Re: Spam Sent From WebMail

Matt wrote:
>> Do you have any proof of a virus logging in? Couldn't it just be plain ol'
>> keyboard logging and the person who gets the logs (not your intended
>> users) sends out the spam manually? It's technically possible to write a
>> program that logs in automatically, using any kind of mail interface - not
>> just web mail interfaces, as long as you have the password, but without
>> the password it's a harder nut to crack. The key question is: how do the
>> spammers get the password? If they get it through a broken browser caching
>> the user name and password, fix the broken browser.
>>
>
> I haven't been able to figure out what the name of the virus is,
> yet... however... I doubt it is keyboard logging for the following
> reasons:
>
> 1 - The logins happen from IPs on our network (that is.. someone
> outside didn't capture the login info and then use it).
> 2 - When the user cleans their machine the spam stops going out, even
> if the password is kept the same.
>
> A lot of these users have reported they don't type their
> username/password into webmail, but rather use IE to save it.  So the
> virus is getting the username and password out of the IE saved
> password area.

If you can track the IP, and you can separate 1 and 2 above, that would
be helpful. If you are not a network specialist, get someone to help
you. Capture the traffic between the user machine and your web server to
confirm the activity. Then run diagnostics on the client machine
*before* cleaning it. Identify what the process is that is originating
the traffic, pin down the source, and submit it to security forums,
McAfee, etc.

If this really is a virus, it seems it would be known. There are a lot
of security people out there who track this stuff. When the user cleans
their machine, I presume you mean running a virus scan? Don't you get
reports from that? Doesn't it tell you that it found something and what
it found? Then you can look that up on the virus and security sites and
get a detailed analysis of it.

Also, I'm presuming since you can track the IP that you are in fact
looking at the logs on the server and seeing that the hits are against
the web pages. If you haven't confirmed this, and your squirrelmail
server is also your general mail server (which is typical), then it is
possible, and also typical of viruses, that they might simply be
shooting mail out and it is going through your regular mail server
(smtp) without any connection to squirrelmail.

If you are not examining all the logs on the server, then you should be.
If you are not the sysadmin, then get the help of the sysadmin and/or
someone who is a security specialist. Comparing web logs, imap logs, auth
logs, mail logs, will give you a fuller picture of what is going on.
There is not a whole lot that people on the list can tell you without
real due diligence on your part. We can't (or shouldn't be expected to)
dig into your server as root and see what is really going on.

Once you've nailed it down, you have to take action. Clean up all the
computers on your network. Tell your users not to save their logins on
IE. Even tell them not to use IE ("Internet Exploder" if that helps get
the point across). Firefox is more reliable and secure. Configure it to
never save login or form information.



---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogendyk@xxxxxxxxxxxxx>

--------------- 

Erdös 4
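One way to do the log comparison recommended above (web logs against mail logs, to see whether the spam actually went through SquirrelMail or straight to the MTA), as an added example that is not from the list thread or the SquirrelMail project: it correlates hits on the webmail send script in the Apache access log with Postfix smtpd client lines by time. The log formats, the `src/compose.php` path, the webmail host address and every sample line are constructed assumptions; adjust the regexes to your own server's logs.

```python
"""Split MTA submissions into webmail-originated vs direct SMTP by correlating
SquirrelMail send hits (Apache access log) with Postfix smtpd client lines."""
import re
from datetime import datetime

# Constructed Apache combined-log excerpt from the webmail vhost (assumed format).
ACCESS_LOG = """\
10.1.2.3 - - [10/Oct/2007:14:02:11 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0
10.1.2.3 - - [10/Oct/2007:14:02:40 -0500] "POST /squirrelmail/src/compose.php HTTP/1.1" 302 0
10.1.2.9 - - [10/Oct/2007:09:15:00 -0500] "GET /squirrelmail/src/login.php HTTP/1.1" 200 1450
"""
# Constructed Postfix smtpd lines; mail sent via SquirrelMail arrives from the webmail host itself.
MAIL_LOG = """\
Oct 10 14:02:41 mx postfix/smtpd[2231]: 7A1B2C: client=localhost[127.0.0.1]
Oct 10 14:20:05 mx postfix/smtpd[2240]: 8B2C3D: client=unknown[10.1.2.9]
Oct 10 14:20:06 mx postfix/smtpd[2240]: 9C3D4E: client=unknown[10.1.2.9]
"""
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:POST|GET) (\S+)')
MTA_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
                    r'(\w+): client=\S*?\[([\d.]+)\]')
SEND_SCRIPT = '/src/compose.php'  # assumed SquirrelMail send endpoint

def webmail_sends(access_log):
    """(timestamp, client ip) per send-script hit; tz offset dropped, both logs assumed local time."""
    sends = []
    for line in access_log.splitlines():
        m = WEB_RE.match(line)
        if m and m.group(3).endswith(SEND_SCRIPT):
            ts = datetime.strptime(m.group(2).split()[0], '%d/%b/%Y:%H:%M:%S')
            sends.append((ts, m.group(1)))
    return sends

def classify(access_log, mail_log, year=2007, webmail_hosts=('127.0.0.1',), window=120):
    """Return (queue id, smtp client, verdict) per submission: a submission from the webmail
    host is tied to the user IP whose compose hit is within `window` seconds; any other
    client IP submitted mail directly to the MTA and never touched webmail."""
    sends = webmail_sends(access_log)
    verdicts = []
    for line in mail_log.splitlines():
        m = MTA_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S')
        qid, client = m.group(2), m.group(3)
        if client in webmail_hosts:
            near = [ip for t, ip in sends if abs((ts - t).total_seconds()) <= window]
            verdict = f'webmail compose from {near[0]}' if near else 'webmail host, no compose hit'
        else:
            verdict = 'direct SMTP from client, webmail not involved'
        verdicts.append((qid, client, verdict))
    return verdicts
```

With the constructed samples, `classify(ACCESS_LOG, MAIL_LOG)` attributes the first message to a webmail compose from 10.1.2.3 and flags the two from 10.1.2.9 as direct SMTP, even though that host had visited the webmail login page hours earlier.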



--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

