
Someone trying to hack email account password


jjtbt

MIS
Sep 26, 2001
57
US
We use Groupwise and noticed that for over a day exactly every 5 minutes, this showed up in our gateway log:

Accepted POP3 connection with: ##.##.##.##
POP3 command: USER <username>
GroupWise login failed: 8209
POP3 command: QUIT
POP3 session ended: ##.##.##.##

So I'm assuming that someone was using some automated bot to find out this user's password. Unfortunately, the entry in the log does not show the IP address this was coming from.

What could I have used to show what IP address this traffic was coming from?

It doesn't show up in our Sonicwall logs since that only shows what is being blocked and our ISP was no help.
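A small log-review script for the pattern described in this post, added here as an example and not part of the original thread or of GroupWise. It groups the GWIA POP3 lines into sessions, counts login failures per user, and checks whether the failures arrive at a regular interval (the "exactly every 5 minutes" symptom). The sample log is constructed: the message text follows the lines quoted above, but the leading HH:MM:SS timestamp and the user names are assumptions, and the source field is reported exactly as the log recorded it, so a masked value like ##.##.##.## stays masked.

```python
import re
import statistics
from datetime import datetime

# Constructed sample log (not real GWIA output). Message text mirrors the lines
# quoted in the post; the HH:MM:SS prefix is an assumed log-timestamp format.
SAMPLE_LOG = """\
09:00:00 Accepted POP3 connection with: ##.##.##.##
09:00:00 POP3 command: USER jdoe
09:00:00 GroupWise login failed: 8209
09:00:00 POP3 command: QUIT
09:00:00 POP3 session ended: ##.##.##.##
09:01:10 Accepted POP3 connection with: ##.##.##.##
09:01:10 POP3 command: USER bjones
09:01:10 GroupWise login failed: 8209
09:01:10 POP3 command: QUIT
09:01:10 POP3 session ended: ##.##.##.##
09:03:00 Accepted POP3 connection with: ##.##.##.##
09:03:00 POP3 command: USER asmith
09:03:00 POP3 command: QUIT
09:03:00 POP3 session ended: ##.##.##.##
09:05:00 Accepted POP3 connection with: ##.##.##.##
09:05:00 POP3 command: USER jdoe
09:05:00 GroupWise login failed: 8209
09:05:00 POP3 command: QUIT
09:05:00 POP3 session ended: ##.##.##.##
09:07:30 Accepted POP3 connection with: ##.##.##.##
09:07:30 POP3 command: USER bjones
09:07:30 GroupWise login failed: 8209
09:07:30 POP3 command: QUIT
09:07:30 POP3 session ended: ##.##.##.##
09:10:00 Accepted POP3 connection with: ##.##.##.##
09:10:00 POP3 command: USER jdoe
09:10:00 GroupWise login failed: 8209
09:10:00 POP3 command: QUIT
09:10:00 POP3 session ended: ##.##.##.##
09:15:00 Accepted POP3 connection with: ##.##.##.##
09:15:00 POP3 command: USER jdoe
09:15:00 GroupWise login failed: 8209
09:15:00 POP3 command: QUIT
09:15:00 POP3 session ended: ##.##.##.##
09:31:00 Accepted POP3 connection with: ##.##.##.##
09:31:00 POP3 command: USER bjones
09:31:00 GroupWise login failed: 8209
09:31:00 POP3 command: QUIT
09:31:00 POP3 session ended: ##.##.##.##
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<msg>.+)$")
ACCEPT_RE = re.compile(r"^Accepted POP3 connection with: (?P<src>\S+)$")
USER_RE = re.compile(r"^POP3 command: USER (?P<user>\S+)$")
FAIL_RE = re.compile(r"^GroupWise login failed: (?P<code>\d+)$")
END_RE = re.compile(r"^POP3 session ended: ")


def parse_sessions(text):
    """Group log lines into POP3 sessions: start time, source, user, failure code."""
    sessions, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not carry the assumed timestamp prefix
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S")
        msg = m.group("msg")
        a = ACCEPT_RE.match(msg)
        if a:
            current = {"start": ts, "src": a.group("src"), "user": None, "fail_code": None}
            continue
        if current is None:
            continue  # line outside any session; ignore it
        u = USER_RE.match(msg)
        f = FAIL_RE.match(msg)
        if u:
            current["user"] = u.group("user")
        elif f:
            current["fail_code"] = int(f.group("code"))
        elif END_RE.match(msg):
            sessions.append(current)
            current = None
    return sessions


def failed_login_summary(sessions, min_failures=3, max_jitter_s=15.0):
    """Per user with >= min_failures failed logins: count, sources, codes, mean gap
    between attempts, and whether the gaps are regular enough to look scripted."""
    by_user = {}
    for s in sessions:
        if s["user"] is not None and s["fail_code"] is not None:
            by_user.setdefault(s["user"], []).append(s)
    report = {}
    for user, fails in by_user.items():
        if len(fails) < min_failures:
            continue
        fails.sort(key=lambda s: s["start"])
        gaps = [(b["start"] - a["start"]).total_seconds() for a, b in zip(fails, fails[1:])]
        report[user] = {
            "failures": len(fails),
            "sources": sorted({s["src"] for s in fails}),
            "fail_codes": sorted({s["fail_code"] for s in fails}),
            "mean_gap_s": statistics.mean(gaps),
            "periodic": statistics.pstdev(gaps) <= max_jitter_s,
        }
    return report


if __name__ == "__main__":
    for user, info in failed_login_summary(parse_sessions(SAMPLE_LOG)).items():
        print(user, info)
```

On the sample, jdoe shows four failures with a mean gap of 300 s and no jitter, which is the periodic pattern in the post; bjones fails three times at irregular gaps and is reported but not flagged as periodic. A regular interval on its own is consistent with a scripted attempt but also with a mail client that retries a wrong saved password on a schedule, so the "periodic" flag is a cue to investigate the user and source, not a conclusion. Timestamps are parsed as time-of-day only, so a log spanning midnight needs a date prefix added to LINE_RE before the gap arithmetic is meaningful.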
 
I don't run the GWIA so I can't help, but you should post this in the Groupwise forum. Others who run the GWIA can probably suggest something...


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
This is a good reason to have strong passwords.
:)

For things like root & admin passwords, I have a set of dice that I roll to create random passwords:


If you roll a "wild" value, use a dollar-sign or other punctuation symbol (or space, if allowed). Use a d10 to add some numbers to it:


Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
I will post in the Groupwise forum (and we use strong passwords, so it would have taken this hacker quite a long time to hack that particular password).

It was more a question of was there some utility or software I could have run on our network outside of Groupwise that would have captured that particular POP3 traffic so I could have determined what external IP address was attacking? We actually have an idea of who the culprit was, but have no proof of it. Thanks for any help anyone can provide...
 
Misunderstood your question, sorry. Sure, you can use a network sniffer to trap the traffic to your server. I prefer WireShark (formerly Ethereal).

If you're running GW on linux or windows you can simply install WireShark on the server. If you're running it on Netware things are a little trickier, since they don't have a version of WireShark for Netware.

If you don't want to install WireShark on your server or you're running Netware, install it on a laptop. Then insert a simple 4 port hub between your network switch and your server. Plug the laptop into the same hub and it will be able to "see" the traffic headed to the server.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Great! That's just the info I needed...we do run it on Netware so I will test out your suggestion of using the hub. Thanks so much for the help!
 
Some network switches will allow you to "monitor" or "mirror" traffic from one switch port to another. If your switch will let you do this, hook WireShark up to the monitor port. Otherwise you'll need the hub.



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
I'll check on the specs of the switch to see if this one has that option...thanks again!
 
Is it the same user and the same password each time? Or is it a differing password each time?

Could someone have a misconfigured email client, checking for POP mail every 5 minutes, with the wrong saved password?
 
Same user every time, but no way to tell what password is being tried. At this point we have talked to the user and are sure of who was trying to hack the account. But if I see it in the logs again, I'll want to try all the suggestions so we can have better information.
 
I have dummies trying that on my FTP server, so I have incoming requests allocated for 56KBps...lol
I use Wire Shark myself, and most are from China (probably proxies), but I then go to and plug the IP in, and usually find a few class A blocks I can deny with acl's in my router.

Burt
 