Educause Security Discussion mailing list archives

Re: Help on Possible Web Mail Attack


From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 16 Jun 2005 08:43:06 -0500

Tim Lane wrote:

Hi All,

I have a query regarding a possible hack on our new Sun Web mail
system. Is anyone able to help with a query. We have just gone live
for POP web mail and have noticed one of our test web mail accounts
appears to have been compromised or hi-jacked, by multiple timeouts
whereby another IP address was reported as using the session.

Is the below log report just reflective of a seemingly innocuous web
bot of some type, or perhaps a hacker hiding behind Google range...???

[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2

The 64.233 address actually resolves back to Google........


Yes, but that is not the interesting address. The "10." address is in private IP space and cannot be routed over the net. So it is unlikely to be a hacker and more likely to be some router or NAT misconfiguration?

Have you tcpdumped the session content yet to see what is happening?

G
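A small triage helper for warnings of the form quoted in this thread, added here as an example and not part of the original mail: it parses the ipsecurity line, records every address seen per session, and labels a mismatch as "private-client" when the second address falls in RFC 1918 space (the NAT/proxy case the reply points to) versus "public-mismatch", the case worth escalating. The sample log lines (other than the first, which repeats the quoted one), the regex and the function names are my own constructions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log: line 1 is the warning quoted in the thread, line 2 is
# an invented public-to-public mismatch, line 3 is an unrelated message.
SAMPLE_LOG = """\
[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2
[16/Jun/2005:10:12:30 +1000] boson httpd[8402]: General Warning: ipsecurity - client 198.51.100.7 attempted to use session abcDEF123 belonging to 203.0.113.5
[16/Jun/2005:10:13:00 +1000] boson httpd[8402]: General Notice: user login ok
"""

# Hypothetical pattern for the ipsecurity warning; group names are my own.
IPSEC_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \S+ httpd\[\d+\]: General Warning: ipsecurity - "
    r"client (?P<client>\S+) attempted to use session (?P<session>\S+) "
    r"belonging to (?P<owner>\S+)$"
)

# RFC 1918 ranges only (not ipaddress.is_private, which also covers
# documentation and shared-address space and would mislabel the sample).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipsecurity(line):
    """Return the warning's fields as a dict, or None for other lines."""
    m = IPSEC_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Label one mismatch: same-address, private-client or public-mismatch."""
    client = ipaddress.ip_address(event["client"])
    if client == ipaddress.ip_address(event["owner"]):
        return "same-address"
    if any(client in net for net in RFC1918):
        return "private-client"   # unroutable on the Internet: NAT/proxy path
    return "public-mismatch"      # two routable addresses on one session

def summarize(log_text):
    """Map session id -> (sorted addresses seen, label of latest warning)."""
    seen, labels = defaultdict(set), {}
    for line in log_text.splitlines():
        ev = parse_ipsecurity(line)
        if ev is None:
            continue
        seen[ev["session"]].update({ev["client"], ev["owner"]})
        labels[ev["session"]] = classify(ev)
    return {s: (sorted(seen[s]), labels[s]) for s in seen}
```

Sessions labelled "public-mismatch" are the ones to pull packet captures for, as the reply suggests; "private-client" entries point first at the proxy or NAT path in front of the server.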
