RE: [suse-security] I think i got "hacked" (german)

-----Ursprüngliche Nachricht----- Von: Daniel Schulz [i-smo] [mailto:daniel@i-smo.de] Gesendet: Montag, 26. August 2002 11:02 An: 'Mario Ohnewald'; 'suse-security@suse.com' Betreff: AW: [suse-security] I think i got "hacked" (german) Hi, from your description I get that one of your Linux boxes is a router. I dont think that a possible attacker got into the W2k Box of your sister. And a professional would not spend much time into "hacking" your sisters box. In my opinion, its whether someone who knows your sister and wants to joke on her, or he probably guessed the password of her Webmail account. Best regards, Daniel Schulz -----Ursprüngliche Nachricht----- Von: Mario Ohnewald [mailto:mario.ohnewald@gmx.de] Gesendet: Montag, 26. August 2002 10:46 An: suse-security@suse.com Betreff: [suse-security] I think i got "hacked" (german) Hi! As i came back from my holiday my sister showed me this email she got: < START > Received: from [172.20.1.104] (helo=mailgate6.cinetic.de) by mx06.web.de with esmtp (WEB.DE(Exim) 4.75 #2) id 17hHVy-0004sp-01 for grundwasser16@web.de; Wed, 21 Aug 2002 00:30:18 +0200 Received: from hotmail.com (f176.law11.hotmail.com [64.4.17.176]) by mailgate6.cinetic.de (8.11.2/8.11.2/WEBDE Linux 8.11.0-0.2) with ESMTP id g7KLA2w06138 for ; Tue, 20 Aug 2002 23:10:02 +0200 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 20 Aug 2002 14:09:58 -0700 Received: from 217.233.67.236 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 20 Aug 2002 21:09:58 GMT X-Originating-IP: [217.233.67.236] From: "R K" To: grundwasser16@web.de Subject: Hallo Sissy... !!!! Date: Tue, 20 Aug 2002 23:09:58 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Message-ID: X-OriginalArrivalTime: 20 Aug 2002 21:09:58.0686 (UTC) FILETIME=[F0C583E0:01C2488D] Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by mailgate6.cinetic.de id g7KLA2w06138 Na, wie geht´s dem Freund??? Na ja, egal, mit 17 ist ja noch alles offen, und vielleicht findet sich beim chatten ja was richtiges. Oder ist bei Euch in Lorch nix los?? Kann ja mal anrufen bei Dir: 071xx/9155xx Was machst Du so, wenn du mal nicht im Internet surfst und deine Spuren hinterlässt??? Wie sieht´s mit der Mittleren Reife aus? Alles gut überstanden?? Na ja, wer immer "Wer wird Millionär" schaut, kann ja gar nicht schlecht sein... grins... Du solltest Dich mal ERNSTHAFT mit Mario unterhalten, schliesslich sollte er ja "vom Fach" sein... Vielleicht weiss er ja, WOHER ICH ALL DEINE DATEN HABE, OBWOHL ICH HUNDERTE KM ENTFERNT BIN!!!!!! THINK SAFE!!! KEEP YOUR PC SAFE!!!! Greetzzzz vom HACKerKinG PS ich habe weder mit dir jemals gechatted noch kenne ich dich in irgendeiner form ... UND TROZDEM IST NICHTS FIKTIV! Bedenke BIG BROTHER IS WATCHING YOU!! Ask for more!!!!! ... and youll get the answer _________________________________________________________________ Mit MSN Fotos können Sie kinderleicht Ihre Fotos ausdrucken und Freunden zur Verfügung stellen: http://photos.msn.de http://photos.msn.de> < STOP > I am running 2 PCs, SuSE7.3 (PDC, Web, Mail, edonkey, ircd. Not updated for 23days) and SuSE7.2 (SuSEfirewall2. not updated for 13days). I could not find anything interesing in my logfiles. Seems like he never touched my server, but if he really got in i would not find the tracks anyway, her will have removed them. But i doubt that he is a professional. His name does look like a script kiddy, his mailaddress at hotmail is a sign for a scriptkiddy, too. Not logs from a network scanner, nothing. I hope that he just got in contact with the w2k client, not with my servers. The w2k SP2 workstation where my sister works on was not infected by a trojan (Scanned by norton anti virus 2002). What do i do next, how can i dected my security hole? I want to find the hole, before i install my Servers again. Any tip, hint, would be great! Thanks! Mario Ohnewald p.s. I hope i have told you everything you have to know. -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here