Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] fw.suse.com compromised?
  • From: Chris Donaldson <serlin@xxxxxxxxxx>
  • Date: Sat, 01 Nov 2003 16:04:37 -0500
  • Message-id: <3FA41FE5.7000207@xxxxxxxxxx>
Ken Schneider wrote:

-----Original Message-----
From: Kastus <NOSPAM@xxxxxxxxxx>
To: suse-security@xxxxxxxx
Date: Sat, 1 Nov 2003 01:06:37 -0800
Subject: Re: [suse-security] fw.suse.com compromised?


On Sat, Nov 01, 2003 at 03:53:01AM -0500, Chris Donaldson wrote:

Kastus wrote:


Hello,

I just received a james virus message originated at fw.suse.com (209.3.226.225)
I checked both mail log and firewall log, connection was from

209.3.226.225

Did anybody else receive that? Does it mean that fw.suse.com was compromised?



Generally that just means someone just spoofed the from header on the
email and not compromised anything... It's a pretty simple process and
spammers have a habit of doing it fairly regularly.

Spoofing the header is one thing, but spoofing source IP address in TCP connection is a different thing. Please read my post again.

In my case, the TCP connection to port 25 was coming from
209.3.226.225, which resolves to fw.suse.com.

This fact raised my suspicions. It means either that DNS is compromised,
or fw.suse.com host is compromised.

Thanks, -Kastus

Ahhh sorry I misread... Or rather was overtired and didn't read. In either case that is definitely bizarre.

--
Chris

I have to agree with Kastus. I also received one of these and it went to
my home address which is given out very little. One case of it being used
was for the purchase of the 9.0 upgrade. Seems rather strange that the
fw.suse.com site comes up in the email AND names of suse users or purchasers.

Ken Schneider
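The distinction Kastus draws in the thread above (a forged From: header versus a TCP connection that really came from the named host) is something a mail administrator can check mechanically from the Received: header that their own MTA writes, since that header records the peer IP taken from the socket rather than anything the sender supplied. The script below is an added example and is not part of the original thread or any SUSE tooling; the message texts, the mail.example.net server name, the 198.51.100.7 address and the REVERSE_DNS table are constructed for the example (only the 209.3.226.225 to fw.suse.com mapping comes from the thread), and the table stands in for a real PTR lookup so the code runs offline.

```python
import re
from typing import Optional
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From: header claims suse.com and the client even
# said HELO as fw.suse.com, but the receiving MTA recorded a different peer IP.
SPOOFED_HEADER_MSG = """Received: from fw.suse.com (unknown [198.51.100.7])
\tby mail.example.net (Postfix) with SMTP id ABC123
\tfor <kastus@example.net>; Sat, 1 Nov 2003 01:00:12 -0800
From: support@suse.com
To: kastus@example.net
Subject: test

body
"""

# Constructed sample of the case Kastus describes: the peer IP recorded by the
# receiving MTA is the one that resolves to the claimed host.
MATCHING_MSG = """Received: from fw.suse.com (fw.suse.com [209.3.226.225])
\tby mail.example.net (Postfix) with SMTP id DEF456
\tfor <kastus@example.net>; Sat, 1 Nov 2003 01:06:37 -0800
From: support@suse.com
To: kastus@example.net
Subject: test

body
"""

# Constructed stand-in for reverse DNS (a real check would do a PTR lookup).
REVERSE_DNS = {"209.3.226.225": "fw.suse.com"}

# The bracketed dotted quad in a Received: line is filled in by the receiving
# server from the TCP socket; the "from <name>" before it is the client's HELO
# and can say anything.
_PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> Optional[str]:
    """Return the peer IP from the topmost (most recently added) Received: header."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _PEER_IP.search(received[0])
    return match.group(1) if match else None


def classify(raw_message: str, reverse_dns=REVERSE_DNS) -> str:
    """Decide whether only the From: header was forged or the connection
    genuinely originated from a host in the claimed domain."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    ip = connecting_ip(raw_message)
    if ip is None:
        return "no-received-header"
    peer_host = reverse_dns.get(ip, "").lower()
    if peer_host and (peer_host == from_domain or peer_host.endswith("." + from_domain)):
        # Matches the thread's situation: the TCP peer really resolves to the
        # claimed domain, so header spoofing alone does not explain it.
        return "connection-from-claimed-domain"
    return "header-only-spoof"


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_HEADER_MSG), ("matching", MATCHING_MSG)):
        print(label, connecting_ip(sample), classify(sample))
```

Only the topmost Received: line (the one your own server wrote) is trustworthy; lower ones arrive with the message and are as forgeable as the From: header. A forward lookup of the PTR name should also be confirmed, since a compromised or lying DNS server is exactly the other explanation raised in the thread.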