[unisog] Help on Possible Web Mail Attack

Tim Lane tlane at scu.edu.au
Thu Jun 16 06:40:50 GMT 2005


Hi All,

I have a query regarding a possible hack on our new Sun Web mail system. Is 
anyone able to help with a query? We have just gone live for POP web mail 
and have noticed one of our test web mail accounts appears to have been 
compromised or hijacked, by multiple timeouts whereby another IP address 
was reported as using the session.

Is the below log report just reflective of a seemingly innocuous web bot of 
some type, or perhaps a hacker hiding behind a Google range...???

[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity
- client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to
64.233.172.2

The 64.233 address actually resolves back to Google........

We are running Sun Java Enterprise System 2.0 with UWC multiplexes deployed 
at the front of the firewall talking back to the email back end behind the 
firewall.
Our main questions are:

Any other ideas, hints, suggestions or fixes etc etc would be very appreciated.

Thanks,

Tim Lane
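
[Added example, not part of the original post and not Sun's code: a Python triage sketch that parses "ipsecurity" warnings in the layout of the log entry quoted above and groups them by session, noting whether the session owner and the client sit on opposite sides of the RFC 1918 boundary. The second and third sample entries, the names in the code, and the choice of RFC 1918 as "internal" are assumptions.]

```python
import ipaddress
import re
from collections import defaultdict

# Entry layout copied from the single log entry quoted in the post.
ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] (?P<host>\S+) httpd\[\d+\]: General Warning: "
    r"ipsecurity - client (?P<client>\S+) attempted to use session "
    r"(?P<session>\S+) belonging to (?P<owner>\S+)")
# Assumption: RFC 1918 space is what this site counts as "internal".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scope(ip):
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL) else "external"

def parse(log_text):
    # Collapse whitespace first: entries pasted into mail arrive line-wrapped.
    flat = " ".join(log_text.split())
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def summarise(entries):
    grouped = defaultdict(lambda: {"owner": None, "clients": set(), "hits": 0})
    for e in entries:
        g = grouped[e["session"]]
        g["owner"] = e["owner"]
        g["clients"].add(e["client"])
        g["hits"] += 1
    report = {}
    for sid, g in grouped.items():
        scopes = {scope(g["owner"])} | {scope(c) for c in g["clients"]}
        # True when one session id was seen from both an internal and an
        # external address: check which path (proxy, NAT, direct) each took.
        report[sid] = {"owner": g["owner"], "clients": sorted(g["clients"]),
                       "hits": g["hits"], "crosses_boundary": len(scopes) > 1}
    return report

# First entry is the one from the post (wrapped as posted); the other two
# are constructed for illustration.
SAMPLE = """\
[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity
- client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to
64.233.172.2
[16/Jun/2005:10:14:37 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2
[16/Jun/2005:10:20:02 +1000] boson httpd[8402]: General Warning: ipsecurity - client 198.51.100.7 attempted to use session EXAMPLEsess2 belonging to 203.0.113.5
"""

if __name__ == "__main__":
    for sid, row in summarise(parse(SAMPLE)).items():
        print(sid, row)
```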