  • Status: Solved
  • Priority: Medium
  • Security: Public

Lotus Domino 7 - Find User

I found a user's account has been hacked.

Problem is I can't find the user on the system.

I am looking for jose

so I can change their password or delete
their account. I can't seem to find that short name;
we always used a longer name, not, like, just a first name.
Asked by: yahoolane
4 Solutions
 
CRAK Commented:
Have you tried the (hidden) view "($Users)"?

Sjef Bosman (Groupware Consultant) Commented:

yahoolane (Author) Commented:
Sjef,

I don't understand how to fix
this user jose

on my system. I really don't want to open every profile.
I have tried and still not found it.
 
Sjef Bosman (Groupware Consultant) Commented:
As I asked in your other question: how do you know the user jose is on your server?? Do you have logs from the server for us to inspect, especially from the Miscellaneous and Mail views?

And did you open the ($Users) view, as CRAK suggested? Click View, then press and hold Ctrl and Shift, and click Go To... in the options. You should see all views, even the hidden ones. Scroll down to ($Users), click it and then Open the view. Search for jose.

CRAK Commented:
A few things had come to mind:
- a compromised user account,
- a public form + bot,
- spoofing,
but I wouldn't have guessed from this question that this might have been an open relay.

I do think this emphasizes Sjef's question: what exactly made you distrust your current security and how did you come across jose?

PS
No need to open every profile if you use the ($Users) view; it contains virtually every name variant of every user. If you use a secondary address book (directory), you may have to check that one as well!

yahoolane (Author) Commented:
Help me a little more about the
($Users) view.

What tab, what menu??

I am not an open relay, I tested.

I came across Jose by catching the traffic to the SMTP server when
the hack was occurring,
and that was the user, and the password was not strong.

Sjef Bosman (Groupware Consultant) Commented:
I told you above how to open the hidden ($Users) view...

yahoolane (Author) Commented:
Yes, I was able to open the hidden menu

and found ($Users).

But no Jose was listed.

I double-checked the trace dump and it is jose as the username.

I have changed the password for everyone whose first name is 'jose'.

I saw no short ID names jose.

Sjef Bosman (Groupware Consultant) Commented:
Then show us some Trace dump please, if you do want our assistance but don't want to show us real info from the Domino logs...

yahoolane (Author) Commented:
The logs don't show much;
they don't give user logging in.

I am going to start a firewall dump again
to see who is knocking.

Sjef Bosman (Groupware Consultant) Commented:
No, they don't give much logging info, especially not if the mails aren't relayed by the Domino server. If the mails are sent or transferred by the Domino server, there MUST be some log documents in the Mail Routing section. Applying a logical NOT(x) to the statement: if you don't see anything in the mail logs, it isn't sent by Domino!

There are things you can do:
- you can activate Mail Journalling, if you want to capture all mails, or specific mails
- check all ports on the server, to find out if there are multiple mail servers running

Sheesh, you make it very difficult for us: our hands are tied behind our backs, we're blindfolded, all we get are some bits and bobs of information... I very much dislike guessing games.

CRAK Commented:
Did you perhaps only witness a login attempt? Those can be quite common. My Domino Web Server Log shows numerous attempts to gain access through some common PHP/Apache URLs, e.g. <host>/phpMyAdmin/scripts/setup.php. Some URLs are completely 'escaped'. I wouldn't be surprised if some attempts include login attempts. 'Jose' wouldn't be my first choice for such attempts though. ;-)

akhafaf Commented:
Hi there,

In order to find the root cause of this problem: firstly, you mentioned "I found a users account has been hacked". How did you find the account was hacked?

Best Wishes

Sjef Bosman (Groupware Consultant) Commented:
Solved? Ok, great news, but how was it solved??

yahoolane (Author) Commented:
The problem has been solved.

Sjef Bosman (Groupware Consultant) Commented:
Can you please tell us how you solved the problem??

yahoolane (Author) Commented:
There was no solution.

The answer was to change the password for everyone whose first name was jose,
and that seemed to fix it.

Now that does not make sense since their 'shortname' was not jose.
We use a FL Lastname format.

So it must be some sort of bug or feature in Lotus 7.

Sjef Bosman (Groupware Consultant) Commented:
Maybe you should set the Internet Access authentication to "Fewer name variations with higher security". It's in the Server document, Security tab, under Internet Access.
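
Added example (not part of the original thread and not Domino code): a Python model of how a login of jose can resolve to Person documents whose short name is not jose, and which accounts stop matching once fewer name variations are accepted. The sample directory and the two field sets are assumptions made for illustration; confirm the exact variants your release accepts in the Domino Administrator help.

```python
import re

# Constructed sample of Person documents, e.g. exported from the Domino Directory.
# FullName is multi-valued: first entry is the hierarchical name, the rest are aliases.
PEOPLE = [
    {"FullName": ["CN=Jose Alvarez/O=Acme", "Jose Alvarez"], "FirstName": "Jose",
     "LastName": "Alvarez", "ShortName": "JAlvarez", "InternetAddress": "jalvarez@acme.example"},
    {"FullName": ["CN=Jose Ruiz/O=Acme"], "FirstName": "Jose",
     "LastName": "Ruiz", "ShortName": "JRuiz", "InternetAddress": "jruiz@acme.example"},
    {"FullName": ["CN=Maria Lane/O=Acme"], "FirstName": "Maria",
     "LastName": "Lane", "ShortName": "MLane", "InternetAddress": "mlane@acme.example"},
]

# Assumed models of the two Internet authentication settings (not taken from the thread);
# verify the accepted variants against the documentation for your server release.
MORE_VARIATIONS = {"first", "last", "short", "common", "hierarchical", "alias", "internet"}
FEWER_VARIATIONS = {"common", "hierarchical", "alias", "internet"}

def name_variants(person):
    """Map each variant kind to the set of lower-cased names it contributes."""
    full = person["FullName"]
    cn = re.match(r"CN=([^/]+)", full[0], re.I)
    abbreviated = re.sub(r"\b(CN|OU|O|C)=", "", full[0], flags=re.I)
    raw = {
        "first": [person["FirstName"]],
        "last": [person["LastName"]],
        "short": [person["ShortName"]],
        "internet": [person["InternetAddress"]],
        "hierarchical": [full[0], abbreviated],
        "common": [cn.group(1)] if cn else [],
        "alias": full[1:],
    }
    return {k: {v.strip().lower() for v in vals if v.strip()} for k, vals in raw.items()}

def resolve(login, people, allowed):
    """Return (hierarchical name, matching variant kinds) for each person the login maps to."""
    login = login.strip().lower()
    hits = []
    for p in people:
        kinds = sorted(k for k, names in name_variants(p).items()
                       if k in allowed and login in names)
        if kinds:
            hits.append((p["FullName"][0], kinds))
    return hits

def exposed_by_broad_matching(login, people):
    """Accounts the login reaches only when the broad set of name variations is accepted."""
    narrow = {name for name, _ in resolve(login, people, FEWER_VARIATIONS)}
    return [(n, k) for n, k in resolve(login, people, MORE_VARIATIONS) if n not in narrow]
```

Running `exposed_by_broad_matching("jose", PEOPLE)` lists every account whose password is being tested when a client submits jose as the user name, which is the set whose passwords need review.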