Educause Security Discussion mailing list archives
Re: Help on Possible Web Mail Attack
From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 16 Jun 2005 08:43:06 -0500
Tim Lane wrote:
> Hi All, I have a query regarding a possible hack on our new Sun Web mail system. Is anyone able to help with a query?
>
> We have just gone live for POP web mail and have noticed one of our test web mail accounts appears to have been compromised or hijacked, by multiple timeouts whereby another IP address was reported as using the session. Is the below log report just reflective of a seemingly innocuous web bot of some type, or perhaps a hacker hiding behind Google range...???
>
> [16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2
>
> The 64.233 address actually resolves back to Google........

Yes, but that is not the interesting address. The "10." address is in private IP space and cannot be routed over the net. So it is unlikely to be a hacker and more likely to be some router or NAT misconfiguration? Have you tcpdumped the session content yet to see what is happening?

G
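
The triage step from the reply above, as an added example that is not part of the original thread: it parses the `ipsecurity` warning quoted in the message and checks whether the client address is in private (RFC 1918) space before treating the mismatch as a remote hijack. The function names, hint strings and the second and third sample lines are constructed for illustration.

```python
import ipaddress
import re

# Message format copied from the warning quoted in the thread.
WARNING = re.compile(
    r"ipsecurity - client (?P<client>\S+) attempted to use session "
    r"(?P<session>\S+) belonging to (?P<owner>\S+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr lies in private (RFC 1918) IPv4 space."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in RFC1918)

def triage(line):
    """Return None for unrelated lines, else the parsed fields plus a hint."""
    m = WARNING.search(line)
    if m is None:
        return None
    result = m.groupdict()
    try:
        client_private = is_rfc1918(result["client"])
    except ValueError:
        result["hint"] = "unparseable-address"
        return result
    # A private client address was not routed across the Internet, so the
    # request reached the server over an internal path (NAT, proxy, router).
    result["hint"] = ("check-nat-or-routing" if client_private
                      else "investigate-remote-client")
    return result

SAMPLE_LINES = [
    # Line quoted in the thread.
    "[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: "
    "ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU "
    "belonging to 64.233.172.2",
    # Constructed lines (documentation address ranges, made-up session id).
    "[16/Jun/2005:10:12:40 +1000] boson httpd[8402]: General Warning: "
    "ipsecurity - client 198.51.100.7 attempted to use session AbCdEfGhIjK "
    "belonging to 192.0.2.10",
    "[16/Jun/2005:10:13:02 +1000] boson httpd[8402]: Notice: login ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```

The hint only sorts warnings by where to look first; the packet capture suggested in the reply is still what shows which path the request actually took.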