Security Incidents mailing list archives

Re: E-Mail relay or break in? (fwd)


From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Wed, 9 Feb 2000 21:01:11 -0800


---------- Forwarded message ----------
Date: Wed, 9 Feb 2000 12:01:37 -0500
From: Seth Georgion <sysadmin () sassproductions com>
To: Ryan Russell <ryan () securityfocus com>
Subject: RE: E-Mail relay or break in?

Congratulations for the correct call. Here is an excerpt from a script someone else left on the web server that someone 
else executed.

#$subject = 'This is a test mail';
#$message = 'This is a test message...did I get it';

It was a simple sockets script for sending E-Mail.

Thanks. It was just someone screwing around and not an actual compromise.

Seth

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Wednesday, February 09, 2000 11:36 AM
To: Seth Georgion
Cc: INCIDENTS () SECURITYFOCUS COM
Subject: Re: E-Mail relay or break in?

On Tue, 8 Feb 2000, Seth Georgion wrote:

Mid-day today, while logged in to my exchange 5.5 server at the console, I received an E-Mail from myself to myself. 
Technically it was a "Just Testing" kind of message from my Administrator account to my SysAdmin account. Of course I 
never sent it and after further investigation I discovered that the E-Mail was most certainly sent by telnet and then 
subsequently, about a minute later, received by my copy of Outlook 2000. Before anyone gives me anything about "Did I 
read my logs?" The answer is yes and they indicate that the connection originated to and from my machine. Let me 
preface the main question with the statement that this server has been up for 30 hours and due to other crises around 
here has not had mail-relaying disabled yet. My first assumption was that someone was mail-relaying me and just 
forging the info but because I have a near paranoid interest in logging Exchange stuff I was surprised to see that it 
went beyond a simple forged E-Mail. My question is simply "Is this someone creating a telnet session and forging an 
E-Mail and tricking out Exchange or is this someone who has compromised my server and is now trying to gain control 
of some E-Mail?"


The log makes it look not hand-typed.  Do you have any sort of script
someone might have hit to generate such a mail?  For example, some sort of
CGI mail script someone is poking at for holes?  Since the machine is
named GATE, does it also have an external interface with a routable
address?

                                        Ryan
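As an added illustration of the exchange discussed in this thread (this is example code written for this archive page, not the script Seth found on his web server, whose language the thread does not show), the block below is a raw-socket SMTP client of the same kind, talking to a toy in-process SMTP server. The server can be run as an open relay or with relaying restricted to a local domain. The hostnames, the local domain sassproductions.com, the mailbox names, and the message text are assumptions for the demonstration; the server replies are the standard SMTP codes (220, 250, 354, 550, 221). The point it makes is the one Ryan's call implies: a one-line script is enough to inject mail that appears to come from a local account, the server log will show a connection from wherever the script ran, and turning off relaying stops third parties using the server to reach outside domains but does nothing about forged mail addressed to a local mailbox.

```python
"""Socket-level SMTP forgery against a toy server: open relay vs restricted relay.
Added example for the mailing-list thread; not code from the thread itself."""
import socket
import threading

# Assumed local domain for the toy server (hypothetical, for the demo only).
LOCAL_DOMAINS = {"sassproductions.com"}


def run_toy_smtp_server(listener, allow_relay, transcript):
    """Serve one SMTP session. Records every line, prefixed S:/C:, in transcript.
    With allow_relay=False, RCPT TO for a non-local domain is refused with 550,
    which is what 'disabling mail-relaying' means on a real server."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb")

    def send(line):
        transcript.append("S: " + line)
        f.write((line + "\r\n").encode())
        f.flush()

    send("220 gate.example ESMTP toy server")
    in_data = False
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode().rstrip("\r\n")
        transcript.append("C: " + line)
        if in_data:                      # message body until a lone "."
            if line == ".":
                in_data = False
                send("250 Queued")
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            send("250 gate.example")
        elif verb == "MAIL":
            send("250 OK")               # sender is never verified by SMTP
        elif verb == "RCPT":
            domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
            if allow_relay or domain in LOCAL_DOMAINS:
                send("250 OK")
            else:
                send("550 Relaying denied")
        elif verb == "DATA":
            send("354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        elif verb == "QUIT":
            send("221 Bye")
            break
        else:
            send("500 Command unrecognised")
    conn.close()


def send_forged_mail(host, port, mail_from, rcpt_to, subject, body):
    """Minimal socket client, the kind of thing a 'test mail' script does.
    Returns the list of reply codes so the caller can see whether RCPT was
    accepted (250) or refused (550)."""
    codes = []
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rwb")

        def cmd(line):
            if line is not None:
                f.write((line + "\r\n").encode())
                f.flush()
            reply = f.readline().decode().rstrip("\r\n")
            codes.append(int(reply[:3]))
            return codes[-1]

        cmd(None)                        # read the 220 banner
        cmd("HELO attacker.example")     # assumed client hostname
        cmd(f"MAIL FROM:<{mail_from}>")
        if cmd(f"RCPT TO:<{rcpt_to}>") != 250:
            cmd("QUIT")
            return codes
        cmd("DATA")
        msg = f"From: {mail_from}\r\nTo: {rcpt_to}\r\nSubject: {subject}\r\n\r\n{body}"
        cmd(msg + "\r\n.")               # body terminated by CRLF.CRLF
        cmd("QUIT")
    return codes


def demo(allow_relay, rcpt_to):
    """Run one forged submission against the toy server; return (codes, transcript)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    transcript = []
    t = threading.Thread(target=run_toy_smtp_server, args=(listener, allow_relay, transcript))
    t.start()
    codes = send_forged_mail("127.0.0.1", port, "Administrator@sassproductions.com",
                             rcpt_to, "Just Testing",
                             "This is a test message...did I get it")
    t.join()
    listener.close()
    return codes, transcript


if __name__ == "__main__":
    for relay, rcpt in [(True, "victim@elsewhere.example"),
                        (False, "victim@elsewhere.example"),
                        (False, "sysadmin@sassproductions.com")]:
        codes, log = demo(relay, rcpt)
        print(f"allow_relay={relay} rcpt={rcpt} -> {codes}")
        print("\n".join(log), end="\n\n")
```

The third run is the case from the thread: with relaying already disabled, the forged Administrator-to-SysAdmin message is still accepted, because both addresses are local. Whether a submission was hand-typed or scripted is not visible in the reply codes; it shows up, as Ryan noted, in the timing and exact formatting of the client lines in the server log.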

