[unisog] Help on Possible Web Mail Attack

Frank Sweetser fs at WPI.EDU
Thu Jun 16 13:03:11 GMT 2005


On Thu, Jun 16, 2005 at 04:40:50PM +1000, Tim Lane wrote:
> Hi All,
> 
> I have a query regarding a possible hack on our new Sun Web mail system. Is 
> anyone able to help with a query? We have just gone live for POP web mail 
> and have noticed one of our test web mail accounts appears to have been 
> compromised or hijacked, by multiple timeouts whereby another IP address 
> was reported as using the session.
> 
> Is the below log report just reflective of a seemingly innocuous web bot of 
> some type, or perhaps a hacker hiding behind Google range...???
> 
> [16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity
> - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to
> 64.233.172.2
> 
> The 64.233 address actually resolves back to Google........

Perhaps the user in question is using Google Web Accelerator?

http://webaccelerator.google.com/

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
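
Added example, not part of either message in this thread: a triage sketch that groups `ipsecurity` warnings of the kind quoted above by session ID and labels which side of the perimeter the client and the session owner are on. It assumes 10.0.0.0/8 is the internal range; the function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: internal clients sit in 10.0.0.0/8 (the thread's client is 10.133.25.9).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Line 1 is the warning quoted in the thread (unwrapped); the rest are constructed.
SAMPLE_LOG = """\
[16/Jun/2005:10:11:01 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2
[16/Jun/2005:10:12:40 +1000] boson httpd[8402]: General Warning: ipsecurity - client 10.133.25.9 attempted to use session 6FmTS7qLDiU belonging to 64.233.172.2
[16/Jun/2005:10:15:02 +1000] boson httpd[8410]: General Warning: ipsecurity - client 198.51.100.7 attempted to use session Zq3ExampleA belonging to 10.133.40.12
[16/Jun/2005:10:15:09 +1000] boson httpd[8410]: General Notice: login user=test
"""

WARNING_RE = re.compile(
    r"General Warning: ipsecurity\s+- client (?P<client>\S+) attempted to use "
    r"session (?P<sid>\S+) belonging to (?P<owner>\S+)"
)

def is_internal(addr):
    """True if addr falls in one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def direction(client, owner):
    """Label which side of the perimeter the client and the session owner are on."""
    side = lambda a: "internal" if is_internal(a) else "external"
    return f"{side(client)}-client/{side(owner)}-owner"

def summarize(log_text):
    """Group ipsecurity warnings by session id; skip lines that do not parse."""
    sessions = defaultdict(
        lambda: {"count": 0, "clients": set(), "owners": set(), "directions": set()})
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        try:
            label = direction(m["client"], m["owner"])
        except ValueError:
            continue  # address field was not a valid IP
        s = sessions[m["sid"]]
        s["count"] += 1
        s["clients"].add(m["client"])
        s["owners"].add(m["owner"])
        s["directions"].add(label)
    return {sid: {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()}
            for sid, s in sessions.items()}
```

A session whose warnings are all `internal-client/external-owner` with a single owner address matches the pattern in the quoted log line, where the session was created from the outside address and then used directly by the inside client.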

