Posted by Hans Wolters on May 23, 2008, 5:41 pm
>> I'm in an IT department in a small community college that offers
>> emails, wireless, VPN to students.
>>
>> Lately we have been having spammers access student email accounts and
>> sending spam. We are researching how the account details were
>> obtained.
>>
>> I have looked in the server logs and noticed a number of successful
>> authentications from a suspicious IP; the authentications were to ~50
>> accounts. It looked like someone was testing if accounts from a list
>> had the correct credentials: the authentications were run via script.
>>
>> Question: Are these types of account details bought and sold? I have a
>> feeling that someone bought a set of college accounts and ran a script
>> to evaluate which were still working. About a month later the spam
>> started.
>
> What web based email software are you running? Is it or was it
> susceptible to SQL injection whereby the attacker may have dumped the
> passwords for all email accounts?
>
> It's also possible that keylogging trojans on shared computers might
> be to blame as well.
>
> The first step would be to force a password change on the affected
> accounts of course, then keep an eye on things while you try to
> figure out how they got the accounts. Patching is one possibility.
Compromised clients are indeed a burden. Patching might fix it somewhat,
but making sure it is secured might be a better solution. Starting to use
browser certificates might be a start.
I do not think students are selling them, or they would have to be able to crack
their fellow students' accounts. In that case it might be good to look at
the procedure for changing passwords. Do not let people use simple ones.
> Good luck, post back.
>
*nod*
Hans
--
IM: hans.wolters@jabber.xs4all.nl
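The pattern the original poster describes in the server logs (one IP authenticating successfully to ~50 accounts, apparently from a script walking a list) is easy to pull out mechanically. The following is an added example, not code from anyone in the thread: it parses a simplified, assumed auth-log line format (not the format of any particular mail or web server), groups successful logins by source address, and flags any address that logged in to many distinct accounts within a short window. The sample log lines, the account names and the IP addresses (from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24) are constructed for this example. The flagged map also lists every account that address reached, which is the list you would feed into the forced password change suggested above.

```python
"""Flag source IPs that log in successfully to many distinct accounts in a
short window: the "someone validating a bought list of credentials" pattern
discussed in the thread. Log format and all sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified auth-log line format (not any particular server's):
#   2008-05-01T03:14:07 LOGIN OK user=alice ip=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "ip": m["ip"],
    }


def find_credential_checkers(lines, min_accounts=5, window=timedelta(minutes=30)):
    """Return {ip: sorted accounts} for every IP that logged in successfully to
    at least `min_accounts` distinct accounts within some `window`-long span.
    A real user or a small lab NAT touches a handful of accounts over hours;
    a script checking a purchased list touches dozens in minutes.  The
    accounts listed are every account that IP reached, not just those in the
    triggering window, so the list can drive a forced password reset."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["ok"]:
            by_ip[ev["ip"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            users_in_window = {u for _, u in events[start:end + 1]}
            if len(users_in_window) >= min_accounts:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


# Constructed sample log: a lab NAT address with three students over the
# morning, and one address walking a list of accounts every 20 seconds.
SAMPLE_LOG = [
    "2008-05-01T08:02:11 LOGIN OK user=alice ip=192.0.2.10",
    "2008-05-01T08:05:40 LOGIN OK user=bob ip=192.0.2.10",
    "2008-05-01T08:07:03 LOGIN FAIL user=bob ip=192.0.2.10",
    "2008-05-01T09:30:00 LOGIN OK user=carol ip=192.0.2.10",
    "this line is not an auth record and is ignored",
]
_t0 = datetime(2008, 5, 1, 3, 14, 7)
for _i in range(12):
    _ts = (_t0 + timedelta(seconds=20 * _i)).strftime("%Y-%m-%dT%H:%M:%S")
    _result = "FAIL" if _i in (3, 8) else "OK"  # a couple of stale passwords on the list
    SAMPLE_LOG.append(f"{_ts} LOGIN {_result} user=s10{_i:02d} ip=203.0.113.7")


if __name__ == "__main__":
    for ip, accounts in find_credential_checkers(SAMPLE_LOG).items():
        print(f"{ip}: {len(accounts)} accounts reached, force reset on:")
        print("  " + ", ".join(accounts))
```

The thresholds are deliberately parameters: on a campus, a NAT gateway or a shared lab machine will legitimately show several accounts from one address over a day, so tune `min_accounts` and `window` against a few days of known-good logs before alerting on the result, and treat the failed attempts interleaved with the successes (stale entries on the attacker's list) as a second hint that a list is being validated rather than a user mistyping.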