gwia not receiving anymore

Hi,

we are running groupwise 8 on SLES 10. Everything was working fine until a couple of days ago.

Suddenly we cannot receive mails anymore and when I look into the GWIA log I see lots of entries like this:

16:06:16 200 DMN: MSG 1446207 SMTP session ended: [198.204.232.114] ()
16:06:16 664 DMN: MSG 1446209 SMTP session ended: [198.204.232.114] ()
16:06:16 128 DMN: MSG 1446210 SMTP session ended: [198.204.232.114] ()
16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()

and lots of

16:06:16 968 Successful login with client/server access: 192.168.1.2:1677

where 192.168.1.2 is the server itself with no Groupwise client running.

Do you know what this could be?

Maybe I need to add that we were running gwava also but we removed this to ensure that this is not causing the problem.

Your help is very much appreciated.

b.

  • In article <BrucePott.63q41c@no-mx.forums.novell.com>, BrucePott wrote:
    > 16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()

    does that IP have anything to do with your systems? Do you have anything
    to do with DataShack of Kansas?
    Is it consistently that IP?
    What rate are they hitting at? We'd typically look at this in
    entries/minute or even /second if they are suspect.

    > 16:06:16 968 Successful login with client/server access:
    > 192.168.1.2:1677

    in your GWIA log???

    How do these compare to the older logs?

    Is the domain/wpgate/gwia dir growing?
    cd to the wpgate and use "du -hx --max-depth=1" to see current size.

    Have you restarted gwia?


    Andy of
    KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php?userid=75037
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!

  • On 24.10.2013 18:26, BrucePott wrote:
    >
    > Hi,
    >
    > we are running groupwise 8 on SLES 10. Everything was working fine until
    > a couple of days ago.
    >
    > Suddenly we cannot receive mails anymore and when I look into the GWIA
    > log I see lots of entries like this:
    >
    > 16:06:16 200 DMN: MSG 1446207 SMTP session ended: [198.204.232.114] ()
    > 16:06:16 664 DMN: MSG 1446209 SMTP session ended: [198.204.232.114] ()
    > 16:06:16 128 DMN: MSG 1446210 SMTP session ended: [198.204.232.114] ()
    > 16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()
    >
    > and lots of
    >
    > 16:06:16 968 Successful login with client/server access:
    > 192.168.1.2:1677


    Unless the above IP is one of yours and the machine behind it one of yours
    (which I sort of doubt), then you're under attack by someone who has
    gained knowledge of a working set of GroupWise credentials on your
    system. Most likely your GWIA is currently acting as a relay host for spam
    messages, and is so busy doing that that there's no room left for its
    "real" job.

    Set your logs to verbose on GWIA and POA, and you will see in the POA
    logs *who* is doing the successful login through the GWIA. Immediately
    change that account's password, and for the future, enable intruder
    detection in your GW system.

    CU,
    --
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de
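    To put numbers on Andy's "entries/minute" question and Massimo's "who is logging in" point, here is an added example (not from either poster, and not a Novell tool) that parses GWIA log lines in the format quoted above, counts SMTP sessions per remote IP per minute, and lists client/server login sources that are not on a list of hosts you expect to run a GroupWise client. The sample log lines are constructed; the threshold and the allow-list are assumptions you would tune to your own traffic.

    ```python
    import re
    from collections import Counter

    # Constructed sample in the GWIA log format quoted in the thread.
    SAMPLE_LOG = """\
    16:06:15 200 DMN: MSG 1446201 SMTP session ended: [203.0.113.7] ()
    16:06:16 200 DMN: MSG 1446207 SMTP session ended: [198.204.232.114] ()
    16:06:16 664 DMN: MSG 1446209 SMTP session ended: [198.204.232.114] ()
    16:06:16 128 DMN: MSG 1446210 SMTP session ended: [198.204.232.114] ()
    16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()
    16:06:16 968 Successful login with client/server access: 192.168.1.2:1677
    16:06:17 200 DMN: MSG 1446212 SMTP session ended: [198.204.232.114] ()
    16:06:17 968 Successful login with client/server access: 192.168.1.2:1677
    16:07:02 200 DMN: MSG 1446250 SMTP session ended: [203.0.113.7] ()
    """

    # hh:mm is captured so that counts can be bucketed per minute.
    SESSION_RE = re.compile(
        r"^(\d\d:\d\d):\d\d \d+ DMN: MSG \d+ SMTP session ended: \[([\d.]+)\]")
    LOGIN_RE = re.compile(
        r"^(\d\d:\d\d):\d\d \d+ Successful login with client/server access: ([\d.]+):\d+")

    def parse(lines):
        """Return two Counters keyed by (ip, hh:mm): SMTP sessions and C/S logins."""
        sessions, logins = Counter(), Counter()
        for line in lines:
            m = SESSION_RE.match(line)
            if m:
                sessions[(m.group(2), m.group(1))] += 1
                continue
            m = LOGIN_RE.match(line)
            if m:
                logins[(m.group(2), m.group(1))] += 1
        return sessions, logins

    def relay_bursts(sessions, per_minute=3):
        """IPs that ended at least `per_minute` SMTP sessions within one minute.
        The threshold is an assumption; compare against your older, healthy logs."""
        hits = [(ip, minute, n) for (ip, minute), n in sessions.items() if n >= per_minute]
        return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

    def unexpected_login_sources(logins, known_clients):
        """Login source IPs not in the set of hosts expected to run a GroupWise client."""
        return sorted({ip for (ip, _minute) in logins if ip not in known_clients})

    if __name__ == "__main__":
        s, l = parse(SAMPLE_LOG.splitlines())
        print("relay bursts:", relay_bursts(s))
        print("unexpected logins:", unexpected_login_sources(l, {"192.168.1.50"}))
    ```

    On a real system you would feed it the current GWIA log and the rate should be compared with a log from before the problem started; an IP that sends in bursts while the server itself shows up as a client/server login source is the pattern Massimo describes.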
  • Hi,

    Thanks for your help. I guess we were really hacked, especially since some other passwords on the system had also been changed.

    Anyway, that is solved now.

    Thanks again.

    b.