Re: Compromised email accounts

Man Alive <nopsam@xxxxxxxxxxx> writes:

I'm in an IT department in a small community college that offers
emails, wireless, VPN to students.

Lately we have been having spammers access student email accounts and
sending spam. We are researching how the account details were
obtained.

I have looked in the server logs and noticed a number of successful
authentications from a suspicious IP; the authentications were to ~50
accounts. It looked like someone was testing if accounts from a list
had the correct credentials: the authentications were run via script.

Question: Are these type of account details bought and sold? I have a
feeling that someone bought a set of college accounts and ran a script
to evaluate which were still working. About a month later the spam
started.

What web based email software are you running? Is it or was it
susceptible to SQL injection whereby the attacker may have dumped the
passwords for all email accounts?

It's also possible that keylogging trojans on shared computers might
be to blame as well.

The first step would be to force a password change on the affected
accounts of course, then keep an eye on things while you try to
figure out how they got the accounts. Patching is one possibility.

Good luck, post back.

Best Regards,
--
Todd H.
http://www.toddh.net/
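As an added example (not part of the thread or of Todd's reply), the Python below implements the check the original post describes: it scans authentication log lines and flags any source IP that successfully logs in to many distinct accounts within a short window, which is what a scripted run through a purchased account list looks like. The log format, IP addresses and account names are constructed for the example, not taken from the poster's server.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). Assumed line format:
# "<ISO timestamp> AUTH <OK|FAIL> user=<account> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T02:14:03Z AUTH OK user=alice src=203.0.113.5
2024-03-01T02:14:09Z AUTH OK user=bob src=203.0.113.5
2024-03-01T02:14:15Z AUTH FAIL user=carol src=203.0.113.5
2024-03-01T02:14:21Z AUTH OK user=dave src=203.0.113.5
2024-03-01T02:14:27Z AUTH OK user=erin src=203.0.113.5
2024-03-01T08:30:00Z AUTH OK user=alice src=198.51.100.7
2024-03-01T09:02:11Z AUTH OK user=frank src=198.51.100.7
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_auth_log(text):
    """Yield (timestamp, user, src) for each *successful* authentication."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("result") != "OK":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("src")

def flag_account_testing(text, min_accounts=3, window=timedelta(minutes=30)):
    """Return {src_ip: sorted accounts} for each source IP that successfully
    logged in to >= min_accounts distinct accounts inside any `window`."""
    by_src = {}
    for ts, user, src in sorted(parse_auth_log(text)):
        by_src.setdefault(src, []).append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        recent = deque()       # successful logins inside the current window
        in_window = Counter()  # distinct accounts inside the current window
        for ts, user in events:
            recent.append((ts, user))
            in_window[user] += 1
            while recent and ts - recent[0][0] > window:  # slide window forward
                _, old_user = recent.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            if len(in_window) >= min_accounts:  # one IP fanning out over accounts
                flagged.setdefault(src, set()).update(in_window)
    return {src: sorted(users) for src, users in flagged.items()}
```

A single student logging in repeatedly from one address never trips the check; only one address succeeding against many different accounts does, and the flagged account list is the set to force a password change on first.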