Re: Spam Sent From WebMail

Fredrik Jervfors wrote:
Matt wrote:
On 9/7/07, Chris Hoogendyk <hoogendyk@xxxxxxxxxxxxx> wrote:
Matt wrote:
Do you have any proof of a virus logging in? Couldn't it just be
plain ol' keyboard logging and the person who gets the logs
(not your intended
users) sends out the spam manually? It's technically possible to
write a program that logs in automatically, using any kind of mail
interface - not just web mail interfaces, as long as you have the
password, but without the password it's a harder nut to crack. The
key question is: how do the spammers get the password? If they get
it through a broken browser caching the user name and password,
fix the broken browser.

I haven't been able to figure out what the name of the virus is,
yet... however... I doubt it is keyboard logging for the following
reasons:

1 - The logins happen from IPs on our network (that is... someone
outside didn't capture the login info and then use it).
2 - When the user cleans their machine the spam stops going out, even if the
password is kept the same.

A lot of these users have reported they don't type their
username/password into webmail, but rather use IE to save it.  So
the virus is getting the username and password out of the IE saved
password area.
If you can track the IP, and you can separate 1 and 2 above, that
would be helpful. If you are not a network specialist, get someone to
help you. Capture the traffic between the user machine and your web
server to confirm the activity. Then run diagnostics on the client
machine *before* cleaning it. Identify what the process is that is
originating the traffic, pin down the source, and submit it to
security forums, McAfee, etc.

If this really is a virus, it seems it would be known. There are a
lot of security people out there who track this stuff. When the user
cleans their machine, I presume you mean running a virus scan? Don't
you get reports from that? Doesn't it tell you that it found something
and what it found? Then you can look that up on the virus and security
sites and get a detailed analysis of it.

Also, I'm presuming since you can track the IP that you are in fact
looking at the logs on the server and seeing that the hits are against
the web pages. If you haven't confirmed this, and your squirrelmail
server is also your general mail server (which is typical), then it
is possible, and also typical of viruses, that they might simply be
shooting mail out and it is going through your regular mail server
(smtp) without any connection to squirrelmail.

If you are not examining all the logs on the server, then you should
be. If you are not the sysadmin, then get the help of the sysadmin
and/or somone who is a security specialist. Comparing web logs, imap
logs, auth logs, mail logs, will give you a fuller picture of what is
going on. There is not a whole lot that people on the list can tell
you without real due diligence on your part. We can't (or shouldn't be
expected to) dig into your server as root and see what is really going
on.

Once you've nailed it down, you have to take action. Clean up all the
computers on your network. Tell your users not to save their logins
on IE. Even tell them not to use IE ("Internet Exploder" if that helps
get the point across). Firefox is more reliable and secure. Configure
it to never save login or form information.
All great advice... except these are users on a broadband and dial-up
network.  Being the normal luser... they clean their system with a virus
scanner... say ok it's clean (And it is) but fail to remember or note
what the scanner found.. so I have no idea what virus it is... what I do
know is there was just a large worm that went around, and it
corresponded with that outbreak.

I will have to try a packet capture next time it happens.

The purpose of my post here is not to have others dig into my servers.
The purpose was to find out if anyone else is seeing this.  I find it
hard to believe no one else is seeing it.... especially since I've seen
other posts with the same question..
So, among all your users, there ought to be at least one who you can ask
to take notes and tell you what the virus scanner said. Is this still
going on? Pick a victim and ask them to take notes and let you know
exactly what happens.

Also, can you tell us what logs you are looking at and what you have
found? (Asking you the same thing I am asking you to ask your users. ;-) )

If there is doubt coming from others on the list, it is because they
want it nailed down. Saying, "I know this is a virus", doesn't nail it
down. So, do you have full access to the server? Are you the admin? Can
you look at all the log files? Then tell us what you see and which log
files you see it in.

Hi Matt.

Were you ever able to crack this nut? Did you find the name of the virus,
or was it something else causing the problem? I'd love to hear what caused
it, not just that it went away when running a virus/trojan/backdoor
cleaner.

Sincerely,
Fredrik


I'm not sure if he found a way to combat the problem, but I have had the same issue twice now. In both cases it wasn't a virus/trojan on the user's machine that was doing the sending, but actually a botnet using compromised authorization information. In the first bout of this, it was weak passwords. We corrected all weak passwords on the system; that was about three months ago.

This time, a user's PC appears to have been infected with a trojan of some sort which was able to pull their username & password out of something (suspect IE saved forms), then the botnet used that to relay mail out of squirrelmail. I've since followed the instructions on the wiki to turn off autocomplete on the login form.

Obviously, this isn't a bug in squirrelmail, but given the environment on the internet right now, perhaps one fix might be for the SM team to re-code whatever is allowing these POST URLs to send mail. Turning off autocomplete might also be a sane default.

Regardless of that, here's a few details on my system:

CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos. Plugins are:

  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. mpppolicygroup
    5. quota_usage

Apache version httpd-2.0.52-32.3.ent.centos4 w/ mod_access_rbl
PHP version php-4.3.9-3.22.9

Some more thoughts:

Per some suggestions in the thread I was able to determine that they are
not using "mailto.php", but rather compose.php:

/var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
"GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
"http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Nobody can reasonably expect an ISP to keep every single user's PC clean
of trashware constantly, so accordingly there needs to be some way to
mitigate the impact of this type of issue at the common point - the
SquirrelMail installation. It doesn't seem to me like this is a bug or a
security vulnerability in SM since a valid user's password was
compromised, but is there any way to mitigate this type of thing?

I would appreciate any feedback regarding this topic and methods of
mitigating damage done by compromised accounts. I will also answer any
questions that may help develop a method of mitigation.

- Nick Bright
  Terra World
  http://home.terraworld.net
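As an added illustration of the log-comparison advice given earlier in the thread and of the compose.php?mail_sent=yes hits Nick reports (this is example code added here, not part of the thread, the SquirrelMail project, or Terra World's setup), the script below parses Apache combined-format access_log lines and flags source IPs that complete more than a threshold number of sends inside a sliding time window, which is the shape a relayed-spam session leaves behind. The sample log lines, the 192.0.2.x addresses (documentation range), the webmail.example.net hostname and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the layout of the access_log line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_mail_sent(entry):
    """True for the compose.php?mail_sent=yes page SquirrelMail serves after a send."""
    url = urlsplit(entry["path"])
    return (url.path.endswith("/compose.php")
            and parse_qs(url.query).get("mail_sent") == ["yes"])


def find_bursty_senders(lines, max_sends=5, window=timedelta(minutes=10)):
    """Map source IP -> peak number of successful sends observed inside any
    `window`, for IPs whose peak exceeds `max_sends`. Unparseable lines and
    non-200 responses are skipped."""
    sends = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and entry["status"] == "200" and is_mail_sent(entry):
            sends[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, stamps in sends.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until every stamp in [start, end] fits in `window`.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_sends:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log (not real traffic): 192.0.2.10 completes seven sends in
# about three minutes; 192.0.2.20 sends twice in an hour and browses in between.
_UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
_REF = '"http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0"'


def _sent(ip, hhmmss):
    return (f'{ip} - - [07/Oct/2007:{hhmmss} -0500] '
            f'"GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 {_REF} {_UA}')


SAMPLE_LOG = [
    _sent("192.0.2.20", "20:10:00"),
    f'192.0.2.20 - - [07/Oct/2007:20:31:40 -0500] "GET /webmail/src/right_main.php HTTP/1.1" 200 5120 "-" {_UA}',
    _sent("192.0.2.20", "21:05:00"),
    _sent("192.0.2.10", "21:54:10"),
    _sent("192.0.2.10", "21:54:42"),
    _sent("192.0.2.10", "21:55:05"),
    "this line is not a log entry",
    _sent("192.0.2.10", "21:55:30"),
    _sent("192.0.2.10", "21:56:01"),
    _sent("192.0.2.10", "21:56:40"),
    _sent("192.0.2.10", "21:57:12"),
]

if __name__ == "__main__":
    for ip, peak in find_bursty_senders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} sends inside one window; check this session against the IMAP/auth logs")
```

The access_log alone gives the source IP, not the account, so the next step in the triage Chris describes is to join the flagged IP and timestamps against the IMAP or auth log that records the login, which names the compromised user and lets you reset that one password rather than hunting across the whole user base. The same windowed count works per username once that join is done, and a low threshold makes a reasonable alert for an ISP-sized webmail install where an ordinary user rarely sends more than a handful of messages in ten minutes.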




--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
