dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Wed Dec 10, 2003 6:20 am Post subject: Has my gentoo box/lan been compromised??? (solved)
I just subscribed to a gentoo-dev mail list and the confirmation email shows my email being sent from a windows box in my lan. My gentoo box shows up later in the header. Is it likely my box or others in my lan have been compromised??
"damian" is a windows box, "big_squirt" is my gentoo box, Edited ISP & domain for security.
Code:
Return-Path: <dol-sen@myisp.net>
Received: (qmail 24010 invoked from network); 9 Dec 2003 22:57:07 -0600
Received: from defout.myisp.net (HELO priv-edtnes46.myisp.net) (199.185.???.???)
  by mail.gentoo.org with SMTP; 9 Dec 2003 22:57:07 -0600
Received: from damian.dol-sen.mylan ([207.6.???.???])
  by priv-edtnes46.myisp.net
  (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP
  id 20031210045706.UNPV20134.priv-edtnes46.myisp.net@damian.dol-sen.mylan>
  for <gentoo-portage-dev-subscribe@gentoo.org>;
  Tue, 9 Dec 2003 21:57:06 -0700
Subject:
From: Brian <dol-sen@myisp.net>
To: gentoo-portage-dev-subscribe@gentoo.org
Content-Type: text/plain
Message-Id: <1071032274.1652.2.camel@big_squirt.dol-sen.mylan>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5
Date: Tue, 09 Dec 2003 20:57:54 -0800
Content-Transfer-Encoding: 7bit
If it is NOT a compromise, then why does my mail have another box's id????
All help is greatly appreciated.

Brian
Porthole, the Portage GUI frontend irc@freenode: #gentoo-guis, #porthole, Blog
layman, gentoolkit, CoreBuilder, esearch...
Last edited by dol-sen on Thu Dec 11, 2003 6:42 am; edited 1 time in total
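Reading a Received: chain is the first thing to do with a header like the one above, so here is a small tracer, added here as an example and not part of the thread. Relays prepend Received: headers, so the bottom-most one is the first hop; in each hop the "from" name and any HELO string are what the submitting side announced, while the bracketed address and the "by" name are written by the receiving relay and are the only parts it vouches for. A name in a private domain such as .mylan cannot have come from the ISP relay's reverse DNS, so it is the client's own self-description, and behind a NAT gateway the public address the ISP records is the same for every box on the LAN. The script compares that announced origin with the host the mail client stamped into Message-Id. The message text is a constructed sample modelled on the quoted headers (the poster's "???" redactions and myisp.net / mylan names are kept as they appear); all function names are the example's own.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the first post. The
# "???" octets and the myisp.net / mylan names are the poster's redactions,
# kept as they appear; this is not a real message.
SAMPLE = """\
Return-Path: <dol-sen@myisp.net>
Received: (qmail 24010 invoked from network); 9 Dec 2003 22:57:07 -0600
Received: from defout.myisp.net (HELO priv-edtnes46.myisp.net) (199.185.???.???)
  by mail.gentoo.org with SMTP; 9 Dec 2003 22:57:07 -0600
Received: from damian.dol-sen.mylan ([207.6.???.???])
  by priv-edtnes46.myisp.net
  (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP
  id 20031210045706.UNPV20134.priv-edtnes46.myisp.net@damian.dol-sen.mylan
  for <gentoo-portage-dev-subscribe@gentoo.org>;
  Tue, 9 Dec 2003 21:57:06 -0700
From: Brian <dol-sen@myisp.net>
To: gentoo-portage-dev-subscribe@gentoo.org
Message-Id: <1071032274.1652.2.camel@big_squirt.dol-sen.mylan>
X-Mailer: Ximian Evolution 1.4.5
Date: Tue, 09 Dec 2003 20:57:54 -0800

subscribe
"""

HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)
# Accepts dotted quads and the "???" placeholders used in the redacted sample.
ADDR_RE = re.compile(r"[\[(]\s*(\d{1,3}(?:\.(?:\d{1,3}|\?{3})){3})\s*[\])]")
COMMENT_RE = re.compile(r"\([^()]*\)")


def parse_received(value):
    """Split one Received: header into the fields that matter for tracing.

    'from' and 'helo' are whatever the sending side announced; 'ip' and 'by'
    are written by the receiving MTA and are the only parts it vouches for.
    """
    value = " ".join(value.split())            # unfold continuation lines
    helo = HELO_RE.search(value)
    addr = ADDR_RE.search(value)
    # Drop (comments) first so text like "invoked from network" cannot be
    # mistaken for a "from <host>" clause.
    stripped = COMMENT_RE.sub("", value)
    frm = re.search(r"\bfrom\s+(\S+)", stripped)
    by = re.search(r"\bby\s+(\S+)", stripped)
    date = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "from": frm.group(1) if frm else None,  # None for a local/queue-internal hop
        "helo": helo.group(1) if helo else None,
        "ip": addr.group(1) if addr else None,
        "by": by.group(1) if by else None,
        "date": date,
    }


def received_chain(raw):
    """Hops in transit order: relays prepend Received:, so the last header is the first hop."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def origin_host(hops):
    """The name the first relay recorded for the submitting client."""
    for hop in hops:
        if hop["from"]:
            return hop["from"]
    return None


def message_id_host(raw):
    """Right-hand side of Message-Id, which the mail client fills from its own idea of its hostname."""
    mid = message_from_string(raw)["Message-Id"].strip().strip("<>")
    return mid.rsplit("@", 1)[1]


def check_origin(raw):
    """Compare the origin the first relay recorded with the host stamped into Message-Id."""
    hops = received_chain(raw)
    origin = origin_host(hops)
    mid_host = message_id_host(raw)
    return {"origin": origin, "message_id_host": mid_host,
            "consistent": origin == mid_host, "hops": len(hops)}


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE), 1):
        print(f"hop {i}: from={hop['from']} helo={hop['helo']} ip={hop['ip']} "
              f"by={hop['by']} at {hop['date']}")
    print(check_origin(SAMPLE))
```

On the sample the first hop reports damian.dol-sen.mylan while Message-Id carries big_squirt.dol-sen.mylan, so the check comes back inconsistent; that tells you the submitting software announced one name and stamped another, not which machine it ran on, because the ISP only ever saw the gateway's public address.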
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54834 Location: 56N 3W
Posted: Wed Dec 10, 2003 10:40 am Post subject:
dol-sen,
It looks like the windows box is running a mail server for your network.
NeddySeagoon

Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Wed Dec 10, 2003 2:34 pm Post subject:
I don't think she even uses outlook express on her computer, usually hotmail, yahoo mail. I checked my configuration and everything points to my ISP's mail server; the gateway/firewall is not supposed to be redirecting anything.
The only thing I could think of is maybe her box had been penetrated and somehow they rooted my system and monitor my mail?
I'll check to see what is running on her box.

Brian
fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Wed Dec 10, 2003 3:13 pm Post subject:
Could it be just confusion about the ip addresses?
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Thu Dec 11, 2003 2:12 am Post subject:
Well, I checked her box. The only things running were
Explorer
Msnmsgr
Winoldap
Rundll32
Systray
Anyone know what Winoldap is?
Or could this have been caused by a buggy Linksys firewall?

Brian
Doomwookie Tux's lil' helper
Joined: 07 Oct 2003 Posts: 143 Location: Dayton, Oh
Posted: Thu Dec 11, 2003 4:19 am Post subject:
That is a generic name for an old 16-bit windows app. Some old viruses run as 16-bit windows apps. Has she installed any old shareware recently?

Doomwookie
Toshiba Satellite P25-S607
Gentoo/Windows MCE Dualboot
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Thu Dec 11, 2003 6:13 am Post subject:
She may very well have.
I've done more testing. With the damian box disconnected from the lan and my box rebooted, it still has damian as the sender. I also tried subscribing to a list using our laptop/windows-XP. The laptop return confirmation came back clean, without damian as the sender.
I have checked /etc/hostname, /etc/resolv.conf and /etc/conf.d/net, all to no avail. The only reference to the damian box was in /etc/hosts; I changed the name to check if that is where it is coming from. I also found that /etc/nisdomainname was not created in /etc for my domain name; I have now created that.
Well, now to reboot and check if anything is different.

Brian
Last edited by dol-sen on Thu Dec 11, 2003 6:42 am; edited 1 time in total
dol-sen Retired Dev
Joined: 30 Jun 2002 Posts: 2805 Location: Richmond, BC, Canada
Posted: Thu Dec 11, 2003 6:32 am Post subject:
Well, I found it!
Apparently every time mail is sent it reads and uses the last entry in the /etc/hosts file as the id in the sent mail. Modifying the file with evolution running and then sending mail again shows the new change without re-initing anything.
I imagine this is a bug in evolution or the network stuff. I'll have to read up to find out if it is supposed to do that.
Thanks for the help.

Brian
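The poster's fix points at /etc/hosts, and the mechanism behind it is the local resolver rather than the mail client: a program that builds its Message-Id or its EHLO argument from gethostname() plus a name lookup gets back whatever canonical name the hosts file hands out for that short name. The script below, added here as an example and not from the thread or from Evolution, models the glibc "files" backend rule as it is documented: the first line that mentions the queried name is the match, and the first name on that line is the canonical name returned to gethostbyname() / getaddrinfo() with AI_CANONNAME. The three hosts files are constructed for the demonstration (the addresses, the stray alias and the function names are the example's own, not anything the poster showed), and the audit function flags the configuration that leaks another machine's name.

```python
# Constructed /etc/hosts files for a hypothetical LAN. The hostnames echo
# the thread; the addresses and the stray "big_squirt" alias on the damian
# line are invented to show the failure mode.
HOSTS_WITH_STRAY_ALIAS = """\
127.0.0.1      localhost
192.168.1.5    damian.dol-sen.mylan  damian  big_squirt
192.168.1.2    big_squirt.dol-sen.mylan  big_squirt
"""

HOSTS_FIXED = """\
127.0.0.1      localhost
192.168.1.5    damian.dol-sen.mylan  damian
192.168.1.2    big_squirt.dol-sen.mylan  big_squirt
"""

# The other classic shape: the box's own name tacked onto the loopback line.
HOSTS_LOCALDOMAIN = """\
127.0.0.1      localhost.localdomain localhost big_squirt
"""


def parse_hosts(text):
    """Return [(ip, [canonical, alias, ...]), ...], skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(hosts_text, query):
    """Emulate glibc's 'files' lookup: the first line naming `query` wins and
    its first name is the canonical name. Returns None when nothing matches."""
    wanted = query.lower()
    for _ip, names in parse_hosts(hosts_text):
        if wanted in (n.lower() for n in names):
            return names[0]
    return None


def message_id_domain(hosts_text, short_hostname):
    """What a mailer that derives its FQDN from gethostname() plus a resolver
    lookup would put after the '@' in Message-Id (and send as its EHLO name).
    Falls back to the bare short name when the lookup fails."""
    return canonical_name(hosts_text, short_hostname) or short_hostname


def audit_hosts(hosts_text, short_hostname):
    """Flag lines that list our short name as an alias but carry some other
    host's canonical name: that line is what the resolver hands back, so that
    name is what leaks into outgoing mail."""
    wanted = short_hostname.lower()
    problems = []
    for ip, names in parse_hosts(hosts_text):
        aliases = [n.lower() for n in names[1:]]
        if wanted in aliases and not names[0].lower().startswith(wanted + "."):
            problems.append((ip, names[0]))
    return problems


if __name__ == "__main__":
    for label, hosts in [("stray alias", HOSTS_WITH_STRAY_ALIAS),
                         ("fixed", HOSTS_FIXED),
                         ("loopback", HOSTS_LOCALDOMAIN)]:
        print(f"{label:12s} -> Message-Id host: {message_id_domain(hosts, 'big_squirt')}"
              f"  problems: {audit_hosts(hosts, 'big_squirt')}")
```

On a real box the equivalent check is `getent hosts "$(hostname)"`, which prints the line the resolver actually selects; the first name it prints is the one that will show up after the "@" in Message-Id and in the EHLO the ISP relay records. Where the result names a different machine (or localhost.localdomain), the ordering and aliases in /etc/hosts are the thing to fix, and no reboot is needed because the file is re-read on every lookup.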