fw.suse.com compromised? - openSUSE Security - openSUSE Mailing Lists

newer
Problem with IPSec and...

fw.suse.com compromised?

older
Using CryptoAPI

Kastus

1 Nov 2003 1 Nov '03

08:09

Hello, I just received a james virus message originated at fw.suse.com (209.3.226.225) I checked both mail log and firewall log, connection was from 209.3.226.225 Did anybody else receive that? Does it mean that fw.suse.com was compromised? Thanks, -Kastus

Reply

Sign in to reply online Use email software

Show replies by date

Chris Donaldson

1 Nov 1 Nov

08:53

New subject: [suse-security] fw.suse.com compromised?

Kastus wrote:

Hello,

I just received a james virus message originated at fw.suse.com (209.3.226.225) I checked both mail log and firewall log, connection was from 209.3.226.225

Did anybody else receive that? Does it mean that fw.suse.com was compromised?

Thanks, -Kastus

Generally that just means someone just spoofed the from header on the email and not comprimised anything... It's a pretty simple process and spammers have a habit of doing it fairly regularly. -- Chris

Reply

Sign in to reply online Use email software

Kastus

09:06

New subject: [suse-security] fw.suse.com compromised?

On Sat, Nov 01, 2003 at 03:53:01AM -0500, Chris Donaldson wrote:

Kastus wrote:

...
Hello,

I just received a james virus message originated at fw.suse.com (209.3.226.225) I checked both mail log and firewall log, connection was from 209.3.226.225

Did anybody else receive that? Does it mean that fw.suse.com was compromised?

Generally that just means someone just spoofed the from header on the email and not comprimised anything... It's a pretty simple process and spammers have a habit of doing it fairly regularly.

Spoofing the header is one thing, but spoofing source IP address in TCP connection is a different thing. Please read my post again. In my case, the TCP connection to port 25 was coming from 209.3.226.225, which resolves to fw.suse.com. This fact raised my suspicions. It means either that DNS is compromised, or fw.suse.com host is compromised. Thanks, -Kastus

Reply

Sign in to reply online Use email software

John Andersen

09:09

New subject: [suse-security] fw.suse.com compromised?

On Saturday 01 November 2003 00:06, Kastus wrote:

This fact raised my suspicions. It means either that DNS is compromised, or fw.suse.com host is compromised.

Or fw.suse.com is a firewall behind which there is an infected windows machine. What ho! A windows machine at SuSE!?!? Say it ain't so SuSE Folks!! -- _____________________________________ John Andersen

Reply

Sign in to reply online Use email software

Roman Drahtmueller

14:25

New subject: [suse-security] fw.suse.com compromised?

...
This fact raised my suspicions. It means either that DNS is compromised, or fw.suse.com host is compromised.

Or fw.suse.com is a firewall behind which there is an infected windows machine. What ho! A windows machine at SuSE!?!? Say it ain't so SuSE Folks!!

fw.suse.com is the Oakland subsidiary. This is of course possible - there are not only cracks working at SUSE. We'll have a look at it. Thanks, Roman. -- - - | Roman Drahtmüller // Nail here | SUSE Linux AG - Security Phone: // for a new | Nürnberg, Germany +49-911-740530 // monitor! --> [x] | - -

Reply

Sign in to reply online Use email software

Arjen Runsink

17:23

New subject: [suse-security] fw.suse.com compromised?

This is of course possible - there are not only cracks working at SUSE. We'll have a look at it.

"Sell what you use, use what you sell" Anyway, if you want to test interoperability between a server and heterogeneous workstations, well, you need to test some of the niche-players too.

Reply

Sign in to reply online Use email software

Ken Schneider

11:52

New subject: [suse-security] fw.suse.com compromised?

-----Original Message----- From: Kastus To: suse-security@suse.com Date: Sat, 1 Nov 2003 01:06:37 -0800 Subject: Re: [suse-security] fw.suse.com compromised?

On Sat, Nov 01, 2003 at 03:53:01AM -0500, Chris Donaldson wrote:

...
Kastus wrote:

...
Hello,

I just received a james virus message originated at fw.suse.com (209.3.226.225) I checked both mail log and firewall log, connection was from 209.3.226.225

Did anybody else receive that? Does it mean that fw.suse.com was compromised?

Generally that just means someone just spoofed the from header on the email and not comprimised anything... It's a pretty simple process and spammers have a habit of doing it fairly regularly.

Spoofing the header is one thing, but spoofing source IP address in TCP connection is a different thing. Please read my post again.

In my case, the TCP connection to port 25 was coming from 209.3.226.225, which resolves to fw.suse.com.

This fact raised my suspicions. It means either that DNS is compromised, or fw.suse.com host is compromised.

Thanks, -Kastus

I have to agree with Kastus. I also received one of these and it went ot my home address which is given out very little. One case of it being used was for the purchase of the 9.0 upgrade. Seems rather strange that the fw.suse.com site comes up in the email AND names of suse users or purchasers. Ken Schneider

Reply

Sign in to reply online Use email software

Chris Donaldson

21:04

New subject: [suse-security] fw.suse.com compromised?

Ken Schneider wrote:

-----Original Message----- From: Kastus To: suse-security@suse.com Date: Sat, 1 Nov 2003 01:06:37 -0800 Subject: Re: [suse-security] fw.suse.com compromised?

...
On Sat, Nov 01, 2003 at 03:53:01AM -0500, Chris Donaldson wrote:

...
Kastus wrote:

...
Hello,

I just received a james virus message originated at fw.suse.com (209.3.226.225) I checked both mail log and firewall log, connection was from

209.3.226.225

...
...
Did anybody else receive that? Does it mean that fw.suse.com was compromised?

Generally that just means someone just spoofed the from header on the email and not comprimised anything... It's a pretty simple process

and

...
spammers have a habit of doing it fairly regularly.

Spoofing the header is one thing, but spoofing source IP address in TCP connection is a different thing. Please read my post again.

In my case, the TCP connection to port 25 was coming from 209.3.226.225, which resolves to fw.suse.com.

This fact raised my suspicions. It means either that DNS is compromised, or fw.suse.com host is compromised.

Thanks, -Kastus

Ahhh sorry I misread... Or rather was overtired and didn't read. In either case that it definately bizarre.

-- Chris

I have to agree with Kastus. I also received one of these and it went ot my home address which is given out very little. One case of it being used was for the purchase of the 9.0 upgrade. Seems rather strange that the fw.suse.com site comes up in the email AND names of suse users or purchasers.

Ken Schneider

Reply

Sign in to reply online Use email software

John Andersen

09:08

New subject: [suse-security] fw.suse.com compromised?

On Friday 31 October 2003 23:53, Chris Donaldson wrote:

Kastus wrote:

...
Hello,

I just received a james virus message originated at fw.suse.com (209.3.226.225) I checked both mail log and firewall log, connection was from 209.3.226.225

Did anybody else receive that? Does it mean that fw.suse.com was compromised?

Thanks, -Kastus

Generally that just means someone just spoofed the from header on the email and not comprimised anything... It's a pretty simple process and spammers have a habit of doing it fairly regularly.

-- Chris

Chris, you didn't read what Kastus said. He check the firewall log and the mail log. Thats significantly harder to fake than a mail header. -- _____________________________________ John Andersen

Reply

Sign in to reply online Use email software

7488

Age (days ago)

7488

Last active (days ago)

Download

8 comments

6 participants

tags

participants (6)

Arjen Runsink
Chris Donaldson
John Andersen
Kastus
Ken Schneider
Roman Drahtmueller