Package: Squirrelmail
Version 1.4.4-6sarge1
I think there might be a security problem with squirrelmail. I got 2
different servers hacked, both of them have the following appearing in the
logfiles:
210.95.202.253 - - [03/Dec/2005:02:59:29 +0100]
"z`0\x01J\xaa\x02`\xb9\xe7\x92\x88z\x05\x9c\xd4?\x88E\xb5\x80\v" 501 - "-"
"-"
127.0.0.1 - - [03/Dec/2005:03:00:26 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:00:32 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:00:37 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
210.95.202.253 - - [03/Dec/2005:03:04:10 +0100]
"z`0\x01J\xaa\x02`\xb9\xe7\x92\x88z\x05\x9c\xd4?\x88E\xb5\x80\x0f" 501 - "-"
"-"
172.183.72.111 - - [03/Dec/2005:03:04:46 +0100] "GET / HTTP/1.1" 200 316 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
172.183.72.111 - - [03/Dec/2005:03:04:48 +0100] "GET
/squirrelmail/src/login.php HTTP/1.1" 200 2247 "-" "Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; S
127.0.0.1 - - [03/Dec/2005:03:05:26 +0100] "GET /server-status?auto
HTTP/1.1" 200 4295 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:05:32 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:05:37 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:10:26 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:10:31 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:10:35 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:15:26 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:15:31 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:15:36 +0100] "GET /server-status?auto
HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
172.183.72.111 - - [03/Dec/2005:03:16:27 +0100] "GET
/squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.1" 200 11305 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Win
172.183.72.111 - - [03/Dec/2005:03:16:27 +0100] "GET
/squirrelmail/src/.us/cmd-run=/gen_validatorv2.js HTTP/1.1" 200 11909 "
195.93.60.15 - - [03/Dec/2005:03:16:45 +0100] "GET
/squirrelmail/src/.us/cmd-run=/login.htmhttp://mail.pfisterer.at/squirrelmail/src/.us/cmd-run=/login.htm
H
195.93.60.9 - - [03/Dec/2005:03:17:31 +0100] "GET / HTTP/1.0" 200 316 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322
195.93.60.114 - - [03/Dec/2005:03:17:33 +0100] "GET
/squirrelmail/src/login.php HTTP/1.0" 200 2235 "-" "Mozilla/4.0 (compatible;
MSIE 6.0; AOL 9.0; Windows N
195.93.60.15 - - [03/Dec/2005:03:17:55 +0100] "GET
/squirrelmail/src/.us/cmd-run=/login.htmhttp://mail.pfisterer.at/squirrelmail/src/.us/cmd-run=/login.htm
H
195.93.60.78 - - [03/Dec/2005:03:17:58 +0100] "GET
/squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.0" 200 11305 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; AOL 9
195.93.60.7 - - [03/Dec/2005:03:18:01 +0100] "GET
/squirrelmail/src/.us/cmd-run=/gen_validatorv2.js HTTP/1.0" 200 11909 "
172.183.72.111 - - [03/Dec/2005:03:20:26 +0100] "GET
/squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.1" 200 11290 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Win
and some minutes later, there was a phishing website installed in
/usr/share/squirrelmail/src/ with a directory .us/ and some stuff below ....
As I got no idea what else could have happened... maybe you can help ....
regards
Ulrich
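
A log-triage example for the two patterns visible in this report, added here and not part of the original message: it flags request lines that are not HTTP at all (the 501 entries) and 2xx responses served from a dot-prefixed path such as .us/. The sample lines are constructed from the entries above (unwrapped, user agents shortened; the 198.51.100.7 line is invented), and the function and label names are illustrative.

```python
import re

# Constructed sample in Apache combined log format, modelled on the report's entries.
SAMPLE_LOG = r'''210.95.202.253 - - [03/Dec/2005:02:59:29 +0100] "z`0\x01J\xaa\x02`\xb9\xe7\x92\x88z\x05\x9c\xd4?\x88E\xb5\x80\v" 501 - "-" "-"
127.0.0.1 - - [03/Dec/2005:03:00:26 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
172.183.72.111 - - [03/Dec/2005:03:04:48 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2247 "-" "Mozilla/4.0"
172.183.72.111 - - [03/Dec/2005:03:16:27 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.1" 200 11305 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Dec/2005:03:20:00 +0100] "GET /squirrelmail/.htaccess HTTP/1.1" 403 210 "-" "Mozilla/4.0"
'''

# Client, timestamp, quoted request (backslash escapes allowed), status, size.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request line: METHOD, target, protocol version.
REQ = re.compile(r'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d')


def triage(log_text):
    """Return (ip, timestamp, label, detail) tuples for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line (e.g. wrapped or truncated)
        req = REQ.fullmatch(m['req'])
        if req is None:
            # Raw bytes sent to the HTTP port; Apache answers these with 501.
            findings.append((m['ip'], m['ts'], 'non-http-request', m['status']))
            continue
        path = req['path'].split('?', 1)[0]
        hidden = [s for s in path.split('/')
                  if s.startswith('.') and s not in ('.', '..')]
        # Content served successfully from a dot-prefixed file or directory.
        if hidden and m['status'].startswith('2'):
            findings.append((m['ip'], m['ts'], 'hidden-path-200', path))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep='  ')
```

The earliest hidden-path-200 timestamp gives a lower bound for when the directory was already being served, which narrows the window to search in the other logs.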