NetWare/GroupWise Gurus,
Thanks again to those of you who responded to my last plea for help regarding the repeated failed login attempts emanating from my mail server. Jeff Wallis (as well as a friend of Bjorn's named Jonathan Czar from Castleton) replied off list suggesting that GW WebAccess might be the culprit. Bingo! I shut down the WebAccess agent and the logins stopped immediately. And I'm relieved to discover that, apparently, there is no hacking going on, just software misbehavior.
Why didn't I, myself, catch on that the problem was with the WebAccess agent? Stupidity, primarily. But also because WebAccess is running beautifully. So wherefore all these repeated login attempts (every 20 seconds)? And, once I went back to actually allowing "Super" to log in from the mail server's address, I began getting intruder lockouts in addition to just plain "failed logins". I checked the WebAccess config file and the password listed is correct, so what's going on? (BTW, the failed logins are to eDirectory in general, not solely to the box running the WebAccess app; they migrate from NetWare server to NetWare server depending on who's listening at the time.)
I guess I don't feel that a remedy is quite so urgent now that it seems it isn't a hacking job, but I'd like to clear up all this wasted activity and, also, just figure out - or have you figure out :-) - what the heck is going on.
-Vince
--
Vincent Rossano
Information Technology Director
Montpelier Public Schools
Montpelier, VT 05602
(802) 225-8690
>>> On 4/9/2007 at 12:41 PM, "Jeff Wallis" <[log in to unmask]> wrote:
> Just some thoughts...
>
> Is webaccess running on this server or a post office? Both of these use
> proxy users (webaccess to connect to the primary database and the post office
> for the library documents). Are the times random? It could be that every
> time someone opens their web access or mail client - it tries to use one of
> these proxy users.
>
> You can look in your webaccess startup file which would be in the sys:\system
> folder called something like WEBAC70A.WAA. It would be under the nlm
> specific switches section.
>
> Jeff
>
>
> This e-mail may contain information protected under the Family Educational
> Rights and Privacy Act (FERPA). If this e-mail contains student information
> and you are not entitled to access such information under FERPA, please
> notify the sender. Federal regulations require that you destroy this e-mail
> without reviewing it and you may not forward it to anyone.
>
>>>> Vince Rossano <[log in to unmask]> 4/9/2007 12:05 AM >>>
> I wanted to post a follow-up to my request for help (over a week ago)
> regarding the password hacking seemingly happening on my network. Thanks
> again to the four Mikes and Bjorn ("Bjorn" must be the Swedish version of
> "Mike" :-) ) for taking the time to respond. Thoiugh the problem has not been
> solved, I have isolated it to a surprising source: the email server itself.
>
> If you recall, my problem was that repeated login attempts (one every 20
> seconds or so) were being made on one of my admin accounts seemingly
> emanating from my mail server (GroupWise running on NetWare). My assumption
> was that the actual source of the login attempts was elsewhere, but that they
> were somehow being passed through the mail server. When I cut the mail
> server off from the Internet, the login attempts continued, so I surmised
> they were coming from within.
>
> Okay, so I followed the suggestion of a couple of the Mikes and shut down
> connections port by port, watching to see when the logins would stop. They
> never did. Ultimately, I isolated the mail server completely but its logger
> screen continued to show the login attempt messages, e.g.:
> 23:30:04 Dir Login: UserId .super.mps
> 23:30:04 Dir Login: changed to .cn=super.mps
>
> So it is occurring on the server itself and I'm not sure how. Is it some
> sort of malicious attack that's been planted on the server, or is some
> service on that server misbehaving and repeatedly attempting to log in with
> the wrong password? Or something even weirder?
>
> Other crises developed last week and I was forced to let this issue ride for
> a while. There isn't any danger of password cracking now because I've
> limited the login addresses for this account to a couple of workstations; the
> account in question can't login at all from the mail server so the password
> isn't even being read now.
>
> If anyone has any further ideas, I'd be pleased to hear them. Otherwise, if
> I ever figure it out, I'll let you all know.
>
> -Vince
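As an added example (not part of this thread or of any NetWare/GroupWise tool), the following Python reads logger-screen lines in the format quoted above, separates a fixed-cadence retry loop like the 20-second one described from irregular login activity, and checks whether that cadence would trip an intruder-lockout threshold. The sample lines, the second user name, and the lockout threshold and window are constructed assumptions, not values from the thread.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample in the NetWare logger-screen format quoted in the thread;
# times and the second user are made up, the ~20 s cadence mirrors the report.
SAMPLE_LOG = """\
23:30:04 Dir Login: UserId .super.mps
23:30:04 Dir Login: changed to .cn=super.mps
23:30:24 Dir Login: UserId .super.mps
23:30:44 Dir Login: UserId .super.mps
23:31:04 Dir Login: UserId .super.mps
23:31:09 Dir Login: UserId .alice.mps
23:31:24 Dir Login: UserId .super.mps
23:31:45 Dir Login: UserId .super.mps
"""
LOGIN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) Dir Login: UserId (\S+)$")

def parse_attempts(text):
    """Map user -> attempt times in seconds since midnight.
    'changed to' lines are skipped: they restate the attempt just logged."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            h, mi, s, user = m.groups()
            attempts[user].append(int(h) * 3600 + int(mi) * 60 + int(s))
    return dict(attempts)

def classify(times, min_attempts=4, max_jitter=2.0):
    """'periodic' = steady cadence with little jitter, the signature of an
    agent retrying a stale credential on a timer; 'irregular' = volume without
    that rhythm; 'normal' = too few to judge. Returns (label, mean gap)."""
    if len(times) < min_attempts:
        return "normal", None
    gaps = [b - a for a, b in zip(times, times[1:])]
    label = "periodic" if statistics.pstdev(gaps) <= max_jitter else "irregular"
    return label, round(statistics.mean(gaps), 1)

def hits_lockout(times, threshold, window):
    """True if any sliding window of `window` seconds holds >= `threshold`
    attempts (assumed stand-ins for the container's intruder-detection settings)."""
    times, lo = sorted(times), 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False

if __name__ == "__main__":
    for user, times in parse_attempts(SAMPLE_LOG).items():
        print(user, classify(times), hits_lockout(times, 5, 600))
```

A "periodic" verdict on a service or proxy account points at a stored credential that no longer matches, which is exactly the kind of thing to check in the agent's startup file before treating the lockouts as an attack.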