Q

Attempted break-in to mail files via program


There are several IDs that some groups use; for example, M13.id is used by the M13 group. Recently, I found in the server log that someone attempted to access everyone's mail using M13.id. Of course, he couldn't because of the ACL. But if there is something wrong in the ACL of someone's mail database, he will be able to access the mail.

Is there a way to find out who attempted to access the mail? (I guess that the user runs programs to do this, because he can attempt to access a lot of mail files in one second.)


Let me make sure I understand what you are saying... Someone using the ID file named M13.id ran a program that tried to read many mail files within one second. All of these attempts failed (except maybe M13's mailfile) because the mailfile ACL prevented access. You want to find out who tried to do this. Assuming this is correct, here is my answer...

The only way I can think to find out the person is by checking the IP address that the attempts came from and matching this IP address to a specific location. This requires you to know two things:

1) What IP address were they using?
2) Where is the computer with this IP address?

Let's look at #1 first... If the hacker is coming in from a Web browser (using Domino as a web server) then the log file DOMLOG.NSF records the IP address of every web access, so you are all set. If the user is coming in from a Notes client over a local area network, the standard log file LOG.NSF does not record the IP address of every access. (If someone knows how to do this, please let me know.) You may need to use a separate network analyzer and tell it to keep a log of all network traffic on TCP/IP port 1352 (the Notes port).

Now let's look at #2... If the hacker was using a computer at your company, this is fairly easy. All of your machines probably have static IP addresses and you should have a network map of the IP addresses for each office. If the hacker is outside the company, you will have a hard time finding them based on their IP address. This is not impossible though, since the Internet Assigned Numbers Authority knows who has which IP addresses. (www.iana.org) If the hacker is breaking the law, I believe the police can get information from IANA about where the hacker is located.


This was first published in January 2002
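
An added example, not part of the original answer: because the server log names the ID but not the address, one way to do the matching is to line up the times of the denied accesses with the port 1352 sessions recorded by the network analyzer, then look the address up in the network map. The record layouts, addresses, dates and function names below are constructed for illustration and are not Domino or analyzer formats.

```python
from collections import Counter
from datetime import datetime, timedelta

NOTES_PORT = 1352  # the Notes port named in the answer

# Constructed sample data; the field layouts are assumptions.
# (time, ID name, mail file) for each denied access, transcribed from the server log.
DENIALS = [
    ("2002-01-14 09:30:05", "M13", "mail/auser.nsf"),
    ("2002-01-14 09:30:05", "M13", "mail/buser.nsf"),
    ("2002-01-14 09:30:05", "M13", "mail/cuser.nsf"),
    ("2002-01-14 09:30:05", "M13", "mail/duser.nsf"),
    ("2002-01-14 11:02:40", "M13", "mail/euser.nsf"),
]
# (session start, session end, client IP, server port) from the network analyzer.
FLOWS = [
    ("2002-01-14 09:29:58", "2002-01-14 09:30:20", "10.1.4.23", 1352),
    ("2002-01-14 09:00:00", "2002-01-14 09:10:00", "10.1.7.11", 1352),
    ("2002-01-14 09:30:01", "2002-01-14 09:30:09", "10.1.2.50", 80),
    ("2002-01-14 11:02:00", "2002-01-14 11:03:00", "10.1.4.23", 1352),
]
# Network map: static IP address -> location.
NETWORK_MAP = {"10.1.4.23": "Building B, office 214", "10.1.7.11": "Building A, front desk"}

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def bursts(denials, id_name, threshold=3):
    """Seconds in which id_name was denied on at least `threshold` distinct mail files."""
    per_second = {}
    for when, who, db in denials:
        if who == id_name:
            per_second.setdefault(ts(when), set()).add(db)
    return sorted(t for t, dbs in per_second.items() if len(dbs) >= threshold)

def candidate_sources(burst_times, flows, slack=timedelta(seconds=2)):
    """Count, per client IP, the bursts that fall inside one of its port-1352 sessions."""
    hits = Counter()
    for b in burst_times:
        ips = {ip for start, end, ip, port in flows
               if port == NOTES_PORT and ts(start) - slack <= b <= ts(end) + slack}
        hits.update(ips)
    return hits

def locate(denials, flows, network_map, id_name):
    hits = candidate_sources(bursts(denials, id_name), flows)
    return [(ip, n, network_map.get(ip, "not in network map")) for ip, n in hits.most_common()]

if __name__ == "__main__":
    for ip, n, place in locate(DENIALS, FLOWS, NETWORK_MAP, "M13"):
        print(f"{ip}: {n} burst(s) matched, {place}")
```

If several clients had port 1352 sessions open during a burst, all of them come back as candidates; matching more bursts over time narrows the list.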
