[SM-USERS] 404 after sending mail

2007-10-09 Thread Jürgen Knelangen
Hi all!

After sending an email with SquirrelMail I get a 404. Nevertheless the mail is
sent, and when I reload the page I return to the inbox view.

This appears in the apache log:
1.2.3.4 - - [09/Oct/2007:10:02:10 +0200] "GET /etc/squirrelmail//squirrelmail/src/right_main.php?mailbox=INBOX&sort=0&startMessage=1 HTTP/1.1" 200 4886 "http://www.example.tld/squirrelmail/src/compose.php?mailbox=INBOX&startMessage=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"

Of course the path /etc/squirrelmail//squirrelmail/ does not exist.

Info about my system:
Squirrelmail 1.4.9 on Debian 4.0 (installed via apt-get)
Plugins: vlogin
php 5.2.0
IMAP: Courier 4.1.1
SMTP: Postfix 2.3.8

Any hints?
Jürgen



-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
--
squirrelmail-users mailing list
Posting Guidelines: 
http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@lists.sourceforge.net
List Archives: 
http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Nick Bright

Fredrik Jervfors wrote:

Matt wrote:

On 9/7/07, Chris Hoogendyk <[EMAIL PROTECTED]> wrote:

Matt wrote:

Do you have any proof of a virus logging in? Couldn't it just be
plain ol' keyboard logging and the person who gets the logs
(not your intended
users) sends out the spam manually? It's technically possible to
write a program that logs in automatically, using any kind of mail
interface - not just web mail interfaces, as long as you have the
password, but without the password it's a harder nut to crack. The
key question is: how do the spammers get the password? If they get
it through a broken browser caching the user name and password,
fix the broken browser.


I haven't been able to figure out what the name of the virus is,
yet... however... I doubt it is keyboard logging for the following
reasons:

1 - The logins happen from IPs on our network (that is.. someone
outside didn't capture the login info and then use it). 2 - When the
user cleans their machine the spam stops going out, even if the
password is kept the same.

A lot of these users have reported they don't type their
username/password into webmail, but rather use IE to save it.  So
the virus is getting the username and password out of the IE saved
password area.

If you can track the IP, and you can separate 1 and 2 above, that
would be helpful. If you are not a network specialist, get someone to
help you. Capture the traffic between the user machine and your web
server to confirm the activity. Then run diagnostics on the client
machine *before* cleaning it. Identify what the process is that is
originating the traffic, pin down the source, and submit it to
security forums, McAfee, etc.

If this really is a virus, it seems it would be known. There are a
lot of security people out there who track this stuff. When the user
cleans their machine, I presume you mean running a virus scan? Don't
you get reports from that? Doesn't it tell you that it found something
and what it found? Then you can look that up on the virus and security
sites and get a detailed analysis of it.

Also, I'm presuming since you can track the IP that you are in fact
looking at the logs on the server and seeing that the hits are against
 the web pages. If you haven't confirmed this, and your squirrelmail
server is also your general mail server (which is typical), then it
is possible, and also typical of viruses, that they might simply be
shooting mail out and it is going through your regular mail server
(smtp) without any connection to squirrelmail.

If you are not examining all the logs on the server, then you should
be. If you are not the sysadmin, then get the help of the sysadmin
and/or someone who is a security specialist. Comparing web logs, imap
logs, auth logs, mail logs, will give you a fuller picture of what is
going on. There is not a whole lot that people on the list can tell
you without real due diligence on your part. We can't (or shouldn't be
expected to) dig into your server as root and see what is really going
on.

Once you've nailed it down, you have to take action. Clean up all the
 computers on your network. Tell your users not to save their logins
on IE. Even tell them not to use IE ("Internet Exploder" if that helps
get the point across). Firefox is more reliable and secure. Configure
it to never save login or form information.

All great advice... except these are users on a broadband and dial-up
network.  Being the normal luser... they clean their system with a virus
scanner... say ok it's clean (And it is) but fail to remember or note
what the scanner found.. so I have no idea what virus it is... what I do
know is there was just a large worm that went around, and it
corresponded with that outbreak.

I will have to try a packet capture next time it happens.

The purpose of my post here is not to have others dig into my servers.
The purpose was to find out if anyone else is seeing this.  I find it
hard to believe no one else is seeing it especially since I've seen
other posts with the same question..

So, among all your users, there ought to be at least one who you can ask
to take notes and tell you what the virus scanner said. Is this still
going on? Pick a victim and ask them to take notes and let you know
exactly what happens.

Also, can you tell us what logs you are looking at and what you have
found? (Asking you the same thing I am asking you to ask your users. ;-)
)

If there is doubt coming from others on the list, it is because they
want it nailed down. Saying, "I know this is a virus", doesn't nail it
down. So, do you have full access to the server? Are you the admin? Can
you look at all the log files? Then tell us what you see and which log
files you see it in.


Hi Matt.

Were you ever able to crack this nut? Did you find the name of the virus,
or was it something else causing the problem? I'd love to hear what caused
it, not just that it went away when running a virus/trojan/backdoor
cleaner.

Sincerely,
Fredrik



I'm not sure if he 

Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Ken A
Nick Bright wrote:

> Per some suggestions in the thread I was able to determine that they are
> not using "mailto.php", but rather compose.php:
> 
> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


Are you saying that was the only entry in the log from that IP? They 
only hit compose.php? If not, what was the sequence of events?

Ken


> 
> Nobody can reasonably expect an ISP to keep every single users' PC clean
> of trashware constantly, so accordingly there needs to be some way to
> mitigate the impact of this type of issue at the common point - the 
> SquirrelMail installation. It doesn't seem to me like this is a bug or a 
> security vulnerability in SM since a valid users' password was 
> compromised, but is there any way to mitigate this type of thing?
> 
> I would appreciate any feedback regarding this topic and methods of
> mitigating damage done by compromised accounts. I will also answer any
> questions that may help develop a method of mitigation.
> 
> - Nick Bright
>   Terra World
>   http://home.terraworld.net

-- 
Ken Anderson
Pacific.Net



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Nick Bright

Ken A wrote:

Nick Bright wrote:


Per some suggestions in the thread I was able to determine that they are
not using "mailto.php", but rather compose.php:

/var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
"GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
"http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"



Are you saying that was the only entry in the log from that IP? They 
only hit compose.php? If not, what was the sequence of events?


There were many hits from quite a few different IP addresses, and they
all looked similar to that. I've extracted log entries from that IP
address, and attached the file to this message.


From what I can tell it logs in, then hits compose.php repeatedly.

 - Nick



Ken



Nobody can reasonably expect an ISP to keep every single users' PC clean
of trashware constantly, so accordingly there needs to be some way to
mitigate the impact of this type of issue at the common point - the 
SquirrelMail installation. It doesn't seem to me like this is a bug or a 
security vulnerability in SM since a valid users' password was 
compromised, but is there any way to mitigate this type of thing?


I would appreciate any feedback regarding this topic and methods of
mitigating damage done by compromised accounts. I will also answer any
questions that may help develop a method of mitigation.

- Nick Bright
  Terra World
  http://home.terraworld.net


196.1.179.183 - - [08/Oct/2007:12:05:31 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [08/Oct/2007:12:05:33 -0500] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 7396 "http://webmail.terraworld.net/webmail/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [08/Oct/2007:12:06:11 -0500] "GET /webmail/src/login.php HTTP/1.1" 200 12634 "http://webmail.terraworld.net/webmail/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [08/Oct/2007:12:07:01 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 200 1201 "http://webmail.terraworld.net/webmail/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:26:26 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:26:28 -0500] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 7396 "http://webmail.terraworld.net/webmail/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:29:22 -0500] "GET /webmail/src/login.php HTTP/1.1" 200 12615 "http://webmail.terraworld.net/webmail/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:15 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:18 -0500] "GET /webmail/src/webmail.php?right_frame=/webmail/src/webmail.php HTTP/1.1" 200 351 "http://webmail.terraworld.net/webmail/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:21 -0500] "GET /webmail/src/%2Fwebmail%2Fsrc%2Fwebmail.php HTTP/1.1" 404 322 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:21 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2876 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:35 -0500] "GET /webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX HTTP/1.1" 200 5253 "http://webmail.terraworld.net/webmail/src/left_main.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:38 -0500] "GET /webmail/images/down_pointer.png HTTP/1.1" 200 272 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:39 -0500] "GET /webmail/images/sort_none.png HTTP/1.1" 200 289 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:40 -0500] "GET /webmail/src/options.php HTTP/1.1" 200 6472 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct

[SM-USERS] Problems acessing Files

2007-10-09 Thread Nuno Parreira
On Mon, October 8, 2007 20:38, Nuno Parreira wrote:
| Hi Dear Sirs,
| My name is Nuno, I'm writing you regarding a problem that I have with the
| Squirrel Email interface. I really don't know if this is the correct email
| to put this kind of problem to (probably not), but I tried fruitlessly to
| find the correct email address everywhere... Can you please forward to the
| correct guys...
| Let me first give you my compliments for the great job that you have
| implemented.
| I have implemented on my system the version 1.4.10a of the Squirrel Email.
| My Web Server is the Apache 2.0 and PHP version is the 5.0.4.
| I have the HmailServer 4.4-B270 (all running in a Windows XP Operating
| System).
| I only have one problem on this solution. I also have several Web Servers
| on my system on several machines. To get the correct traffic to the
| correct Web Server I have a Reverse Proxy software (the Fastream IQ).
| Everything is working fine except when I request the download of a file
| through the Reverse Proxy. The file that I receive is a 0 KB file. It does
| not matter what kind of file it is, it could be a zip or an mpg file, the
| result is always the same. The only ones that seem to be passing and
| manage to be downloaded are the .txt files.
| I really don't know why this is happening; somewhere in the process the
| file vanishes. If I try without the Reverse Proxy everything is working
| fine. I'm sending you this email because I read somewhere that you had a
| similar problem on an earlier version.
| The strange thing about this is that I have experimented with installing
| the Squirrel with IIS and this feature worked with no problem (but I had
| some other incompatibilities and got Apache working again).
| Can you please help me on this issue?
| I really don't know what else to do to solve this problem and believe me
| that I have wasted a lot of time around this problem before writing you
| Sirs this email...
| Another thing, even if I try to see a picture (a normal .jpg file) in the
| browser through the "Viewing an image attachment" on the SquirrelMail
| interface it does not show anything but a small square with a cross
| inside.
| Please help me to solve this issue.
| If you need any more information about the configuration please ask me.
|
| Thank you very much
|
| Nuno Parreira
| NPJS-Networks
| Serviços de Internet - Internet Services
| [EMAIL PROTECTED]
| [EMAIL PROTECTED]
| +351 93 453 2863
|
|






Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread nick-tech
Sorry to reopen a thread, but I am seeing the same issue as the original
poster in this thread:

http://sourceforge.net/mailarchive/message.php?msg_id=c11d02530709050557ldb78519i4cdecd1ea08dc368%40mail.gmail.com

In that I am seeing spam sent through my SM install, packages are:

CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:

  Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. mpppolicygroup
5. quota_usage

  Available Plugins:
6. translate
7. compatibility
8. spamcop
9. sent_subfolders
10. check_quota
11. filters
12. calendar
13. info
14. message_details
15. listcommands
16. mail_fetch
17. twc_weather
18. show_thumb
19. captcha
20. bug_report
21. fortune
22. lockout
23. administrator
24. addgraphics
25. abook_take

Apache version httpd-2.0.52-32.3.ent.centos4 w/ mod_access_rbl
PHP version php-4.3.9-3.22.9

Symptoms are:

Somehow a botnet operator gets hold of a valid username and password. I
assume through trojan activity. The botnet then proceeds to send mail
through squirrelmail using a *valid* username and password. I think that
it is a botnet because the same username has many hits from widely varying
IP addresses. Changing the password blocks the spam and stops the
behavior.

I am certain that this is not a case of forged headers for the same
reasons as the OP: Spam shows up in the Sent folder, disabling the account
stops the spam, and I see the traffic in the web server logs. We have also
been blacklisted on a couple of RBL's due to this issue.

Per some suggestions in the thread I was able to determine that they are
not using "mailto.php", but rather compose.php:

/var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
"GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
"http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

It doesn't seem to me like this is a bug or a security vulnerability in SM
since a valid users' password was compromised, but is there any way to
mitigate this type of thing?

Nobody can reasonably expect an ISP to keep every single users' PC clean
of trashware constantly, so accordingly there needs to be some way to
mitigate the impact of this type of issue.

This happened once before, but it was an assault against weak passwords in
our accounting systems. We cleaned that problem up and as a result
installed mod_access_rbl on the web server, which does RBL checks against
spamcop - anyone that tries to log in to webmail has to make it past that
RBL check, but still this has happened! The total number of spams in the
user's "Sent" box was only a few hundred, so it seems like the RBL mod
helped quite a bit, but still some IP addresses on the botnet were not
RBL'd.

I would appreciate any feedback regarding this topic and methods of
mitigating damage done by compromised accounts. I will also answer any
questions that may help develop a method of mitigation.

If anyone is interested in the mod_access_rbl, I'm having trouble finding
the original page, but I do have a patch file I can send you.

 - Nick Bright
   Network Admin
   Terra World










[SM-USERS] Bug Report

2007-10-09 Thread pappy50 . 99
I'm not able to CC or add additional addresses when sending email. It
gives me a new window. How can I set this back to default?








I subscribe to the squirrelmail-users mailing list.
  [ ]  True - No need to CC me when replying
  [ ]  False - Please CC me when replying

This bug occurs when I ...
  ... view a particular message
  ... use a specific plugin/function
  ... try to do/view/use 



The description of the bug:


I can reproduce the bug by:


(Optional) I got bored and found the bug occurs in:


(Optional) I got really bored and here's a fix:


--

My browser information:
  Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20050915
Firefox/1.0.7

My web server information:
  PHP Version 4.3.2
  PHP Extensions (List)
* 0 = yp
* 1 = xml
* 2 = wddx
* 3 = tokenizer
* 4 = sysvshm
* 5 = sysvsem
* 6 = standard
* 7 = sockets
* 8 = shmop
* 9 = session
* 10 = pspell
* 11 = posix
* 12 = pcre
* 13 = overload
* 14 = openssl
* 15 = mbstring
* 16 = iconv
* 17 = gmp
* 18 = gettext
* 19 = gd
* 20 = ftp
* 21 = exif
* 22 = domxml
* 23 = dio
* 24 = dbx
* 25 = dba
* 26 = curl
* 27 = ctype
* 28 = calendar
* 29 = bz2
* 30 = bcmath
* 31 = zlib
* 32 = apache2filter
* 33 = imap
* 34 = ldap
* 35 = mysql

SquirrelMail-specific information:
  Version:  1.4.4
  Plugins (List)
* 0 = squirrelspell
* 1 = abook_take
* 2 = newmail
* 3 = sent_subfolders
* 4 = mail_fetch
* 5 = listcommands
* 6 = delete_move_next
* 7 = bug_report
* 8 = message_details
* 9 = administrator
* 10 = compatibility
* 11 = autocomplete
* 12 = abook_import_export
* 13 = ldifimport
* 14 = address_add
* 15 = compose_fix
* 16 = sasql
* 17 = spam_buttons
* 18 = check_quota

My IMAP server information:
  Server type:  other
  Server info:  * OK [HIDDEN] IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND
UNSELECT LITERAL+ IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE ACL
ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision,
Inc.  See COPYING for distribution information.
  Capabilities:  IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT
LITERAL+ IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE ACL ACL2=UNION



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Ken A
Nick Bright wrote:
> Ken A wrote:
>> Nick Bright wrote:
>>
>>> Per some suggestions in the thread I was able to determine that they are
>>> not using "mailto.php", but rather compose.php:
>>>
>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>>
>> Are you saying that was the only entry in the log from that IP? They 
>> only hit compose.php? If not, what was the sequence of events?
> 
> There were many hits from quite a few different IP addresses, and they 
> all looked similar to that. I've extracted log entries from that IP 
> address, and attached the file to this message.
> 
>  From what I can tell it logs in, then hits compose.php repeatedly.

That's odd. It really doesn't look like a bot. Perhaps it's using an IE 
toolbar of some sort to control the browser. There is a CAPTCHA plugin, 
and a "Password Forget" plugin, but when a bot behaves like a user, it's 
hard to block without inconveniencing the user. :-\

Ken


> 
>  - Nick
> 
>>
>> Ken
>>
>>
>>> Nobody can reasonably expect an ISP to keep every single users' PC clean
>>> of trashware constantly, so accordingly there needs to be some way to
>>> mitigate the impact of this type of issue at the common point - the 
>>> SquirrelMail installation. It doesn't seem to me like this is a bug 
>>> or a security vulnerability in SM since a valid users' password was 
>>> compromised, but is there any way to mitigate this type of thing?
>>>
>>> I would appreciate any feedback regarding this topic and methods of
>>> mitigating damage done by compromised accounts. I will also answer any
>>> questions that may help develop a method of mitigation.
>>>
>>> - Nick Bright
>>>   Terra World
>>>   http://home.terraworld.net
>>
> 
> 
> 


-- 
Ken Anderson
Pacific.Net



Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Tomas Kuliavas
> CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:

CVE-2006-6142, CVE-2007-1262, CVE-2007-2589. Please note that html
filtering functions must be patched to 1.4.10+ level. Having only 1.4.9a
patches is not enough. If changelog says that CVE-2006-6142 is fixed,
check functions/mime.php and make sure that it is similar to 1.4.10a file
and not to 1.4.9a file.

>   Installed Plugins
> 1. delete_move_next
> 2. squirrelspell
> 3. newmail
> 4. mpppolicygroup
> 5. quota_usage
>
>   Available Plugins:
> 6. translate
> 7. compatibility
> 8. spamcop
> 9. sent_subfolders
> 10. check_quota

Version of check_quota plugin? PHP register_globals setting?

> Per some suggetions in the thread I was able to determine that they are
> not using "mailto.php", but rather compose.php:
>
> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Wrong log entry. Look at what you have in the logs before this redirection,
which is made by SquirrelMail. This page only displays a notice that the
message is sent.

If you know the IP of the spammer, check all log entries from that IP
address. You must trace the whole path. How do they log in? Is there a
legit login for the same account at that time? Which pages are opened?

Have you tried to protect your webmail traffic? Signed SSL certificate
costs less than 20 USD.


-- 
Tomas

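The tracing Tomas describes, as an added example that is not code from the thread or from SquirrelMail: parse Apache combined-format entries, order each IP's requests, and flag IPs that log in through redirect.php and then keep landing on the compose.php?mail_sent=yes notice page. The entries in SAMPLE_LOG are constructed (documentation-range IPs, invented hostname) in the shape of the lines posted above; the thresholds are assumptions to tune against your own traffic.

```python
"""Reconstruct per-IP SquirrelMail sessions from an Apache access log and
flag the "log in, then hit compose.php repeatedly" pattern of a
compromised account.  Added example; not part of SquirrelMail."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
HOST = "http://webmail.example.net/webmail/src/"  # constructed hostname

# Constructed sample: one IP logs in, browses briefly, then hits the
# post-send notice page three times; a second IP logs in and sends once.
# compose.php?mail_sent=yes is shown once per message SquirrelMail sent.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [07/Oct/2007:21:30:15 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "' + HOST + 'login.php" ' + UA,
    '192.0.2.10 - - [07/Oct/2007:21:30:21 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2876 "' + HOST + 'webmail.php" ' + UA,
    '192.0.2.10 - - [07/Oct/2007:21:31:38 -0500] "GET /webmail/images/down_pointer.png HTTP/1.1" 200 272 "' + HOST + 'right_main.php" ' + UA,
    '192.0.2.10 - - [07/Oct/2007:21:40:02 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "' + HOST + 'compose.php?mailbox=None&startMessage=0" ' + UA,
    '192.0.2.10 - - [07/Oct/2007:21:47:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "' + HOST + 'compose.php?mailbox=None&startMessage=0" ' + UA,
    '192.0.2.10 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "' + HOST + 'compose.php?mailbox=None&startMessage=0" ' + UA,
    '198.51.100.7 - - [07/Oct/2007:22:01:00 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "' + HOST + 'login.php" ' + UA,
    '198.51.100.7 - - [07/Oct/2007:22:05:00 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "' + HOST + 'compose.php?mailbox=None&startMessage=0" ' + UA,
    'this line is deliberately malformed and must be skipped',
])


def parse_line(line):
    """One combined-format entry -> dict, or None when it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def sessions_by_ip(lines):
    """Group parsed entries by client IP, each group ordered by time."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def page_trail(by_ip, ip):
    """The 'whole path' for one IP: (time, method, path), images dropped."""
    return [(r["ts"].strftime("%H:%M:%S"), r["method"], r["path"])
            for r in by_ip.get(ip, []) if "/images/" not in r["path"]]


def flag_mass_senders(by_ip, min_sends=3, window_minutes=60):
    """Return {ip: sends} for IPs whose login (POST redirect.php) is followed
    by at least min_sends mail_sent=yes pages within window_minutes.
    Thresholds are assumptions.  The access log carries no username, so
    "was there a legitimate login for the same account?" still needs the
    IMAP/auth log correlated by timestamp."""
    flagged = {}
    for ip, recs in by_ip.items():
        login_at, sends = None, 0
        for r in recs:
            if r["method"] == "POST" and r["path"].endswith("/src/redirect.php"):
                login_at, sends = r["ts"], 0          # new session starts
            elif ("/src/compose.php" in r["path"] and "mail_sent=yes" in r["path"]
                  and login_at is not None
                  and (r["ts"] - login_at).total_seconds() <= window_minutes * 60):
                sends += 1
        if sends >= min_sends:
            flagged[ip] = sends
    return flagged


if __name__ == "__main__":
    sessions = sessions_by_ip(SAMPLE_LOG.splitlines())
    for ip, n in flag_mass_senders(sessions).items():
        print(f"{ip}: {n} messages sent after login")
        for when, method, path in page_trail(sessions, ip):
            print(f"  {when} {method} {path}")
```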



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Paul Lesniewski
On 10/9/07, Ken A <[EMAIL PROTECTED]> wrote:
> Nick Bright wrote:
> > Ken A wrote:
> >> Nick Bright wrote:
> >>
> >>> Per some suggestions in the thread I was able to determine that they are
> >>> not using "mailto.php", but rather compose.php:
> >>>
> >>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
> >>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> >>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
> >>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >>
> >>
> >> Are you saying that was the only entry in the log from that IP? They
> >> only hit compose.php? If not, what was the sequence of events?
> >
> > There were many hits from quite a few different IP addresses, and they
> > all looked similar to that. I've extracted log entries from that IP
> > address, and attached the file to this message.
> >
> >  From what I can tell it logs in, then hits compose.php repeatedly.
>
> That's odd. It really doesn't look like a bot.

I agree - a bot probably wouldn't hit any options pages, etc.

> Perhaps it's using an IE
> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> and a "Password Forget" plugin, but when a bot behaves like a user, it's
> hard to block without inconveniencing the user. :-\

Right.  I would suggest the Restrict Senders plugin is what the OP
wants if "mitigation" is the goal.  "Re-coding whatever is allowing
these POST url's to send mail" is meaningless unless you want SM
without compose functionality.



Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Paul Lesniewski
On 10/9/07, Tomas Kuliavas <[EMAIL PROTECTED]> wrote:
> > CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:
>
> CVE-2006-6142, CVE-2007-1262, CVE-2007-2589. Please note that html
> filtering functions must be patched to 1.4.10+ level. Having only 1.4.9a
> patches is not enough. If changelog says that CVE-2006-6142 is fixed,
> check functions/mime.php and make sure that it is similar to 1.4.10a file
> and not to 1.4.9a file.

Yeah, the first thing you do when you have a problem like this is
ensure all your software is up to date.  I am shocked the OP lets that
slip by.

> >   Installed Plugins
> > 1. delete_move_next
> > 2. squirrelspell
> > 3. newmail
> > 4. mpppolicygroup
> > 5. quota_usage
> >
> >   Available Plugins:
> > 6. translate
> > 7. compatibility
> > 8. spamcop
> > 9. sent_subfolders
> > 10. check_quota
>
> Version of check_quota plugin? PHP register_globals setting?
>
> > Per some suggestions in the thread I was able to determine that they are
> > not using "mailto.php", but rather compose.php:
> >
> > /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
> > "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> > "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
> > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> Wrong log entry. What you have in logs before this redirection is made in
> SquirrelMail. This page only displays notice that message is sent.
>
> If you know ip of spammer, check all log entries from that ip address. You
> must trace whole path. How do they log in? Is there a legit login for same
> account at that time? Which pages are opened?

See the other, original thread about this.  The OP should not be
creating duplicate threads with identical information in them.

> Have you tried to protect your webmail traffic? Signed SSL certificate
> costs less than 20 USD.



Re: [SM-USERS] Bug Report

2007-10-09 Thread Paul Lesniewski
On 10/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I'm not able to CC or add additional addresses when sending email. It
> gives me a new window. How can I set this back to default?

You are using a very very old version of SquirrelMail.  Please upgrade
before trying anything else.  If the problem persists after that,
please try to explain the problem better - explain each action you
take and its results.

> I subscribe to the squirrelmail-users mailing list.
>   [ ]  True - No need to CC me when replying
>   [ ]  False - Please CC me when replying
>
> This bug occurs when I ...
>   ... view a particular message
>   ... use a specific plugin/function
>   ... try to do/view/use 
>
>
>
> The description of the bug:
>
>
> I can reproduce the bug by:
>
>
> (Optional) I got bored and found the bug occurs in:
>
>
> (Optional) I got really bored and here's a fix:
>
>
> --
>
> My browser information:
>   Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20050915
> Firefox/1.0.7
>
> My web server information:
>   PHP Version 4.3.2
>   PHP Extensions (List)
> * 0 = yp
> * 1 = xml
> * 2 = wddx
> * 3 = tokenizer
> * 4 = sysvshm
> * 5 = sysvsem
> * 6 = standard
> * 7 = sockets
> * 8 = shmop
> * 9 = session
> * 10 = pspell
> * 11 = posix
> * 12 = pcre
> * 13 = overload
> * 14 = openssl
> * 15 = mbstring
> * 16 = iconv
> * 17 = gmp
> * 18 = gettext
> * 19 = gd
> * 20 = ftp
> * 21 = exif
> * 22 = domxml
> * 23 = dio
> * 24 = dbx
> * 25 = dba
> * 26 = curl
> * 27 = ctype
> * 28 = calendar
> * 29 = bz2
> * 30 = bcmath
> * 31 = zlib
> * 32 = apache2filter
> * 33 = imap
> * 34 = ldap
> * 35 = mysql
>
> SquirrelMail-specific information:
>   Version:  1.4.4
>   Plugins (List)
> * 0 = squirrelspell
> * 1 = abook_take
> * 2 = newmail
> * 3 = sent_subfolders
> * 4 = mail_fetch
> * 5 = listcommands
> * 6 = delete_move_next
> * 7 = bug_report
> * 8 = message_details
> * 9 = administrator
> * 10 = compatibility
> * 11 = autocomplete
> * 12 = abook_import_export
> * 13 = ldifimport
> * 14 = address_add
> * 15 = compose_fix
> * 16 = sasql
> * 17 = spam_buttons
> * 18 = check_quota
>
> My IMAP server information:
>   Server type:  other
>   Server info:  * OK [HIDDEN] IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND
> UNSELECT LITERAL+ IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE ACL
> ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision,
> Inc.  See COPYING for distribution information.
>   Capabilities:  IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT
> LITERAL+ IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE ACL ACL2=UNION
>



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Nick Bright

Ken A wrote:
> Nick Bright wrote:
>> Ken A wrote:
>>> Nick Bright wrote:
>>>> Per some suggestions in the thread I was able to determine that they are
>>>> not using "mailto.php", but rather compose.php:
>>>>
>>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>
>>> Are you saying that was the only entry in the log from that IP? They
>>> only hit compose.php? If not, what was the sequence of events?
>> There were many hits from quite a few different IP addresses, and they
>> all looked similar to that. I've extracted log entries from that IP
>> address, and attached the file to this message.
>>
>> From what I can tell it logs in, then hits compose.php repeatedly.
>
> That's odd. It really doesn't look like a bot. Perhaps it's using an IE
> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> and a "Password Forget" plugin, but when a bot behaves like a user, it's
> hard to block without inconveniencing the user. :-\

Yes, that was my take as well; it really looks like a user using
webmail, but when I go through my AOL mail loop messages they show
headers such as:

from 81.199.179.36 (proxying for 10.250.50.255)(SquirrelMail
authenticated user exploiteduser)by webmail.terraworld.net with
HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)

IP Addresses from AOL mail loop:

Where the IP address connecting as user "exploiteduser" varies widely,
and the attached message is always the same 'lottery' phishing scam. I
suppose it's possible that it's coming from the users' PC (they are on
dialup after all), but the IP addresses vary so widely that I seriously
doubt that it's one PC. The list is relatively short because I would
expect most of the botnet to be listed on RBLs, and my web server
blocks based on RBL lookups.

 - Nick

>
> Ken
>
>>  - Nick
>>
>>> Ken
>>>
>>>> Nobody can reasonably expect an ISP to keep every single user's PC clean
>>>> of trashware constantly, so accordingly there needs to be some way to
>>>> mitigate the impact of this type of issue at the common point - the
>>>> SquirrelMail installation. It doesn't seem to me like this is a bug
>>>> or a security vulnerability in SM since a valid user's password was
>>>> compromised, but is there any way to mitigate this type of thing?
>>>>
>>>> I would appreciate any feedback regarding this topic and methods of
>>>> mitigating damage done by compromised accounts. I will also answer any
>>>> questions that may help develop a method of mitigation.
>>>>
>>>> - Nick Bright
>>>>   Terra World
>>>>   http://home.terraworld.net








begin:vcard
fn:Nick Bright
n:Bright;Nick
org:Terra World Communications, LLC
adr:Suite #11;;200 ARCO Place;Independence;KS;67301;USA
email;internet:[EMAIL PROTECTED]
title:Network Administrator
tel;work:888-332-1616
tel;fax:620-332-1201
x-mozilla-html:FALSE
url:http://home.terraworld.net
version:2.1
end:vcard

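Tracing "the whole path" per account and per IP, as Tomas asks for, is mechanical once the two formats quoted in this thread are parsed. The Python below is an added example (not code from the thread or from SquirrelMail): it parses the SquirrelMail Received header and Apache combined-log lines, flags accounts authenticated from several unrelated addresses within a short window, and flags client IPs whose requests are nearly all compose.php. The header and log samples are constructed (RFC 5737 addresses, made-up host webmail.example.net and users), and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime

# Received header of the shape quoted above:
#   from <ip> (proxying for <ip>)(SquirrelMail authenticated user <user>)by <host> with HTTP;<date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*(?:\(proxying for\s+[^)]*\))?"
    r"\s*\(SquirrelMail authenticated user\s+(?P<user>[^)]+)\)"
    r"\s*by\s+\S+\s+with\s+HTTP;\s*(?P<date>.+?)\s*$")

# Apache combined-format line as quoted above: client IP, timestamp, request, status.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3}')


def parse_received(header):
    """(source_ip, user, datetime) from a SquirrelMail Received header, else None."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold wrapped header lines
    if not m:
        return None
    return m.group("ip"), m.group("user"), parsedate_to_datetime(m.group("date"))


def parse_access(line):
    """(client_ip, script name) from an access-log line, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]


def users_with_many_sources(headers, min_ips=3, window_hours=24):
    """user -> sorted distinct source IPs for accounts seen from at least min_ips
    addresses inside one window_hours window (a dial-up user moves address now and
    then; a stolen password used by a botnet shows unrelated addresses within hours)."""
    events = defaultdict(list)
    for header in headers:
        parsed = parse_received(header)
        if parsed:
            ip, user, when = parsed
            events[user].append((when, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {ip for when, ip in evs[i:]
                         if (when - start).total_seconds() <= window_hours * 3600}
            if len(in_window) >= min_ips:
                flagged[user] = sorted({ip for _, ip in evs})
                break
    return flagged


def compose_heavy_ips(lines, min_compose=5, min_share=0.8):
    """client IP -> (compose.php hits, total hits) for addresses whose requests are
    nearly all compose.php: the "logs in, then hits compose.php repeatedly" pattern."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_access(line)
        if parsed:
            ip, script = parsed
            hits[ip][script] += 1
    result = {}
    for ip, scripts in hits.items():
        total, compose = sum(scripts.values()), scripts.get("compose.php", 0)
        if compose >= min_compose and compose / total >= min_share:
            result[ip] = (compose, total)
    return result


# Constructed sample input (RFC 5737 test addresses, made-up users and host name),
# laid out like the header and log line quoted in the thread.
SAMPLE_RECEIVED = [
    "from 192.0.2.10 (proxying for 10.250.50.255)(SquirrelMail\n"
    " authenticated user exploiteduser)by webmail.example.net with\n"
    " HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)",
    "from 198.51.100.7 (SquirrelMail authenticated user exploiteduser)"
    "by webmail.example.net with HTTP;Thu, 4 Oct 2007 19:12:40 -0500 (CDT)",
    "from 203.0.113.44 (SquirrelMail authenticated user exploiteduser)"
    "by webmail.example.net with HTTP;Thu, 4 Oct 2007 21:03:11 -0500 (CDT)",
    "from 192.0.2.77 (SquirrelMail authenticated user alice)"
    "by webmail.example.net with HTTP;Thu, 4 Oct 2007 08:00:00 -0500 (CDT)",
    "from 192.0.2.78 (SquirrelMail authenticated user alice)"
    "by webmail.example.net with HTTP;Sat, 6 Oct 2007 09:30:00 -0500 (CDT)",
]
UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
REFERER = '"http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0"'
SAMPLE_ACCESS = [
    '192.0.2.10 - - [07/Oct/2007:21:53:58 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 0 "-" ' + UA,
    '198.51.100.200 - - [07/Oct/2007:21:55:01 -0500] "GET /webmail/src/right_main.php?mailbox=INBOX&sort=0&startMessage=1 HTTP/1.1" 200 4886 "-" ' + UA,
    '198.51.100.200 - - [07/Oct/2007:21:56:30 -0500] "GET /webmail/src/compose.php?mailbox=INBOX&startMessage=1 HTTP/1.1" 200 12000 "-" ' + UA,
] + [  # six compose.php hits within seconds from the first client
    '192.0.2.10 - - [07/Oct/2007:21:54:%02d -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 ' % sec + REFERER + " " + UA
    for sec in range(10, 22, 2)
]

if __name__ == "__main__":
    print("accounts used from many addresses:", users_with_many_sources(SAMPLE_RECEIVED))
    print("compose.php-heavy client IPs:", compose_heavy_ips(SAMPLE_ACCESS))
```

The per-user check needs the Received headers of the messages themselves (from bounces or a feedback loop, as with the AOL loop above), since the access log carries no username; the per-IP check works from the web server log alone.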

Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Nick Bright

Tomas Kuliavas wrote:
>> CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:
>
> CVE-2006-6142, CVE-2007-1262, CVE-2007-2589. Please note that html
> filtering functions must be patched to 1.4.10+ level. Having only 1.4.9a
> patches is not enough. If changelog says that CVE-2006-6142 is fixed,
> check functions/mime.php and make sure that it is similar to 1.4.10a file
> and not to 1.4.9a file.

Doesn't seem like it's a security vulnerability in squirrelmail causing
this, though your point is valid with regard to the CVEs.

>>   Installed Plugins
>> 1. delete_move_next
>> 2. squirrelspell
>> 3. newmail
>> 4. mpppolicygroup
>> 5. quota_usage
>>
>>   Available Plugins:
>> 6. translate
>> 7. compatibility
>> 8. spamcop
>> 9. sent_subfolders
>> 10. check_quota
>
> Version of check_quota plugin? PHP register_globals setting?

check_quota version 1.4
register_globals = off

>> Per some suggestions in the thread I was able to determine that they are
>> not using "mailto.php", but rather compose.php:
>>
>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> Wrong log entry. What you have in logs before this redirection is made in
> SquirrelMail. This page only displays notice that message is sent.

In another post, I attached the results of a grep for a specific IP.

> If you know ip of spammer, check all log entries from that ip address. You
> must trace whole path. How do they log in? Is there a legit login for same
> account at that time? Which pages are opened?

They appear to emulate a browser, from what I can tell. They are using a
valid username and password apparently culled from an infected PC somewhere.

> Have you tried to protect your webmail traffic? Signed SSL certificate
> costs less than 20 USD.

I'd expect they support SSL on their end; this probably wouldn't make
any difference.

 - Nick Bright






Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Nick Bright

Paul Lesniewski wrote:
> On 10/9/07, Ken A <[EMAIL PROTECTED]> wrote:
>> Nick Bright wrote:
>>> Ken A wrote:
>>>> Nick Bright wrote:
>>>>> Per some suggestions in the thread I was able to determine that they are
>>>>> not using "mailto.php", but rather compose.php:
>>>>>
>>>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>
>>>> Are you saying that was the only entry in the log from that IP? They
>>>> only hit compose.php? If not, what was the sequence of events?
>>> There were many hits from quite a few different IP addresses, and they
>>> all looked similar to that. I've extracted log entries from that IP
>>> address, and attached the file to this message.
>>>
>>> From what I can tell it logs in, then hits compose.php repeatedly.
>> That's odd. It really doesn't look like a bot.
>
> I agree - a bot probably wouldn't hit any options pages, etc.

Someone else said that they saw the same behavior, and the bot was
hitting the options page to change the FROM address and users' name.

>> Perhaps it's using an IE
>> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
>> and a "Password Forget" plugin, but when a bot behaves like a user, it's
>> hard to block without inconveniencing the user. :-\
>
> Right.  I would suggest the Restrict Senders plugin is what the OP
> wants if "mitigation" is the goal.  "Re-coding whatever is allowing
> these POST URLs to send mail" is meaningless unless you want SM
> without compose functionality.

I'll look at the restrict senders plugin.

My suggestion about not allowing POST to send mail is based on me not
knowing anything about how SM works, but the thought of "if they can't
craft a URL to send mail and poke it to the server, wouldn't that fix
the issue?" Seems like GET should be just as valid, and prevent an
injection exploit like this appears to be.

Please keep in mind I am not a programmer, just a user, so there's not
much good in raking me over the coals with programming arguments.

 - Nick Bright





Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Nick Bright

Paul Lesniewski wrote:
> On 10/9/07, Tomas Kuliavas <[EMAIL PROTECTED]> wrote:
>>> CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:
>>
>> CVE-2006-6142, CVE-2007-1262, CVE-2007-2589. Please note that html
>> filtering functions must be patched to 1.4.10+ level. Having only 1.4.9a
>> patches is not enough. If changelog says that CVE-2006-6142 is fixed,
>> check functions/mime.php and make sure that it is similar to 1.4.10a file
>> and not to 1.4.9a file.
>
> Yeah, the first thing you do when you have a problem like this is
> ensure all your software is up to date.  I am shocked the OP lets that
> slip by.

Perhaps because it was two in the morning I didn't notice that 1.4.9a
was quite so old :/ It seems odd to me that the RHEL/CentOS team
wouldn't have a more up-to-date version. I'm sure that the CVEs are
patched though.

>>>   Installed Plugins
>>> 1. delete_move_next
>>> 2. squirrelspell
>>> 3. newmail
>>> 4. mpppolicygroup
>>> 5. quota_usage
>>>
>>>   Available Plugins:
>>> 6. translate
>>> 7. compatibility
>>> 8. spamcop
>>> 9. sent_subfolders
>>> 10. check_quota
>>
>> Version of check_quota plugin? PHP register_globals setting?
>>
>>> Per some suggestions in the thread I was able to determine that they are
>>> not using "mailto.php", but rather compose.php:
>>>
>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>> Wrong log entry. What you have in logs before this redirection is made in
>> SquirrelMail. This page only displays notice that message is sent.
>>
>> If you know ip of spammer, check all log entries from that ip address. You
>> must trace whole path. How do they log in? Is there a legit login for same
>> account at that time? Which pages are opened?
>
> See the other, original thread about this.  The OP should not be
> creating duplicate threads with identical information in them.

It's all the same thread if you ask me. There were no newer messages in
the thread, and I just subscribed to the list, so I created a new
message with a link to the old thread in the mailing list archive, and
submitted my information.

However, after about 36 hours it still hadn't arrived on the list, and
someone else replied to the original thread, so I just jumped in.

>> Have you tried to protect your webmail traffic? Signed SSL certificate
>> costs less than 20 USD.




Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Brent
I had this exact issue.  It ended up being one exploited account.  The IP
addresses connecting to the account were from various APNIC blocks.  I would
block one IP and it would move to another... suggesting that it was some
kind of bot - however, I added the captcha plugin and they kept logging in!
I changed the password on the exploited account and so far it hasn't
resurfaced.

Brent


Ken A wrote:
> Nick Bright wrote:
>> Ken A wrote:
>>> Nick Bright wrote:
>>>
>>>> Per some suggestions in the thread I was able to determine that they are
>>>> not using "mailto.php", but rather compose.php:
>>>>
>>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>
>>> Are you saying that was the only entry in the log from that IP? They
>>> only hit compose.php? If not, what was the sequence of events?
>> There were many hits from quite a few different IP addresses, and they
>> all looked similar to that. I've extracted log entries from that IP
>> address, and attached the file to this message.
>>
>> From what I can tell it logs in, then hits compose.php repeatedly.
>
> That's odd. It really doesn't look like a bot. Perhaps it's using an IE
> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> and a "Password Forget" plugin, but when a bot behaves like a user, it's
> hard to block without inconveniencing the user. :-\

Yes, that was my take as well; it really looks like a user using
webmail, but when I go through my AOL mail loop messages they show
headers such as:

from 81.199.179.36 (proxying for 10.250.50.255)(SquirrelMail
authenticated user exploiteduser)by webmail.terraworld.net with
HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)

IP Addresses from AOL mail loop:

Where the IP address connecting as user "exploiteduser" varies widely,
and the attached message is always the same 'lottery' phishing scam. I
suppose it's possible that it's coming from the users' PC (they are on
dialup after all), but the IP addresses vary so widely that I seriously
doubt that it's one PC. The list is relatively short because I would
expect most of the botnet to be listed on RBLs, and my web server
blocks based on RBL lookups.

  - Nick

>
> Ken
>
>
>>  - Nick
>>
>>> Ken
>>>
>>>
>>>> Nobody can reasonably expect an ISP to keep every single user's PC
>>>> clean of trashware constantly, so accordingly there needs to be some way to
>>>> mitigate the impact of this type of issue at the common point - the
>>>> SquirrelMail installation. It doesn't seem to me like this is a bug
>>>> or a security vulnerability in SM since a valid user's password was
>>>> compromised, but is there any way to mitigate this type of thing?
>>>>
>>>> I would appreciate any feedback regarding this topic and methods of
>>>> mitigating damage done by compromised accounts. I will also answer any
>>>> questions that may help develop a method of mitigation.
>>>>
>>>> - Nick Bright
>>>>   Terra World
>>>>   http://home.terraworld.net
>>





Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Ken A
Nick Bright wrote:
> Tomas Kuliavas wrote:

>> Have you tried to protect your webmail traffic? Signed SSL certificate
>> costs less than 20 USD.
> 
> I'd expect they support SSL on their end, this probably wouldn't make 
> any difference.

The difference is that fewer passwords could easily be stolen if you 
used & forced SSL. This is certainly relevant.
Ken

> 
>  - Nick Bright
> 


-- 
Ken Anderson
Pacific.Net



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Paul Lesniewski
On 10/9/07, Nick Bright <[EMAIL PROTECTED]> wrote:
> Paul Lesniewski wrote:
> > On 10/9/07, Ken A <[EMAIL PROTECTED]> wrote:
> >> Nick Bright wrote:
> >>> Ken A wrote:
> >>>> Nick Bright wrote:
> >>>>
> >>>>> Per some suggestions in the thread I was able to determine that they are
> >>>>> not using "mailto.php", but rather compose.php:
> >>>>>
> >>>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
> >>>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> >>>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
> >>>>>
> >>>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >>>>
> >>>> Are you saying that was the only entry in the log from that IP? They
> >>>> only hit compose.php? If not, what was the sequence of events?
> >>> There were many hits from quite a few different IP addresses, and they
> >>> all looked similar to that. I've extracted log entries from that IP
> >>> address, and attached the file to this message.
> >>>
> >>>  From what I can tell it logs in, then hits compose.php repeatedly.
> >> That's odd. It really doesn't look like a bot.
> >
> > I agree - a bot probably wouldn't hit any options pages, etc.
>
> Someone else said that they saw the same behavior, and the bot was
> hitting the options page to change the FROM address and users' name.
>
> >
> >> Perhaps it's using an IE
> >> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> >> and a "Password Forget" plugin, but when a bot behaves like a user, it's
> >> hard to block without inconveniencing the user. :-\
> >
> > Right.  I would suggest the Restrict Senders plugin is what the OP
> > wants if "mitigation" is the goal.  "Re-coding whatever is allowing
> > these POST URLs to send mail" is meaningless unless you want SM
> > without compose functionality.
>
> I'll look at the restrict senders plugin.
>
> My suggestion about not allowing POST to send mail is based on me not
> knowing anything about how SM works, but the thought of "if they can't
> craft a URL to send mail and poke it to the server, wouldn't that fix
> the issue?". Seems like GET should be just as valid, and prevent an
> injection exploit like this appears to be.

You yourself seemed to agree it *isn't* an injection exploit.  If you
are claiming it is, we need evidence to support that.  GET is *more*
vulnerable in general than POST to various forms of abuse, not to
mention that it just wouldn't work for a form with this much data in
it.  Your problem is exposed passwords, so I don't know why you are
suggesting SM's internal mechanism for sending mail be modified.

> Please keep in mind I am not a programmer, just a user, so there's not
> much good in raking me over the coals with programming arguments.
>
>   - Nick Bright
>



Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Nick Bright

Ken A wrote:
> Nick Bright wrote:
>> Tomas Kuliavas wrote:
>>> Have you tried to protect your webmail traffic? Signed SSL certificate
>>> costs less than 20 USD.
>> I'd expect they support SSL on their end, this probably wouldn't make
>> any difference.
>
> The difference is that fewer passwords could easily be stolen if you
> used & forced SSL. This is certainly relevant.
> Ken

How so? That would only prevent man-in-the-middle attacks, when the
problem is almost certainly a keylogger or trojan on the end users'
PC, where the keyboard input isn't encrypted by the SSL certificate.

Though yes, I do want to use/force an SSL certificate, I do not agree
that it would help with the issue at hand.

 - Nick Bright






Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Paul Lesniewski
Please do NOT top-post and try to use correct reply quoting.

On 10/9/07, Brent <[EMAIL PROTECTED]> wrote:
> I had this exact issue.  It ended up being one exploited account.  The IP
> addresses connecting to the account were from various APNIC blocks.  I would
> block one IP and it would move to another... suggesting that it was some
> kind of bot - however, I added the captcha plugin and they kept logging in!
> I changed the password on the exploited account and so far it hasn't
> resurfaced.

You might have chosen a weak CAPTCHA mechanism.  It might be useful
for others if you mention which CAPTCHA backend you used (and if you
tried any others).

>  Per some suggestions in the thread I was able to determine that they
> are
>  not using "mailto.php", but rather compose.php:
> 
>  /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10
> -0500]
>  "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> 
> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMes
> sage=0"
> 
>  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >>>
> >>> Are you saying that was the only entry in the log from that IP? They
> >>> only hit compose.php? If not, what was the sequence of events?
> >> There were many hits from quite a few different IP addresses, and they
> >> all looked similar to that. I've extracted log entries from that IP
> >> address, and attached the file to this message.
> >>
> >>  From what I can tell it logs in, then hits compose.php repeatedly.
> >
> > That's odd. It really doesn't look like a bot. Perhaps it's using an IE
> > toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> > and a "Password Forget" plugin, but when a bot behaves like a user, it's
> > hard to block without inconveniencing the user. :-\
>
> Yes that was my take as well, it really looks like a user using
> webmail but when I go through my AOL mail loop messages they show
> headers such as:
>
> from 81.199.179.36 (proxying for 10.250.50.255)(SquirrelMail
> authenticated user exploiteduser)by webmail.terraworld.net with
> HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)
>
> IP Addresses from AOL mail loop:
> 196.1.179.183
> 78.138.2.196
> 41.219.220.2
> 81.199.179.36
> 84.254.188.2
> 88.202.124.6
>
> Where the IP address connecting as user "exploiteduser" varies widely,
> and the attached message is always the same 'lottry' phishing scam. I
> suppose it's possible that it's coming from the users' PC (they are on
> dialup after all), but the IP addresses vary so widely that I seriously
> doubt that it's one PC. The list is relatively short because I would
> expect most of the botnet to be listed on RBL's, and my web server
> blocks based on RBL lookups.
>
>   - Nick
>
> >
> > Ken
> >
> >
> >>  - Nick
> >>
> >>> Ken
> >>>
> >>>
>  Nobody can reasonably expect an ISP to keep every single users' PC
> clean
>  of trashware constantly, so accordingly there needs to be some way to
>  mitigate the impact of this type of issue at the common point - the
>  SquirrelMail installation. It doesn't seem to me like this is a bug
>  or a security vulnerability in SM since a valid users' password was
>  compromised, but is there any way to mitigate this type of thing?
> 
>  I would appreciate any feedback regarding this topic and methods of
>  mitigating damage done by compromised accounts. I will also answer any
>  questions that may help develop a method of mitigation.
> 
>  - Nick Bright



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Ken A
Brent wrote:
> I had this exact issue.  It ended up being one exploited account.  The IP
> addresses connecting to the account were from various APNIC blocks.  I would
> block one IP and it would move to another... suggesting that it was some
> kind of bot - however, I added the captcha plugin and they kept logging in!
> I changed the password on the exploited account and so far it hasn't
> resurfaced.
> 
> Brent
> 

Perhaps an army of humans rather than bots. Hard to stop. A quick 
password disable response is a good idea. I've found ossec hids a good 
tool for this sort of thing, though you'd have to write a rule for this 
type of thing. http://ossec.net

Ken



-- 
Ken Anderson
Pacific.Net



Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Ken A
Nick Bright wrote:
> Ken A wrote:
>> Nick Bright wrote:
>>> Tomas Kuliavas wrote:
>>
 Have you tried to protect your webmail traffic? Signed SSL certificate
 costs less than 20 USD.
>>> I'd expect they support SSL on their end, this probably wouldn't make 
>>> any difference.
>>
>> The difference is that fewer passwords could easily be stolen if you 
>> used & forced SSL. This is certainly relevant.
>> Ken
> 
> How so? that would only prevent man in the middle attacks, when the 
> problem is almost certainly in a keylogger or trojan on the end users' 
> PC 

that's an assumption, isn't it.. Good security doesn't work that way. 
You have to do what you can first, then look around for who to blame 
when things go wrong. ;-)
Ken


> - where the keyboard input isn't encrypted by the SSL certificate.
> 
> Though yes, I do want to use/force an SSL certificate, I do not agree 
> that it would help with the issue at hand.
> 
>>
>>>  - Nick Bright
>>>
-- 
Ken Anderson
Pacific.Net



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Nick Bright

Paul Lesniewski wrote:
> Please do NOT top-post and try to use correct reply quoting.
>
> On 10/9/07, Brent <[EMAIL PROTECTED]> wrote:
>> I had this exact issue.  It ended up being one exploited account.  The IP
>> addresses connecting to the account were from various APNIC blocks.  I would
>> block one IP and it would move to another... suggesting that it was some
>> kind of bot - however, I added the captcha plugin and they kept logging in!
>> I changed the password on the exploited account and so far it hasn't
>> resurfaced.
>
> You might have chosen a weak CAPTCHA mechanism.  It might be useful
> for others if you mention which CAPTCHA backend you used (and if you
> tried any others).

What mechanism do you suggest? I am looking at using this plugin, but
there is quite the array of options for mechanisms to use.

>> Per some suggestions in the thread I was able to determine that they
>> are
>> not using "mailto.php", but rather compose.php:
>>
>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10
>> -0500]
>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>
>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMes
>> sage=0"
>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> Are you saying that was the only entry in the log from that IP? They
> only hit compose.php? If not, what was the sequence of events?
 There were many hits from quite a few different IP addresses, and they
 all looked similar to that. I've extracted log entries from that IP
 address, and attached the file to this message.

  From what I can tell it logs in, then hits compose.php repeatedly.
>>> That's odd. It really doesn't look like a bot. Perhaps it's using an IE
>>> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
>>> and a "Password Forget" plugin, but when a bot behaves like a user, it's
>>> hard to block without inconveniencing the user. :-\
>> Yes that was my take as well, it really looks like a user using
>> webmail but when I go through my AOL mail loop messages they show
>> headers such as:
>>
>> from 81.199.179.36 (proxying for 10.250.50.255)(SquirrelMail
>> authenticated user exploiteduser)by webmail.terraworld.net with
>> HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)
>>
>> IP Addresses from AOL mail loop:
>> 196.1.179.183
>> 78.138.2.196
>> 41.219.220.2
>> 81.199.179.36
>> 84.254.188.2
>> 88.202.124.6
>>
>> Where the IP address connecting as user "exploiteduser" varies widely,
>> and the attached message is always the same 'lottry' phishing scam. I
>> suppose it's possible that it's coming from the users' PC (they are on
>> dialup after all), but the IP addresses vary so widely that I seriously
>> doubt that it's one PC. The list is relatively short because I would
>> expect most of the botnet to be listed on RBL's, and my web server
>> blocks based on RBL lookups.
>>
>>   - Nick
>>
>>> Ken
>>>
>>>
  - Nick

> Ken
>
>
>> Nobody can reasonably expect an ISP to keep every single users' PC
>> clean
>> of trashware constantly, so accordingly there needs to be some way to
>> mitigate the impact of this type of issue at the common point - the
>> SquirrelMail installation. It doesn't seem to me like this is a bug
>> or a security vulnerability in SM since a valid users' password was
>> compromised, but is there any way to mitigate this type of thing?
>>
>> I would appreciate any feedback regarding this topic and methods of
>> mitigating damage done by compromised accounts. I will also answer any
>> questions that may help develop a method of mitigation.
>>
>> - Nick Bright



Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Nick Bright

Paul Lesniewski wrote:
> On 10/9/07, Nick Bright <[EMAIL PROTECTED]> wrote:
>> Paul Lesniewski wrote:
>>> On 10/9/07, Ken A <[EMAIL PROTECTED]> wrote:
>>>> Nick Bright wrote:
>>>>> Ken A wrote:
>>>>>> Nick Bright wrote:
>>>>>>> Per some suggestions in the thread I was able to determine that they are
>>>>>>> not using "mailto.php", but rather compose.php:
>>>>>>>
>>>>>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>>>>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>>>>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>>>>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>>> Are you saying that was the only entry in the log from that IP? They
>>>>>> only hit compose.php? If not, what was the sequence of events?
>>>>> There were many hits from quite a few different IP addresses, and they
>>>>> all looked similar to that. I've extracted log entries from that IP
>>>>> address, and attached the file to this message.
>>>>>
>>>>> From what I can tell it logs in, then hits compose.php repeatedly.
>>>> That's odd. It really doesn't look like a bot.
>>> I agree - a bot probably wouldn't hit any options pages, etc.
>> Someone else said that they saw the same behavior, and the bot was
>> hitting the options page to change the FROM address and users' name.
>>
>>>> Perhaps it's using an IE
>>>> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
>>>> and a "Password Forget" plugin, but when a bot behaves like a user, it's
>>>> hard to block without inconveniencing the user. :-\
>>> Right.  I would suggest the Restrict Senders plugin is what the OP
>>> wants if "mitigation" is the goal.  "Re-coding whatever is allowing
>>> these POST url's to send mail" is meaningless unless you want SM
>>> without compose functionality.
>> I'll look at the restrict senders plugin.
>>
>> My suggestion about not allowing POST to send mail is based on me not
>> knowing anything about how SM works, but the thought of "if they can't
>> craft a URL to send mail and poke it to the server, wouldn't that fix
>> the issue?". Seems like GET should be just as valid, and prevent an
>> injection exploit like this appears to be.
>
> You yourself seemed to agree it *isn't* an injection exploit.  If you
> are claiming it is, we need evidence to support that.  GET is *more*
> vulnerable in general than POST to various forms of abuse, not to
> mention that it just wouldn't work for a form with this much data in
> it.  Your problem is exposed passwords, so I don't know why you are
> suggesting SM's internal mechanism for sending mail be modified.

Then just ignore my comments about the internal mechanisms. As I clearly
stated, I have no idea how the guts work, and I'm not a programmer anyways.

As far as exploits go yes, there is exploitation going on, but no it
doesn't appear to be because of a bug or vulnerability in SM. It's going
on because a user got their password swiped. That's a big difference
between that and a buffer overrun that lets someone run wild with your
system.

My attempted suggestion was merely "hey, could this particular method be
broken by changing part X". Your answer is obviously "No, it can't", so
let's just leave it at that.

Please keep in mind I am not a programmer, just a user, so there's not
much good in raking me over the coals with programming arguments.

  - Nick Bright




Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Brent
> On 10/9/07, Brent <[EMAIL PROTECTED]> wrote:
>> I had this exact issue.  It ended up being one exploited account.  The IP
>> addresses connecting to the account were from various APNIC blocks.  I would
>> block one IP and it would move to another... suggesting that it was some
>> kind of bot - however, I added the captcha plugin and they kept logging in!
>> I changed the password on the exploited account and so far it hasn't
>> resurfaced.

Paul Lesniewski wrote:
>You might have chosen a weak CAPTCHA mechanism.  It might be useful
>for others if you mention which CAPTCHA backend you used (and if you
>tried any others).

I was/am using captcha_php as the backend.  I did not try any others.

Brent




Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Paul Lesniewski
On 10/9/07, Nick Bright <[EMAIL PROTECTED]> wrote:
> Paul Lesniewski wrote:
> > Please do NOT top-post and try to use correct reply quoting.
> >
> > On 10/9/07, Brent <[EMAIL PROTECTED]> wrote:
> >> I had this exact issue.  It ended up being one exploited account.  The IP
> >> addresses connecting to the account were from various APNIC blocks.  I 
> >> would
> >> block one IP and it would move to another... suggesting that it was some
> >> kind of bot - however, I added the captcha plugin and they kept logging in!
> >> I changed the password on the exploited account and so far it hasn't
> >> resurfaced.
> >
> > You might have chosen a weak CAPTCHA mechanism.  It might be useful
> > for others if you mention which CAPTCHA backend you used (and if you
> > tried any others).
>
> What mechanism do you suggest, I am looking at using this plugin, but
> there is quite the array of options for mechanisms to use.

My first suggestion is to use it as part of the Restrict Senders
plugin.  It only needs to show itself when there is a problem.  After
that, please read the comments about each mechanism in the config
file, research them online and look at each of them in operation
yourself.  Some are obviously very weak - you'll probably want to
avoid those that are notated as such.  Please report back your
findings to share with others.


> >> Per some suggestions in the thread I was able to determine that they
> >> are
> >> not using "mailto.php", but rather compose.php:
> >>
> >> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10
> >> -0500]
> >> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> >>
> >> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMes
> >> sage=0"
> >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> > Are you saying that was the only entry in the log from that IP? They
> > only hit compose.php? If not, what was the sequence of events?
>  There were many hits from quite a few different IP addresses, and they
>  all looked similar to that. I've extracted log entries from that IP
>  address, and attached the file to this message.
> 
>   From what I can tell it logs in, then hits compose.php repeatedly.
> >>> That's odd. It really doesn't look like a bot. Perhaps it's using an IE
> >>> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> >>> and a "Password Forget" plugin, but when a bot behaves like a user, it's
> >>> hard to block without inconveniencing the user. :-\
> >> Yes that was my take as well, it really looks like a user using
> >> webmail but when I go through my AOL mail loop messages they show
> >> headers such as:
> >>
> >> from 81.199.179.36 (proxying for 10.250.50.255)(SquirrelMail
> >> authenticated user exploiteduser)by webmail.terraworld.net with
> >> HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)
> >>
> >> IP Addresses from AOL mail loop:
> >> 196.1.179.183
> >> 78.138.2.196
> >> 41.219.220.2
> >> 81.199.179.36
> >> 84.254.188.2
> >> 88.202.124.6
> >>
> >> Where the IP address connecting as user "exploiteduser" varies widely,
> >> and the attached message is always the same 'lottry' phishing scam. I
> >> suppose it's possible that it's coming from the users' PC (they are on
> >> dialup after all), but the IP addresses vary so widely that I seriously
> >> doubt that it's one PC. The list is relatively short because I would
> >> expect most of the botnet to be listed on RBL's, and my web server
> >> blocks based on RBL lookups.
> >>
> >>   - Nick
> >>
> >>> Ken
> >>>
> >>>
>   - Nick
> 
> > Ken
> >
> >
> >> Nobody can reasonably expect an ISP to keep every single users' PC
> >> clean
> >> of trashware constantly, so accordingly there needs to be some way to
> >> mitigate the impact of this type of issue at the common point - the
> >> SquirrelMail installation. It doesn't seem to me like this is a bug
> >> or a security vulnerability in SM since a valid users' password was
> >> compromised, but is there any way to mitigate this type of thing?
> >>
> >> I would appreciate any feedback regarding this topic and methods of
> >> mitigating damage done by compromised accounts. I will also answer any
> >> questions that may help develop a method of mitigation.
> >>
> >> - Nick Bright


Re: [SM-USERS] Spam Sent From WebMail

2007-10-09 Thread Paul Lesniewski
On 10/9/07, Paul Lesniewski <[EMAIL PROTECTED]> wrote:
> On 10/9/07, Nick Bright <[EMAIL PROTECTED]> wrote:
> > Paul Lesniewski wrote:
> > > Please do NOT top-post and try to use correct reply quoting.
> > >
> > > On 10/9/07, Brent <[EMAIL PROTECTED]> wrote:
> > >> I had this exact issue.  It ended up being one exploited account.  The IP
> > >> addresses connecting to the account were from various APNIC blocks.  I 
> > >> would
> > >> block one IP and it would move to another... suggesting that it was some
> > >> kind of bot - however, I added the captcha plugin and they kept logging 
> > >> in!
> > >> I changed the password on the exploited account and so far it hasn't
> > >> resurfaced.
> > >
> > > You might have chosen a weak CAPTCHA mechanism.  It might be useful
> > > for others if you mention which CAPTCHA backend you used (and if you
> > > tried any others).
> >
> > What mechanism do you suggest, I am looking at using this plugin, but
> > there is quite the array of options for mechanisms to use.
>
> My first suggestion is to use it as part of the Restrict Senders
> plugin.  It only needs to show itself when there is a problem.

Sorry, I meant the Lockout plugin.  Restrict Senders should be used to
cap the amount of junk that goes out once an attacker has gained
access to your SM installation.  Lockout in combination with CAPTCHA
will provide some security against automated login attacks.

>  After
> that, please read the comments about each mechanism in the config
> file, research them online and look at each of them in operation
> yourself.  Some are obviously very weak - you'll probably want to
> avoid those that are notated as such.  Please report back your
> findings to share with others.
>
>
> > >> Per some suggestions in the thread I was able to determine that they
> > >> are
> > >> not using "mailto.php", but rather compose.php:
> > >>
> > >> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10
> > >> -0500]
> > >> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
> > >>
> > >> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMes
> > >> sage=0"
> > >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> > > Are you saying that was the only entry in the log from that IP? They
> > > only hit compose.php? If not, what was the sequence of events?
> >  There were many hits from quite a few different IP addresses, and they
> >  all looked similar to that. I've extracted log entries from that IP
> >  address, and attached the file to this message.
> > 
> >   From what I can tell it logs in, then hits compose.php repeatedly.
> > >>> That's odd. It really doesn't look like a bot. Perhaps it's using an IE
> > >>> toolbar of some sort to control the browser. There is a CAPTCHA plugin,
> > >>> and a "Password Forget" plugin, but when a bot behaves like a user, it's
> > >>> hard to block without inconveniencing the user. :-\
> > >> Yes that was my take as well, it really looks like a user using
> > >> webmail but when I go through my AOL mail loop messages they show
> > >> headers such as:
> > >>
> > >> from 81.199.179.36 (proxying for 10.250.50.255)(SquirrelMail
> > >> authenticated user exploiteduser)by webmail.terraworld.net with
> > >> HTTP;Thu, 4 Oct 2007 18:57:06 -0500 (CDT)
> > >>
> > >> IP Addresses from AOL mail loop:
> > >> 196.1.179.183
> > >> 78.138.2.196
> > >> 41.219.220.2
> > >> 81.199.179.36
> > >> 84.254.188.2
> > >> 88.202.124.6
> > >>
> > >> Where the IP address connecting as user "exploiteduser" varies widely,
> > >> and the attached message is always the same 'lottry' phishing scam. I
> > >> suppose it's possible that it's coming from the users' PC (they are on
> > >> dialup after all), but the IP addresses vary so widely that I seriously
> > >> doubt that it's one PC. The list is relatively short because I would
> > >> expect most of the botnet to be listed on RBL's, and my web server
> > >> blocks based on RBL lookups.
> > >>
> > >>   - Nick
> > >>
> > >>> Ken
> > >>>
> > >>>
> >   - Nick
> > 
> > > Ken
> > >
> > >
> > >> Nobody can reasonably expect an ISP to keep every single users' PC
> > >> clean
> > >> of trashware constantly, so accordingly there needs to be some way to
> > >> mitigate the impact of this type of issue at the common point - the
> > >> SquirrelMail installation. It doesn't seem to me like this is a bug
> > >> or a security vulnerability in SM since a valid users' password was
> > >> compromised, but is there any way to mitigate this type of thing?
> > >>
> > >> I would appreciate any feedback regarding this topic and methods of
> > >> mitigating damage done by compromised accounts. I will also answer 
> > >> any
> > >> questions that may help develop a method of mitigation.
> > >>
> > >> - Nick Bright
>


Re: [SM-USERS] Spell checking says I'm not logged in?

2007-10-09 Thread Tim Hogan
Tomas Kuliavas wrote:
> Tim Hogan wrote:
>> Tomas Kuliavas wrote:
>>> Tim Hogan wrote:
>>>> I have decided to give SquirrelMail a try and I have installed v1.4.11
>>>> which seems to be working quite well, with the exception of spell
>>>> checking.  Whether I am going into "SpellChecker Options" or clicking on
>>>> spell check after typing a message I get the following error;
>>>>
>>>> "You must be logged in to access this page."
>>>>
> Could you provide more information about your setup?
> 1. PHP session settings
> 2. PHP $_SERVER variables
> 3. Why are you overriding location base?
>
> SquirrelSpell plugin is bundled with SquirrelMail. Are you sure that you are
> using standard bundled squirrelspell plugin version? Can you reproduce same
> issue in standard SquirrelMail 1.4.11 setup with only squirrelspell plugin
> enabled? SquirrelSpell plugin uses standard SquirrelMail functions to
> validate user session. If plugin fails with "You must be logged", other
> plugins will also fail.
>
> Are you sure that session cookie path is set correctly in browser? Why
> session cookie has 'src/' url part in your setup?
>
>   
I am not too sure about the PHP stuff but I can tell you that I changed 
the location base setting only to try and solve this problem.  It was 
previously blank.

As for PHP, it is the install out of the port in FreeBSD.  I did not 
make any special changes to it.  If I understand what you are looking 
for here is the session information pulled from a phpinfo script that I 
have.

Session Support                  enabled
Registered save handlers         files user eaccelerator
Registered serializer handlers   php php_binary

Directive                        Local Value   Master Value
session.auto_start               Off           Off
session.bug_compat_42            Off           Off
session.bug_compat_warn          On            On
session.cache_expire             180           180
session.cache_limiter            /no value/    /no value/
session.cookie_domain            /no value/    /no value/
session.cookie_httponly          Off           Off
session.cookie_lifetime          0             0
session.cookie_path              /no value/    /no value/
session.cookie_secure            Off           Off
session.entropy_file             /no value/    /no value/
session.entropy_length           16            16
session.gc_divisor               1000          1000
session.gc_maxlifetime           1440          1440
session.gc_probability           1             1
session.hash_bits_per_character  5             5
session.hash_function            0             0
session.name                     PHPSESSID     PHPSESSID
session.referer_check            /no value/    /no value/
session.save_handler             files         files
session.save_path                /tmp          /tmp
session.serialize_handler        php           php
session.use_cookies              On            On
session.use_only_cookies         Off           Off
session.use_trans_sid            0             0


If this is not what you were looking for then please tell me what to type.

Regards,
Tim





Re: [SM-USERS] Spam Sent from WebMail

2007-10-09 Thread Tomas Kuliavas
>>>   Installed Plugins
>>> 1. delete_move_next
>>> 2. squirrelspell
>>> 3. newmail
>>> 4. mpppolicygroup
>>> 5. quota_usage
>>>
>>>   Available Plugins:
>>> 6. translate
>>> 7. compatibility
>>> 8. spamcop
>>> 9. sent_subfolders
>>> 10. check_quota
>>
>> Version of check_quota plugin? PHP register_globals setting?
>
> check_quota version 1.4
> register_globals = off

OK. We can exclude check_quota.

>>> Per some suggestions in the thread I was able to determine that they are
>>> not using "mailto.php", but rather compose.php:
>>>
>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10
>>> -0500]
>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>> Wrong log entry. What you have in the logs before this redirection is
>> what is made in SquirrelMail. This page only displays a notice that the
>> message is sent.
>
> In another post, I attached the results of a grep for a specific IP.
>
>>
>> If you know the IP of the spammer, check all log entries from that IP
>> address. You must trace the whole path. How do they log in? Is there a
>> legitimate login for the same account at that time? Which pages are opened?
>
> They appear to emulate a browser, from what I can tell. They are using a
> valid username and password apparently culled from an infected PC
> somewhere.

Which pages? Are they using GET or POST requests? Show the whole request
sequence used to send emails. The attacker can change the IP address, but
the abuse/attack/exploit method should be the same.

1. GET or POST request of redirect.php
2. Do you have more than one src/compose.php request before the compose.php
request with mail_sent=yes?

Are they sharing the same session information? You might have to increase
logging in SquirrelMail in order to detect it. Without increased logging
you can suspect it if different IP addresses are using src/compose.php
without hitting src/redirect.php first.

>> Have you tried to protect your webmail traffic? A signed SSL certificate
>> costs less than 20 USD.
>
> I'd expect they support SSL on their end; this probably wouldn't make
> any difference.

It blocks password sniffers that are not on the user's machine. The user
sends the password only once per login, but the other requests carry enough
information to hijack the user's session in standard PHP session setups.

-- 
Tomas
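As an added illustration of the heuristic described above (example code, not from the thread or from SquirrelMail): a small Python script that walks Apache combined-format access_log lines in order and flags any IP address that requests src/compose.php without a prior src/redirect.php (the login handler) from that same IP. The log lines, IP addresses and the /webmail/ path prefix are constructed samples, not data from the thread.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample access_log lines (documentation IP ranges, not real traffic).
# 192.0.2.10 logs in through redirect.php before composing; 198.51.100.7 never does.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2007:21:40:01 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Oct/2007:21:40:03 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Oct/2007:21:42:10 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2007:21:54:05 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2007:21:55:00 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0]   # drop the query string
    return d

def find_suspect_ips(lines):
    """Return {ip: [(time, method, path), ...]} for IPs that hit src/compose.php
    without any earlier src/redirect.php request from that IP. Lines must be
    in chronological order, as they are in access_log."""
    logged_in = set()
    hits = defaultdict(list)
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["path"].endswith("/src/redirect.php"):
            logged_in.add(r["ip"])
        elif r["path"].endswith("/src/compose.php") and r["ip"] not in logged_in:
            hits[r["ip"]].append((r["time"], r["method"], r["path"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in find_suspect_ips(SAMPLE_LOG.splitlines()).items():
        print(ip, len(reqs), "compose.php request(s) with no prior redirect.php")
        for t, method, path in reqs:
            print("   ", t, method, path)
```

The method column answers the GET-or-POST question from the thread: POSTs to compose.php are the actual send attempts, while the GET with mail_sent=yes is only the confirmation page.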

