event ID: 2000
Time: 3:14:42 PM
Source: MSExchangeIMC
User: N/A
Type: None
Computer: GATE
Category: SMTP Interface Events
Description: A new TCP/IP SMTP connection has been received from host GATE
Logfile: L00000000.LOG

This is the message transfer and description file:

Date: Above
Event ID: 2002
Time: 3:14:43 PM
Source: Above
User: N/A
Type: Information
Computer: GATE
Category: Message Transfer
Description: A Message from <administrator () sassproductions com> in temporary folder \imcdata\in\1QHMKPJ7 was received from GATE with 1 local recipients.
Here's the E-Mail as stored in imcdata.

â ImCr 0 :Gr¿ GATE GATE <Administrator () sassproductions com> c=US;a= ;p=SASS Productions;l=GATE00020820141QHMKPJ7 O ASS 8 8 <sysadmin () sassproductions com> known EwLs
Received: from GATE ([192.168.1.254]) by gate.sassproductions with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 1QHMKPJ7; Tue, 8 Feb 2000 15:14:43 -0500
From: Administrator () sassproductions com
To: sysadmin () sassproductions com
Subject: This is a test mail

This is a test message...did I get it

And here is the log of what the person typed in, word for word.

2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< IO: |HELO |
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : >>> 250 OK
2/8/00 3:14:43 PM : <<< IO: |MAIL FROM:<Administrator () sassproductions com> |
2/8/00 3:14:43 PM : <<< MAIL FROM:<Administrator () sassproductions com>
2/8/00 3:14:43 PM : >>> 250 OK - mail from <Administrator () sassproductions com>
2/8/00 3:14:43 PM : <<< IO: |RCPT TO:<sysadmin () sassproductions com> |
2/8/00 3:14:43 PM : <<< RCPT TO:<sysadmin () sassproductions com>
2/8/00 3:14:43 PM : >>> 250 OK - Recipient <sysadmin () sassproductions com>
2/8/00 3:14:43 PM : <<< IO: |DATA |
2/8/00 3:14:43 PM : <<< DATA
2/8/00 3:14:43 PM : >>> 354 Send data. End with CRLF.CRLF
2/8/00 3:14:43 PM : <<< IO: |From: Administrator () sassproductions com
To: sysadmin () sassproductions com
Subject: This is a test mail

This is a test message...did I get it
. |
2/8/00 3:14:43 PM : >>> 250 OK
2/8/00 3:14:43 PM : <<< IO: |QUIT |
2/8/00 3:14:43 PM : <<< QUIT
2/8/00 3:14:43 PM : >>> 221 closing connection

So what is it? Locally originated or just a very clever disguise attempt? Well, not just an attempt... ;)
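As an added example (not part of the post), a small Python parser for the IMC protocol log quoted above that reconstructs the SMTP session and runs the checks a defender would apply to the same question: whether HELO carried a hostname, whether a local-domain sender arrived from the server's own name or NAT address, and how long the exchange took. The sample log is re-typed from the post with most server replies dropped and the archive's " () " address obfuscation restored to "@"; the local-domain and server-name sets passed to assess() are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the IMC protocol log from the post, one event per line,
# most server replies dropped, " () " restored to "@" in the addresses.
IMC_LOG = """\
2/8/00 3:14:42 PM : A connection was accepted from GATE.
2/8/00 3:14:42 PM : <<< HELO
2/8/00 3:14:43 PM : <<< MAIL FROM:<Administrator@sassproductions.com>
2/8/00 3:14:43 PM : <<< RCPT TO:<sysadmin@sassproductions.com>
2/8/00 3:14:43 PM : <<< DATA
2/8/00 3:14:43 PM : >>> 250 OK
2/8/00 3:14:43 PM : <<< QUIT
"""
LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) : (.*)$")

def parse_session(log):
    """Reconstruct one SMTP session (peer, HELO, envelope, timestamps) from IMC log lines."""
    s = {"peer": None, "helo": None, "mail_from": None, "rcpt_to": [], "times": []}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s["times"].append(datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p"))
        text = m.group(2)
        if text.startswith("A connection was accepted from "):
            s["peer"] = text.split("from ", 1)[1].rstrip(".")
        elif text.startswith("<<< "):  # client command; the "IO: |...|" echo lines are skipped
            verb, _, arg = text[4:].partition(" ")
            if verb.upper() == "HELO":
                s["helo"] = arg.strip()
            elif verb.upper() == "MAIL":
                s["mail_from"] = arg.split(":", 1)[1].strip("<> ")
            elif verb.upper() == "RCPT":
                s["rcpt_to"].append(arg.split(":", 1)[1].strip("<> "))
    return s

def assess(session, local_domains, server_names):
    """Defender-side checks on a parsed session; returns a list of findings."""
    findings = []
    if not session["helo"]:
        findings.append("HELO carried no hostname (typical of a hand-typed session)")
    sender_dom = (session["mail_from"] or "").rpartition("@")[2].lower()
    if sender_dom in local_domains and session["peer"] in server_names:
        findings.append("local-domain sender arrived from the server's own name/NAT address; "
                        "this alone does not separate a local session from a relayed one")
    span = max(session["times"]) - min(session["times"]) if session["times"] else None
    if span is not None and span.total_seconds() < 2:
        findings.append(f"session took {span.total_seconds():.0f}s, faster than interactive typing")
    return findings
```

Run against the sample it reports all three findings; on a real IMC log, feed it one accepted-connection block at a time.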