Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] compromised?
  • From: Kastus <NOSPAM@xxxxxxxxxx>
  • Date: Sat, 1 Nov 2003 01:06:37 -0800
  • Message-id: <20031101090637.GA24998@xxxxxxxxxx>
On Sat, Nov 01, 2003 at 03:53:01AM -0500, Chris Donaldson wrote:
> Kastus wrote:
> >Hello,
> >
> >I just received a james virus message originated at
> >(
> >I checked both mail log and firewall log, connection was from
> >
> >Did anybody else receive that? Does it mean that was
> >compromised?
> >
> >
> Generally that just means someone just spoofed the from header on the
> email and not compromised anything... It's a pretty simple process and
> spammers have a habit of doing it fairly regularly.

Spoofing the header is one thing, but spoofing the source IP address in a
TCP connection is a different thing. Please read my post again.

In my case, the TCP connection to port 25 was coming from,
which resolves to

This fact raised my suspicions. It means that either DNS is compromised
or the host is compromised.

Thanks, -Kastus
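The distinction Kastus draws is the one an investigator has to make in practice: the From: header, and every Received: line the sender chose to include, are under the sender's control, while the Received: line written by your own MTA and your mail/firewall log record the real TCP peer. The script below is an added example, not code from the thread or from any SUSE project; it uses constructed message headers, a constructed Postfix-style log line, and a constructed DNS snapshot (the hostname mx.example.net, the IPs and the domain names are all assumptions) so it runs offline. It picks out the peer your MTA saw, confirms it against the log, and runs forward-confirmed reverse DNS on it.

```python
"""Separate a spoofed From: header from the real TCP peer of an SMTP delivery.

Added example (not from the original mailing-list post). All hosts, IPs and
log text below are constructed so the check runs offline.
"""
import re

# Hypothetical hostname of our own MTA (assumption for the example).
OUR_MTA = "mx.example.net"

# Constructed DNS snapshot standing in for live PTR/A lookups.
DNS_PTR = {"203.0.113.7": "mail.victim.example"}
DNS_A = {"mail.victim.example": ["203.0.113.7"],
         "mx.example.net": ["198.51.100.2"]}

# Constructed headers: From: claims innocent.example and the sender also
# forged a lower Received: line. The topmost line was added by our MTA.
RAW_HEADERS = """\
Received: from mail.victim.example (mail.victim.example [203.0.113.7])
    by mx.example.net (Postfix) with ESMTP id A1B2C3 for <me@example.net>;
    Sat,  1 Nov 2003 09:06:37 +0000
Received: from innocent.example ([192.0.2.44]) by mail.victim.example; Sat, 1 Nov 2003 09:06:30 +0000
From: someone@innocent.example
Subject: test
"""

# Constructed Postfix-style smtpd log line for the same delivery.
MAIL_LOG = ("Nov  1 09:06:37 mx postfix/smtpd[24998]: A1B2C3: "
            "client=mail.victim.example[203.0.113.7]")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_lines(raw):
    return [l for l in unfold_headers(raw) if l.lower().startswith("received:")]


def peer_from_received(line):
    """Return (peer_ip, receiving_host) from one Received: line, or None."""
    ip = re.search(r"\[" + IPV4 + r"\]", line)
    by = re.search(r"\bby\s+(\S+)", line)
    if not ip or not by:
        return None
    return ip.group(1), by.group(1).rstrip(";")


def trusted_peer(raw, our_mta=OUR_MTA):
    """The TCP peer our own MTA saw: the first Received line 'by' our MTA.
    Lower Received lines were written by other parties and may be forged."""
    for line in received_lines(raw):
        parsed = peer_from_received(line)
        if parsed and parsed[1].lower() == our_mta:
            return parsed[0]
    return None


def log_peer(log_line):
    """Peer IP recorded by smtpd in a Postfix 'client=host[ip]' log line."""
    m = re.search(r"client=\S+?\[" + IPV4 + r"\]", log_line)
    return m.group(1) if m else None


def fcrdns(ip, ptr=DNS_PTR, a=DNS_A):
    """Forward-confirmed reverse DNS: PTR name must have an A record back to ip."""
    name = ptr.get(ip)
    if name and ip in a.get(name, []):
        return name
    return None


def header_from_domain(raw):
    for line in unfold_headers(raw):
        if line.lower().startswith("from:"):
            m = re.search(r"@([\w.-]+)", line)
            return m.group(1) if m else None
    return None


def assess(raw, log_line, our_mta=OUR_MTA):
    """Compare what the headers claim with what the MTA and the log observed."""
    peer = trusted_peer(raw, our_mta)
    untrusted = [peer_from_received(l) for l in received_lines(raw)]
    return {
        "header_from_domain": header_from_domain(raw),
        "forged_received_ips": [p[0] for p in untrusted
                                if p and p[1].lower() != our_mta],
        "tcp_peer": peer,
        "log_agrees": peer is not None and peer == log_peer(log_line),
        "peer_host": fcrdns(peer) if peer else None,
    }


if __name__ == "__main__":
    for key, value in assess(RAW_HEADERS, MAIL_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input the From: domain (innocent.example) and the lower Received: line (192.0.2.44) disagree with the peer our MTA and the log both recorded (203.0.113.7, whose reverse record confirms as mail.victim.example). That is the situation the post describes: the header is cheap to forge, but the TCP peer is whatever host actually completed the handshake. The DNS snapshot here is static; with a live resolver the FCrDNS result itself depends on the resolver being honest, which is exactly the "DNS is compromised" branch of the post's conclusion.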
