> Matt wrote:
>> On 9/7/07, Chris Hoogendyk <hoogendyk@xxxxxxxxxxxxx> wrote:
>>> Matt wrote:
>>>>> Do you have any proof of a virus logging in? Couldn't it just be
>>>>> plain ol' keyboard logging and the the person who gets the logs
>>>>> (not your intended
>>>>> users) sends out the spam manually? It's technically possible to
>>>>> write a program that logs in automatically, using any kind of mail
>>>>> interface - not just web mail interfaces, as long as you have the
>>>>> password, but without the password it's a harder nut to crack. The
>>>>> key question is: how do the spammers get the password? If they get
>>>>> it through a broken browser caching the user name and password,
>>>>> fix the broken browser.
>>>>>
>>>> I haven't been able to figure out what the name of the virus is,
>>>> yet... however... I doubt it is keyboard logging for the following
>>>> reasons:
>>>>
>>>> 1 - The logins happen from IPs on our network (that is.. someone
>>>> outside didn't capture the login info and then use it). 2 - When the
>>>> user cleans their machine the spam stops going out, even if the
>>>> password is kept the same.
>>>>
>>>> Alot of these users have reported they don't type their
>>>> username/password into webmail, but rather use IE to save it. So
>>>> the virus is getting the username and password out of the IE saved
>>>> password area.
>>>
>>> If you can track the IP, and you can separate 1 and 2 above, that
>>> would be helpful. If you are not a network specialist, get someone to
>>> help you. Capture the traffic between the user machine and your web
>>> server to confirm the activity. Then run diagnostics on the client
>>> machine *before* cleaning it. Identify what the process is that is
>>> originating the traffic, pin down the source, and submit it to
>>> security forums, McAfee, etc.
>>>
>>> If this really is a virus, it seems it would be known. There are a
>>> lot of security people out there who track this stuff. When the user
>>> cleans their machine, I presume you mean running a virus scan? Don't
>>> you get reports from that? Doesn't it tell you that it found something
>>> and what it found? Then you can look that up on the virus and security
>>> sites and get a detailed analysis of it.
>>>
>>> Also, I'm presuming since you can track the IP that you are in fact
>>> looking at the logs on the server and seeing that the hits are against
>>> the web pages. If you haven't confirmed this, and your squirrelmail
>>> server is also your general mail server (which is typical), then it
>>> is possible, and also typical of viruses, that they might simply be
>>> shooting mail out and it is going through your regular mail server
>>> (smtp) without any connection to squirrelmail.
>>>
>>> If you are not examining all the logs on the server, then you should
>>> be. If you are not the sysadmin, then get the help of the sysadmin
>>> and/or somone who is a security specialist. Comparing web logs, imap
>>> logs, auth logs, mail logs, will give you a fuller picture of what is
>>> going on. There is not a whole lot that people on the list can tell
>>> you without real due diligence on your part. We can't (or shouldn't be
>>> expected to) dig into your server as root and see what is really going
>>> on.
>>>
>>> Once you've nailed it down, you have to take action. Clean up all the
>>> computers on your network. Tell your users not to save their logins
>>> on IE. Even tell them not to use IE ("Internet Exploder" if that helps
>>> get the point across). Firefox is more reliable and secure. Configure
>>> it to never save login or form information.
>>
>> All great advise... except these are users on a broadband and dial-up
>> network. Being the normal luser... they clean their system with a virus
>> scanner... say ok it's clean (And it is) but fail to remember or note
>> what the scanner found.. so I have no idea what virus it is... what I do
>> know is there was just a large worm that went around, and it
>> corresponded with that outbreak.
>>
>> I will have to try a packet capture next time it happens.
>>
>> The purpose of my post here is not to have others did into my servers.
>> The purpose was to find out if anyone else is seeing this. I find it
>> hard to believe no one else is seeing it.... especially since I've seen
>> other posts with the same question..
>
> So, among all your users, there ought to be at least one who you can ask
> to take notes and tell you what the virus scanner said. Is this still
> going on? Pick a victim and ask them to take notes and let you know
> exactly what happens.
>
> Also, can you tell us what logs you are looking at and what you have
> found? (Asking you the same thing I am asking you to ask your users. ;-)
> )
>
> If there is doubt coming from others on the list, it is because they
> want it nailed down. Saying, "I know this is a virus", doesn't nail it
> down. So, do you have full access to the server? Are you the admin? Can
> you look at all the log files? Then tell us what you see and which log
> files you see it in.
Hi Matt.
Were you ever able to crack this nut? Did you find the name of the virus,
or was it something else causing the problem? I'd love to hear what caused
it, not just that it went away when running a virus/trojan/backdoor
cleaner.
Sincerely,
Fredrik
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
