Matt wrote:
> On 9/7/07, Chris Hoogendyk <hoogendyk@xxxxxxxxxxxxx> wrote:
>
>> Matt wrote:
>>
>>>> Do you have any proof of a virus logging in? Couldn't it just be plain ol'
>>>> keyboard logging and the the person who gets the logs (not your intended
>>>> users) sends out the spam manually? It's technically possible to write a
>>>> program that logs in automatically, using any kind of mail interface - not
>>>> just web mail interfaces, as long as you have the password, but without
>>>> the password it's a harder nut to crack. The key question is: how do the
>>>> spammers get the password? If they get it through a broken browser caching
>>>> the user name and password, fix the broken browser.
>>>>
>>>>
>>> I haven't been able to figure out what the name of the virus is,
>>> yet... however... I doubt it is keyboard logging for the following
>>> reasons:
>>>
>>> 1 - The logins happen from IPs on our network (that is.. someone
>>> outside didn't capture the login info and then use it).
>>> 2 - When the user cleans their machine the spam stops going out, even
>>> if the password is kept the same.
>>>
>>> Alot of these users have reported they don't type their
>>> username/password into webmail, but rather use IE to save it. So the
>>> virus is getting the username and password out of the IE saved
>>> password area.
>>>
>> If you can track the IP, and you can separate 1 and 2 above, that would
>> be helpful. If you are not a network specialist, get someone to help
>> you. Capture the traffic between the user machine and your web server to
>> confirm the activity. Then run diagnostics on the client machine
>> *before* cleaning it. Identify what the process is that is originating
>> the traffic, pin down the source, and submit it to security forums,
>> McAfee, etc.
>>
>> If this really is a virus, it seems it would be known. There are a lot
>> of security people out there who track this stuff. When the user cleans
>> their machine, I presume you mean running a virus scan? Don't you get
>> reports from that? Doesn't it tell you that it found something and what
>> it found? Then you can look that up on the virus and security sites and
>> get a detailed analysis of it.
>>
>> Also, I'm presuming since you can track the IP that you are in fact
>> looking at the logs on the server and seeing that the hits are against
>> the web pages. If you haven't confirmed this, and your squirrelmail
>> server is also your general mail server (which is typical), then it is
>> possible, and also typical of viruses, that they might simply be
>> shooting mail out and it is going through your regular mail server
>> (smtp) without any connection to squirrelmail.
>>
>> If you are not examining all the logs on the server, then you should be.
>> If you are not the sysadmin, then get the help of the sysadmin and/or
>> somone who is a security specialist. Comparing web logs, imap logs, auth
>> logs, mail logs, will give you a fuller picture of what is going on.
>> There is not a whole lot that people on the list can tell you without
>> real due diligence on your part. We can't (or shouldn't be expected to)
>> dig into your server as root and see what is really going on.
>>
>> Once you've nailed it down, you have to take action. Clean up all the
>> computers on your network. Tell your users not to save their logins on
>> IE. Even tell them not to use IE ("Internet Exploder" if that helps get
>> the point across). Firefox is more reliable and secure. Configure it to
>> never save login or form information.
>>
>>
>>
>> ---------------
>>
>> Chris Hoogendyk
>>
>> -
>>
>
> All great advise... except these are users on a broadband and dial-up
> network. Being the normal luser... they clean their system with a
> virus scanner... say ok it's clean (And it is) but fail to remember or
> note what the scanner found.. so I have no idea what virus it is...
> what I do know is there was just a large worm that went around, and it
> corresponded with that outbreak.
>
> I will have to try a packet capture next time it happens.
>
> The purpose of my post here is not to have others did into my servers.
> The purpose was to find out if anyone else is seeing this. I find it
> hard to believe no one else is seeing it.... especially since I've
> seen other posts with the same question..
So, among all your users, there ought to be at least one who you can ask
to take notes and tell you what the virus scanner said. Is this still
going on? Pick a victim and ask them to take notes and let you know
exactly what happens.
Also, can you tell us what logs you are looking at and what you have
found? (Asking you the same thing I am asking you to ask your users. ;-) )
If there is doubt coming from others on the list, it is because they
want it nailed down. Saying, "I know this is a virus", doesn't nail it
down. So, do you have full access to the server? Are you the admin? Can
you look at all the log files? Then tell us what you see and which log
files you see it in.
---------------
Chris Hoogendyk
-
O__ ---- Systems Administrator
c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst
<hoogendyk@xxxxxxxxxxxxx>
---------------
Erdös 4
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
