
gwia not receiving anymore

Hi,

we are running groupwise 8 on SLES 10. Everything was working fine until a couple of days ago.

Suddenly we cannot receive mail anymore, and when I look into the GWIA log I see lots of entries like this:

16:06:16 200 DMN: MSG 1446207 SMTP session ended: [198.204.232.114] ()
16:06:16 664 DMN: MSG 1446209 SMTP session ended: [198.204.232.114] ()
16:06:16 128 DMN: MSG 1446210 SMTP session ended: [198.204.232.114] ()
16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()

and lots of

16:06:16 968 Successful login with client/server access: 192.168.1.2:1677

where 192.168.1.2 is the server itself with no Groupwise client running.

Do you know what this could be?

Maybe I should add that we were also running GWAVA, but we removed it to make sure that it is not causing the problem.

Your help is very much appreciated.

b.

Re: gwia not receiving anymore

In article <BrucePott.63q41c@no-mx.forums.novell.com>, BrucePott wrote:
> 16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()

Does that IP have anything to do with your systems? Do you have anything
to do with DataShack of Kansas?
Is it consistently that IP?
What rate are they hitting at? We'd typically look at this in
entries/minute or even /second if they are suspect.

> 16:06:16 968 Successful login with client/server access:
> 192.168.1.2:1677

in your GWIA log???

How do these compare to the older logs?

Is the domain/wpgate/gwia dir growing?
cd to the wpgate and use "du -hx --max-depth=1" to see current size.

Have you restarted gwia?


Andy of
KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php?userid=75037
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!

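Andy's rate question, worked over a GWIA log excerpt. This is an added example for this thread, not GroupWise code or anything from the original posts: it matches the two line shapes quoted above ("SMTP session ended: [ip] ()" and "Successful login with client/server access: ip:port"), tallies each per address per minute, and lists any address whose peak exceeds a threshold, so the per-minute figure Andy asks for can be read off directly. The first four session lines and the first login line are copied from the post; the remaining sample lines are constructed and use RFC 5737 documentation addresses. The threshold of 5 sessions per minute is an assumption chosen to fit the sample, not a GroupWise setting, and the script makes no claim about what the login line means beyond the address it prints.

```python
"""Tally GWIA log lines per address and per minute (added example, not GroupWise code)."""
import sys
import re
from collections import Counter, defaultdict

# Line shapes taken from the log excerpts quoted in the post.
SESSION_RE = re.compile(
    r"^(?P<hms>\d\d:\d\d:\d\d)\s+\d+\s+DMN: MSG \d+ SMTP session ended: "
    r"\[(?P<ip>[\d.]+)\]"
)
LOGIN_RE = re.compile(
    r"^(?P<hms>\d\d:\d\d:\d\d)\s+\d+\s+Successful login with client/server access: "
    r"(?P<ip>[\d.]+):(?P<port>\d+)"
)

# Constructed sample: first four session lines and first login line are from
# the post, the rest are made up using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
16:06:16 200 DMN: MSG 1446207 SMTP session ended: [198.204.232.114] ()
16:06:16 664 DMN: MSG 1446209 SMTP session ended: [198.204.232.114] ()
16:06:16 128 DMN: MSG 1446210 SMTP session ended: [198.204.232.114] ()
16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()
16:06:16 968 Successful login with client/server access: 192.168.1.2:1677
16:06:17 200 DMN: MSG 1446212 SMTP session ended: [198.204.232.114] ()
16:06:17 968 Successful login with client/server access: 192.168.1.2:1677
16:06:45 304 DMN: MSG 1446213 SMTP session ended: [203.0.113.7] ()
16:07:02 200 DMN: MSG 1446214 SMTP session ended: [198.204.232.114] ()
16:07:02 968 Successful login with client/server access: 192.168.1.2:1677
16:07:30 304 DMN: MSG 1446215 SMTP session ended: [198.51.100.20] ()
"""


def parse_gwia_log(lines):
    """Return (sessions, logins).

    sessions: Counter keyed by (ip, "HH:MM") of 'SMTP session ended' lines.
    logins:   Counter keyed by (ip, "HH:MM") of client/server login lines.
    Lines that match neither shape are ignored.
    """
    sessions = Counter()
    logins = Counter()
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            sessions[(m["ip"], m["hms"][:5])] += 1
            continue
        m = LOGIN_RE.match(line)
        if m:
            logins[(m["ip"], m["hms"][:5])] += 1
    return sessions, logins


def peak_per_minute(counter):
    """Highest count seen in any single minute, per address."""
    peak = defaultdict(int)
    for (ip, _minute), n in counter.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def session_share(sessions):
    """Fraction of all SMTP sessions attributable to each address."""
    total = sum(sessions.values())
    per_ip = Counter()
    for (ip, _minute), n in sessions.items():
        per_ip[ip] += n
    return {ip: n / total for ip, n in per_ip.items()} if total else {}


def busy_ips(lines, per_minute=5):
    """Addresses whose peak sessions/minute reaches the (assumed) threshold."""
    sessions, _ = parse_gwia_log(lines)
    return sorted((ip, n) for ip, n in peak_per_minute(sessions).items() if n >= per_minute)


if __name__ == "__main__":
    # Pass the path to the real GWIA log file as the first argument;
    # without one, the constructed sample is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    sessions, logins = parse_gwia_log(log_lines)
    for ip, share in sorted(session_share(sessions).items(), key=lambda kv: -kv[1]):
        print(f"{ip:18} sessions={share:.0%} peak/min={peak_per_minute(sessions)[ip]}")
    for ip, n in peak_per_minute(logins).items():
        print(f"{ip:18} C/S login lines peak/min={n}")
    print("over threshold:", busy_ips(log_lines))
```

Against the sample, the post's IP accounts for three quarters of all sessions and peaks at five in one minute, which is the kind of figure Andy wants compared against the older logs; run the script against the current and a previous day's GWIA log and compare the two outputs.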

Re: gwia not receiving anymore

On 24.10.2013 18:26, BrucePott wrote:
>
> Hi,
>
> we are running groupwise 8 on SLES 10. Everything was working fine until
> a couple of days ago.
>
> Sudenly we cannot receive mails anymore and when I look into the GWIA
> log I see lots of entries like this:
>
> 16:06:16 200 DMN: MSG 1446207 SMTP session ended: [198.204.232.114] ()
> 16:06:16 664 DMN: MSG 1446209 SMTP session ended: [198.204.232.114] ()
> 16:06:16 128 DMN: MSG 1446210 SMTP session ended: [198.204.232.114] ()
> 16:06:16 816 DMN: MSG 1446211 SMTP session ended: [198.204.232.114] ()
>
> and lots of
>
> 16:06:16 968 Successful login with client/server access:
> 192.168.1.2:1677


Unless the above IP is one of yours and the machine behind it one of yours
(which I sort of doubt), then you're under attack by someone who has
gained knowledge of a working set of GroupWise credentials for your
system. Most likely your GWIA is currently acting as a relay host for spam
messages, and is so busy doing that that there's no room left for its
"real" job.

Set your logs to verbose on GWIA and POA, and you will see in the POA
logs *who* is doing the successful login through the GWIA. Immediately
change that account's password, and for the future, enable intruder
detection in your GW system.

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de

Re: gwia not receiving anymore

Hi,

Thanks for your help. I guess we really were hacked, especially since some other passwords on the system had also been changed.

Anyway, that is solved now.

Thanks again.

b.