Mukund Deshmukh saw fit to inform LI that: 

>Oh! Not again.

again in fact.

>I did some research on this. Here are my observations.
>1. The spammer is using two Indian and two Korean servers for sending the
>mail. Out of 4 servers, 3 servers are (I did not check the iimb.ernet) in
>very bad shape. And very easy to hack an account on them. All of them

_all_ the servers involved are in bad shape.  IIMB's webserver has been
relayed through - and it is an SGI box, which (all apologies to Raju)
should not be used as a production server, it has too many security holes
for that.  As a workstation it is fantastic though.

>have a number of open ports for which exploits have been posted on the net.
>2. The finger log of one of the Korean servers was quite confusing and lots
>of users with login name as a simple number were found.

Actually, our friend here seems to have gained some access to the Korean
server (even root, perhaps) and is telnetting there, and from there, to
port 25 of the open relay servers (iimb and aiims).

>3. All the servers have Netscape administrative server running which is
>another source of account hacking.

Netscape's Messaging Server and Web Server are actually very good
products.  Only, these guys are running outdated and misconfigured
versions of the software.

Even the Netscape docs for this are slightly broken - the best howto I
have seen is at http://www.tsc.com/~bobp (by Bob Poortinga, Technology
Service Consultants).

>3. IMHO the spammer has hacked both the Korean servers and now has an account on
>them. He is sending mail by logging in to these servers and using smtp of Indian
>server.

Correct.

>4. One long shot is that he might have taken a dry run of his activity in the past
>to test his route. It will be worth checking the mail of one month or so for
>the occurrence of IP addresses which have appeared in these mails.

If the server admins are sensible enough to maintain logs, and have
configured their servers properly to allow logging, that is.

-- 
Suresh Ramasubramanian + [EMAIL PROTECTED]
Census Taker to Housewife: Did you ever have the measles, and, if so,
how many?

-----------------------------------------------------------------------
The LIH mailing list archives are available at:
http://lists.linux-india.org/cgi-bin/wilma/linux-india-help
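
The log check suggested in point 4 of the quoted message, as an added example that is not part of the original thread: collect the bracketed IPs from the spam's Received: headers, then look for the same IPs in the relay's mail log during the 30 days before the spam run. The headers, log lines, addresses and dates are constructed, and a sendmail-style syslog line format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # e.g. [203.0.113.7]

# Constructed sample data (documentation address ranges, made-up dates).
SPAM_TIME = datetime(2000, 3, 20, 9, 0, 0)
SPAM_HEADERS = """Received: from relay.example.org (relay.example.org [192.0.2.25])
\tby mx.example.net with SMTP; Mon, 20 Mar 2000 09:00:00 +0530
Received: from unknown (HELO x) ([203.0.113.7])
\tby relay.example.org with SMTP
Subject: constructed sample
"""
LOG = [  # assumed format: syslog timestamp, then relay=[ip]
    "Jan  2 01:00:00 mail sendmail[100]: BAA00100: from=<t@example.com>, relay=[203.0.113.7]",
    "Feb 27 03:11:02 mail sendmail[411]: DAA00411: from=<t@example.com>, relay=[203.0.113.7]",
    "Mar  5 03:14:40 mail sendmail[502]: DAA00502: from=<t@example.com>, relay=[203.0.113.7]",
    "Mar 10 11:00:00 mail sendmail[600]: LAA00600: from=<u@example.com>, relay=[198.51.100.9]",
]

def received_ips(raw_headers):
    """Bracketed IPs from every Received: header, folded lines included."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return {ip for line in unfolded.splitlines()
            if line.lower().startswith("received:")
            for ip in IP_RE.findall(line)}

def earlier_sightings(log_lines, ips, spam_time, days=30):
    """Map ip -> sorted log timestamps in the `days` before spam_time."""
    start = spam_time - timedelta(days=days)
    hits = defaultdict(list)
    for line in log_lines:
        try:
            ts = datetime.strptime(f"{spam_time.year} {line[:15]}",
                                   "%Y %b %d %H:%M:%S")
            if ts > spam_time:  # syslog omits the year: must be last year
                ts = ts.replace(year=ts.year - 1)
        except ValueError:
            continue  # not a syslog line, or an impossible date
        if start <= ts < spam_time:
            for ip in IP_RE.findall(line):
                if ip in ips:
                    hits[ip].append(ts)
    return {ip: sorted(seen) for ip, seen in hits.items()}

if __name__ == "__main__":
    found = earlier_sightings(LOG, received_ips(SPAM_HEADERS), SPAM_TIME)
    for ip, seen in found.items():
        print(ip, [t.isoformat() for t in seen])
```

Sightings that predate the spam run by days or weeks, especially small messages at odd hours, are the candidates for the dry run described in the thread.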
