-----Original Message-----
From: Daniel Schulz [i-smo] [mailto:daniel@i-smo.de]
Sent: Monday, 26 August 2002 11:02
To: 'Mario Ohnewald'; 'suse-security@suse.com'
Subject: RE: [suse-security] I think i got "hacked" (german)
Hi,
From your description I gather that one of your Linux boxes is a router. I
don't think that a possible attacker got into the W2k box of your sister.
And a professional would not spend much time on "hacking" your sister's
box.
In my opinion, it's either someone who knows your sister and wants to
play a joke on her, or he probably guessed the password of her webmail account.
Best regards,
Daniel Schulz
-----Original Message-----
From: Mario Ohnewald [mailto:mario.ohnewald@gmx.de]
Sent: Monday, 26 August 2002 10:46
To: suse-security@suse.com
Subject: [suse-security] I think i got "hacked" (german)
Hi!
As I came back from my holiday, my sister showed me this email she got:
< START >
Received: from [172.20.1.104] (helo=mailgate6.cinetic.de) by mx06.web.de with esmtp (WEB.DE(Exim) 4.75 #2) id 17hHVy-0004sp-01 for grundwasser16@web.de; Wed, 21 Aug 2002 00:30:18 +0200
Received: from hotmail.com (f176.law11.hotmail.com [64.4.17.176]) by mailgate6.cinetic.de (8.11.2/8.11.2/WEBDE Linux 8.11.0-0.2) with ESMTP id g7KLA2w06138 for ; Tue, 20 Aug 2002 23:10:02 +0200
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 20 Aug 2002 14:09:58 -0700
Received: from 217.233.67.236 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 20 Aug 2002 21:09:58 GMT
X-Originating-IP: [217.233.67.236]
From: "R K"
To: grundwasser16@web.de
Subject: Hello Sissy... !!!!
Date: Tue, 20 Aug 2002 23:09:58 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID:
X-OriginalArrivalTime: 20 Aug 2002 21:09:58.0686 (UTC) FILETIME=[F0C583E0:01C2488D]
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by mailgate6.cinetic.de id g7KLA2w06138
Well, how's the boyfriend???
Oh well, never mind, at 17 everything is still open, and maybe you'll find
the right one while chatting.
Or is nothing going on where you are in Lorch?? I could give you a call:
071xx/9155xx
What do you do when you're not surfing the Internet and leaving your
tracks behind???
How did the Mittlere Reife go? Got through it all right??
Well, anyone who always watches "Wer wird Millionär" can't be that bad...
grin...
You should have a SERIOUS talk with Mario, after all he is supposed to be
"in the trade"...
Maybe he knows WHERE I GOT ALL YOUR DATA FROM, EVEN THOUGH I AM HUNDREDS
OF KM AWAY!!!!!!
THINK SAFE!!!
KEEP YOUR PC SAFE!!!!
Greetzzzz from the HACKerKinG
PS I have never chatted with you, nor do I know you in any way ... AND
STILL NOTHING IS FICTIONAL!
Remember: BIG BROTHER IS WATCHING YOU!!
Ask for more!!!!!
... and you'll get the answer
_________________________________________________________________
With MSN Photos you can easily print your photos and share them with
friends: http://photos.msn.de
< STOP >
I am running 2 PCs, SuSE 7.3 (PDC, web, mail, edonkey, ircd; not updated
for 23 days) and SuSE 7.2 (SuSEfirewall2; not updated for 13 days).
I could not find anything interesting in my log files. It seems like he
never touched my server, but if he really got in I would not find the
tracks anyway; he will have removed them.
But I doubt that he is a professional. His name does look like a script
kiddie's, and his mail address at hotmail is a sign of a script kiddie, too.
No logs from a network scanner, nothing. I hope that he just got in
contact with the W2k client, not with my servers.
The W2k SP2 workstation my sister works on was not infected by a
trojan (scanned by Norton AntiVirus 2002).
What do I do next? How can I detect my security hole?
I want to find the hole before I reinstall my servers.
Any tip or hint would be great!
Thanks!
Mario Ohnewald
P.S. I hope I have told you everything you need to know.
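The Received: chain quoted above is the one piece of evidence in this thread, and the way to read it is to walk it from the bottom (the first relay) to the top (the final delivery) and look at the lowest hop. The following Python script is an added example written for this page, not code posted by either participant: it re-folds a copy of the quoted headers into RFC 2822 form (constructed here; the mail body and the stripped "for <recipient>" clause are not reproduced), parses each hop, reports the originating IP, flags whether the origin hop was an HTTP webmail submission rather than an SMTP connection, checks that the hop timestamps do not run backwards (forged chains often do), and tests whether any hop names one of your own hosts. The host names passed to hops_touching in the usage section are hypothetical placeholders; substitute your own.

```python
"""Walk the Received: chain of an e-mail back to its origin.

Added example; the header block below is a constructed copy of the headers
quoted in the thread, re-folded into proper header lines.
"""
import email
import re
from email.utils import parsedate_to_datetime

RAW_HEADERS = (
    "Received: from [172.20.1.104] (helo=mailgate6.cinetic.de) by mx06.web.de\n"
    "\twith esmtp (WEB.DE(Exim) 4.75 #2) id 17hHVy-0004sp-01 for\n"
    "\tgrundwasser16@web.de; Wed, 21 Aug 2002 00:30:18 +0200\n"
    "Received: from hotmail.com (f176.law11.hotmail.com [64.4.17.176]) by\n"
    "\tmailgate6.cinetic.de (8.11.2/8.11.2/WEBDE Linux 8.11.0-0.2) with ESMTP\n"
    "\tid g7KLA2w06138; Tue, 20 Aug 2002 23:10:02 +0200\n"
    "Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;\n"
    "\tTue, 20 Aug 2002 14:09:58 -0700\n"
    "Received: from 217.233.67.236 by lw11fd.law11.hotmail.msn.com with HTTP;\n"
    "\tTue, 20 Aug 2002 21:09:58 GMT\n"
    "X-Originating-IP: [217.233.67.236]\n"
    "From: \"R K\"\n"
    "\n"
)

# "from <sender> by <receiver> ... with <protocol>"; the with-clause is optional
# and may be separated from the receiver by a version comment in parentheses.
RECEIVED_RE = re.compile(
    r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)(?:.*?\swith\s+(?P<with>\S+))?", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return the Received: hops in transit order (origin first).

    Each hop is a dict with the claimed sender ('from'), the receiving host
    ('by'), the protocol ('with'), IP literals found in the from-clause, and
    the hop timestamp as a timezone-aware datetime.
    """
    msg = email.message_from_string(raw)
    hops = []
    # Every relay prepends its own line, so the first Received: is the last hop.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()
        clauses, _, date = flat.rpartition(";")   # timestamp follows the last ';'
        m = RECEIVED_RE.search(clauses)
        if not m:
            continue
        hops.append({
            "from": m.group("frm"),
            "by": m.group("by"),
            "with": (m.group("with") or "").upper(),
            "ips": IP_RE.findall(m.group("frm")),
            "time": parsedate_to_datetime(date.strip()),
        })
    return hops


def originating_ip(raw):
    """Prefer the provider's X-Originating-IP, else the IP of the first hop."""
    msg = email.message_from_string(raw)
    found = IP_RE.findall(msg.get("X-Originating-IP", ""))
    if found:
        return found[0]
    hops = parse_hops(raw)
    return hops[0]["ips"][0] if hops and hops[0]["ips"] else None


def submitted_via_webmail(hops):
    """True if the origin hop was an HTTP (webmail) submission, not SMTP."""
    return bool(hops) and hops[0]["with"] == "HTTP"


def timeline_is_consistent(hops):
    """Real chains are non-decreasing in time; forged ones often are not."""
    times = [h["time"] for h in hops]
    return all(a <= b for a, b in zip(times, times[1:]))


def hops_touching(hops, my_hosts):
    """Hops whose from/by clause names one of your own hosts or IPs."""
    my = [h.lower() for h in my_hosts]
    return [h for h in hops
            if any(x in (h["from"] + " " + h["by"]).lower() for x in my)]


if __name__ == "__main__":
    hops = parse_hops(RAW_HEADERS)
    for h in hops:
        print(f"{h['time'].isoformat()}  {h['from']} -> {h['by']} [{h['with']}]")
    print("origin:", originating_ip(RAW_HEADERS))
    print("webmail submission:", submitted_via_webmail(hops))
    print("timeline consistent:", timeline_is_consistent(hops))
    # Hypothetical names for your own boxes; replace with the real ones.
    print("hops through my hosts:",
          hops_touching(hops, ["mario.example.org", "192.0.2.1"]))
```

On the quoted headers this yields four hops, an origin of 217.233.67.236 submitted over HTTP to Hotmail's web interface, and a consistent timeline; none of the hops names the poster's own machines, which is what one would expect if the mail was simply typed into a webmail form elsewhere.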
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here