tags moreinfo unreproducible
thanks

On Mon, 2005-12-05 at 22:19 +0100, Ulrich Huber wrote:
> Package: Squirrelmail
> Version 1.4.4-6sarge1
>
> I think there might be a security problem with squirrelmail. I got 2
> different servers hacked, both of them have the following appearing in the
> logfiles:
> and some minutes later, there was a phishing Website installed in
> /usr/share/squirrelmail/src/ with a directory .us/ and some stuff below ....
>
> As I got no idea what else could have happened... maybe you can help ....

Hello Ulrich,

I highly doubt that the problem is SquirrelMail here, for the following reasons:

- SquirrelMail doesn't ship a .us dir (or any dot-dirs) in its package.
- The web server does not have write access to /usr/share, only root has that, so it is impossible to write to that dir by just doing requests, or even, by doing anything at all with squirrelmail.
- The requests you supply do not indicate placing that dir there at all, they just show that it's being used.

Therefore, I think you are probably hacked in some other way, and possibly then the malicious dir was installed under /usr/share. The logs then show that someone used it.

In any case you should discontinue using those systems immediately and do a full reinstall, since someone has had root-level access.

If you need more support for solving that problem, this bug report is not the right place; you could try a mailing list or hiring a consultant.

Good luck!

Thijs Kinkhorst