Educause Security Discussion mailing list archives

Re: <SPAM> Re: user account compromise?

From: Stephen John Smoogen <smooge () UNM EDU>
Date: Thu, 24 Apr 2008 15:21:09 -0600

Dick Jacobson wrote:

On Thu, 24 Apr 2008, Cal Frye wrote:

We also had one of the where the password was changed but the activity
retuurned.  Our email guru said the person must have maintained a
connection over the period of the password change - so check the
connections also - or the user simply changed their password back to the
original (even though they said they didn't).


What I have seen happen is that the bad-guy will immediately use the
password to get into any university resources and load up 'trojans' and
look for priveledge escalation etc as much as possible. So his laptop,
any central storage/email servers etc where the password can allow him
to execute programs will be tested to make sure they can stay in as long
as possible. Then they will start looking to see who else they can be by
monitoring network traffic etc to grab more passwords and get as many
'zombies' as they can for future bot-activities.

Barros, Jacob wrote:

Ken and all.  That was it.  He did reply to one of those phishing scams.
No more than 12 hours before the SPAM was launched.  Any non-internal
legal advice would be appreciated.


Be careful changing his password -- don't email it to him, as the
spammer may have set up forwarding and might receive a copy of the
notice ;-)

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

  www.calfrye.com,  www.pitalabs.com

"Reality is merely an illusion, albeit a very persistent one. " -
Albert Einstein (1879-1955)



-----------------------------------------------------------------------
Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer    office : IACC 206, NDSU
ND HECN MultiUser Host SysAd    phone  : 701-231-7385
-----------------------------------------------------------------------



--
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-8219  Email: smooge () unm edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"

Current thread:

<SPAM> Re: user account compromise? Stephen John Smoogen (Apr 24)
- <Possible follow-ups>
- <SPAM> Re: user account compromise? Cal Frye (Apr 24)
- Re: <SPAM> Re: user account compromise? Dick Jacobson (Apr 24)
- Re: <SPAM> Re: user account compromise? Stephen John Smoogen (Apr 24)
- <SPAM> RE: user account compromise? Jenkins, Matthew (Apr 24)
- <SPAM> Re: user account compromise? Paul Russell (Apr 24)