Re: [suse-security] fw.suse.com compromised?
From: Chris Donaldson (serlin engsoc.org)
Date: Sat Nov 01 2003 - 15:04:37 CST
Ken Schneider wrote:
>-----Original Message-----
>From: Kastus <NOSPAM tprfct.net>
>To: suse-security suse.com
>Date: Sat, 1 Nov 2003 01:06:37 -0800
>Subject: Re: [suse-security] fw.suse.com compromised?
>
>
>
>>On Sat, Nov 01, 2003 at 03:53:01AM -0500, Chris Donaldson wrote:
>>
>>>Kastus wrote:
>>>
>>>>Hello,
>>>>
>>>>I just received a james virus message originated at fw.suse.com
>>>>(209.3.226.225)
>>>>I checked both mail log and firewall log, connection was from
>>>>209.3.226.225
>>>>
>>>>Did anybody else receive that? Does it mean that fw.suse.com was
>>>>compromised?
>>>>
>>>Generally that just means someone just spoofed the from header on the
>>>email and not compromised anything... It's a pretty simple process and
>>>spammers have a habit of doing it fairly regularly.
>>>
>>Spoofing the header is one thing, but spoofing source IP address in
>>TCP connection is a different thing. Please read my post again.
>>
>>In my case, the TCP connection to port 25 was coming from 209.3.226.225,
>>which resolves to fw.suse.com.
>>
>>This fact raised my suspicions. It means either that DNS is compromised,
>>or fw.suse.com host is compromised.
>>
>>Thanks, -Kastus
>>
Ahhh sorry I misread... Or rather was overtired and didn't read. In
either case that is definitely bizarre.
--
Chris
>I have to agree with Kastus. I also received one of these and it went to
>my home address which is given out very little. One case of it being used
>was for the purchase of the 9.0 upgrade. Seems rather strange that the
>fw.suse.com site comes up in the email AND names of suse users or purchasers.
>
>Ken Schneider
>
>
>
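The distinction Kastus draws between a forged From header and the peer address of the SMTP connection, as an added example that is not part of the original thread. The sample message, host names and the `trusted_peer` helper are constructed for illustration, and the Received layout assumed is the Postfix-style `from HELO (rdns [ip]) by host`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not taken from the thread: documentation-range
# addresses and .example names. Received lines are prepended, newest first.
SAMPLE = """\
Received: from mail.sender.example (fw.sender.example [192.0.2.25])
\tby mx.home.example (Postfix) with ESMTP id 4F2A1
\tfor <me@home.example>; Sat, 1 Nov 2003 01:00:12 -0800
Received: from bank.example (bank.example [198.51.100.7])
\tby mail.sender.example with SMTP; Sat, 1 Nov 2003 00:59:58 -0800
From: "Support" <support@bank.example>
To: me@home.example
Subject: constructed test message

body
"""

# Assumed layout: "from HELO (rdns [ip]) by host". The HELO name is supplied
# by the client; rdns and ip are written by the host named after "by".
HOP = re.compile(
    r"from\s+(\S+)\s+\((\S+)\s+\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trusted_peer(raw, my_mta):
    """Return what our own MTA recorded about the connecting host, or None."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    m = HOP.search(received[0]) if received else None
    # Only the newest hop, stamped by our own server, reflects a TCP session
    # we actually took part in. Everything else is sender-controlled text.
    if not m or m.group(4).lower() != my_mta.lower():
        return None
    helo, rdns, ip, _ = m.groups()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = rdns.lower()
    return {
        "peer_ip": ip,
        "peer_rdns": rdns,
        "helo": helo,
        "from_domain": from_domain,
        "from_matches_peer": rdns == from_domain
                             or rdns.endswith("." + from_domain),
        "unverified_hops": len(received) - 1,
    }

if __name__ == "__main__":
    print(trusted_peer(SAMPLE, "mx.home.example"))
```

The PTR name in `peer_rdns` is set by whoever controls the reverse zone for the address, so it is evidence about DNS, while `peer_ip` is evidence about the connection itself.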