Solved

Lotus Domino 7 - Find User

Posted on 2014-01-21
Last Modified: 2014-01-31
I found a user's account has been hacked.

The problem is I can't find the user on the system.

I am looking for jose so I can change their password or delete their account. I can't seem to find that short name; we always used a longer name, not, like, just a first name.
Question by:yahoolane
18 Comments
 
LVL 13

Expert Comment

by:CRAK
ID: 39799312
Have you tried the (hidden) view "($Users)"?
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 500 total points
ID: 39799358
 
LVL 1

Author Comment

by:yahoolane
ID: 39799874
Sjef,

I don't understand how to fix this user jose on my system. I really don't want to open every profile.
I have tried and still not found it.
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 500 total points
ID: 39799901
As I asked in your other question: how do you know the user jose is on your server?? Do you have logs from the server for us to inspect, especially from the Miscellaneous and Mail views?

And did you open the $Users view, as CRAK suggested? Click View, then press and hold Ctrl and Shift, and click Go To... in the options. You should see all views, even the hidden ones. Scroll down to ($Users), click it and then Open the view. Search for jose.
 
LVL 13

Expert Comment

by:CRAK
ID: 39801321
A few things had come to mind:
- a compromised user account,
- a public form + bot,
- spoofing,
but I wouldn't have guessed from this question that this might have been an open relay.

I do think this emphasizes Sjef's question: what exactly made you distrust your current security and how did you come across jose?

PS
No need to open every profile if you use the ($Users) view; it contains virtually every name variant of every user. If you use a secondary addressbook (directory), you may have to check that one as well!
 
LVL 1

Author Comment

by:yahoolane
ID: 39801598
Help me a little more about the ($Users) view: what tab, what menu??

I am not an open relay, I tested.

I came across Jose by catching the traffic to the SMTP server when the hack was occurring, and that was the user, and the password was not strong.
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 500 total points
ID: 39801696
I told you above how to open the hidden ($Users) view...
 
LVL 1

Assisted Solution

by:yahoolane
yahoolane earned 0 total points
ID: 39804000
Yes, I was able to open the hidden menu and found ($Users).

But no jose was listed.

I double-checked the trace dump and it is jose as the username.

I have changed the password for everyone whose first name is 'jose'.

I saw no short ID named jose.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39804039
Then show us some Trace dump please, if you do want our assistance but don't want to show us real info from the Domino logs...
 
LVL 1

Author Comment

by:yahoolane
ID: 39804079
The logs don't show much; they don't give the user logging in.

I am going to start a firewall dump again to see who is knocking.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39804166
No, they don't give much logging info, especially not if the mails aren't relayed by the Domino server. If the mails are sent or transferred by the Domino server, there MUST be some log documents in the Mail Routing section. Applying a logical NOT(x) to the statement: if you don't see anything in the mail logs, it isn't sent by Domino!

There are things you can do:
- you can activate Mail Journalling, if you want to capture all mails, or specific mails
- check all ports on the server, to find out if there are multiple mail servers running

Sheesh, you make it very difficult for us: our hands are tied behind our backs, we're blindfolded, all we get are some bits and bobs of information... I very much dislike guessing games.
 
LVL 13

Expert Comment

by:CRAK
ID: 39804550
Did you perhaps only witness a login attempt? Those can be quite common. My Domino Web Server Log shows numerous attempts to gain access through some common php/apache URLs, e.g. <host>/phpMyAdmin/scripts/setup.php. Some URLs are completely 'escaped'. I wouldn't be surprised if some attempts include login attempts. 'Jose' wouldn't be my 1st choice for such attempts though. ;-)
 
LVL 15

Expert Comment

by:akhafaf
ID: 39810131
Hi there,

In order to find the root cause of this problem: firstly, you mentioned "I found a users account has been hacked". How did you find the account was hacked?

Best Wishes
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39810677
Solved? Ok, great news, but how was it solved??
 
LVL 1

Author Closing Comment

by:yahoolane
ID: 39823529
The problem has been solved.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39823576
Can you please tell us how you solved the problem??
 
LVL 1

Author Comment

by:yahoolane
ID: 39824046
There was no solution.

The answer was to change the password for everyone whose first name was jose, and that seemed to fix it.

Now that does not make sense, since their 'shortname' was not jose. We use a FL Lastname format.

So it must be some sort of bug or feature in Lotus 7.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39824132
Maybe you should set the Internet Access authentication to "Fewer name variations with higher security". It's in the Server document, Security tab, under Internet Access.
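
An added example, not part of the original thread and not Domino code: a small audit script that models the two Internet Access authentication settings named above and shows which person documents a login name such as jose resolves to under each. The two name lists are a simplified model of the documented behaviour and should be checked against your release; the directory entries, short names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Person:
    full_name: str                 # abbreviated hierarchical name
    first: str
    last: str
    short: str
    internet: str
    aliases: list = field(default_factory=list)

    @property
    def common(self):
        return self.full_name.split("/")[0]

# Constructed sample directory (not taken from the thread).
DIRECTORY = [
    Person("Jose Garcia/Sales/Acme", "Jose", "Garcia", "JGarcia", "jgarcia@acme.example"),
    Person("Jose Ramos/Support/Acme", "Jose", "Ramos", "JRamos", "jramos@acme.example"),
    Person("Maria Lopez/Sales/Acme", "Maria", "Lopez", "MLopez", "mlopez@acme.example"),
]

def accepted_names(p, mode):
    """Login names accepted for one person; mode is 'fewer' or 'more' (assumed model)."""
    names = {p.full_name, p.common, p.internet, *p.aliases}
    if mode == "more":
        # The lower-security setting also accepts bare first, last and short names.
        names |= {p.first, p.last, p.short}
    return {n.lower() for n in names if n}

def who_matches(directory, login, mode):
    """Person documents a given login name could authenticate against."""
    return [p.full_name for p in directory if login.lower() in accepted_names(p, mode)]

def ambiguous_logins(directory, mode):
    """Login names that resolve to more than one person document."""
    seen = {}
    for p in directory:
        for n in accepted_names(p, mode):
            seen.setdefault(n, []).append(p.full_name)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for mode in ("more", "fewer"):
        print(mode, who_matches(DIRECTORY, "jose", mode), ambiguous_logins(DIRECTORY, mode))
```

Run against an export of your own person documents, the list returned by ambiguous_logins for the lower-security mode is the set of accounts whose passwords matter for a short login like the one seen in the SMTP capture.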