Re: Spam Sent From WebMail

Ken A wrote:
> Nick Bright wrote:
>
>> Per some suggestions in the thread I was able to determine that they are
>> not using "mailto.php", but rather compose.php:
>>
>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> Are you saying that was the only entry in the log from that IP? They only hit compose.php? If not, what was the sequence of events?

There were many hits from quite a few different IP addresses, and they all looked similar to that. I've extracted log entries from that IP address, and attached the file to this message.

From what I can tell it logs in, then hits compose.php repeatedly.

 - Nick

> Ken
>
>> Nobody can reasonably expect an ISP to keep every single user's PC clean
>> of trashware constantly, so accordingly there needs to be some way to
>> mitigate the impact of this type of issue at the common point - the SquirrelMail installation. It doesn't seem to me like this is a bug or a security vulnerability in SM since a valid user's password was compromised, but is there any way to mitigate this type of thing?
>>
>> I would appreciate any feedback regarding this topic and methods of
>> mitigating damage done by compromised accounts. I will also answer any
>> questions that may help develop a method of mitigation.
>>
>> - Nick Bright
>>   Terra World
>>   http://home.terraworld.net

196.1.179.183 - - [08/Oct/2007:12:05:31 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [08/Oct/2007:12:05:33 -0500] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 7396 "http://webmail.terraworld.net/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [08/Oct/2007:12:06:11 -0500] "GET /webmail/src/login.php HTTP/1.1" 200 12634 "http://webmail.terraworld.net/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [08/Oct/2007:12:07:01 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 200 1201 "http://webmail.terraworld.net/webmail/src/login.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:26:26 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:26:28 -0500] "GET /webmail/images/sm_logo.png HTTP/1.1" 200 7396 "http://webmail.terraworld.net/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:29:22 -0500] "GET /webmail/src/login.php HTTP/1.1" 200 12615 "http://webmail.terraworld.net/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:15 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/login.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:18 -0500] "GET /webmail/src/webmail.php?right_frame=/webmail/src/webmail.php HTTP/1.1" 200 351 "http://webmail.terraworld.net/webmail/src/login.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:21 -0500] "GET /webmail/src/%2Fwebmail%2Fsrc%2Fwebmail.php HTTP/1.1" 404 322 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:30:21 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2876 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:35 -0500] "GET /webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX HTTP/1.1" 200 5253 "http://webmail.terraworld.net/webmail/src/left_main.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:38 -0500] "GET /webmail/images/down_pointer.png HTTP/1.1" 200 272 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:39 -0500] "GET /webmail/images/sort_none.png HTTP/1.1" 200 289 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:31:40 -0500] "GET /webmail/src/options.php HTTP/1.1" 200 6472 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:32:27 -0500] "GET /webmail/src/options.php?optpage=personal HTTP/1.1" 200 36209 "http://webmail.terraworld.net/webmail/src/options.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:32:45 -0500] "GET /webmail/src/options.php?optpage=personal HTTP/1.1" 200 38088 "http://webmail.terraworld.net/webmail/src/options.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:35:06 -0500] "GET /webmail/src/options_identities.php HTTP/1.1" 200 9737 "http://webmail.terraworld.net/webmail/src/options.php?optpage=personal"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:40:31 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2876 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:44:05 -0500] "POST /webmail/src/options_identities.php HTTP/1.1" 200 14158 "http://webmail.terraworld.net/webmail/src/options_identities.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:44:21 -0500] "POST /webmail/src/options_identities.php HTTP/1.1" 200 14158 "http://webmail.terraworld.net/webmail/src/options_identities.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:44:36 -0500] "GET /webmail/src/options.php HTTP/1.1" 200 6472 "http://webmail.terraworld.net/webmail/src/options_identities.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:44:42 -0500] "GET /webmail/src/options.php?optpage=display HTTP/1.1" 200 17922 "http://webmail.terraworld.net/webmail/src/options.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:44:55 -0500] "POST /webmail/src/options.php HTTP/1.1" 200 6644 "http://webmail.terraworld.net/webmail/src/options.php?optpage=display"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:45:03 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 5087 "http://webmail.terraworld.net/webmail/src/options.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:45:18 -0500] "GET /webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX HTTP/1.1" 200 5133 "http://webmail.terraworld.net/webmail/src/left_main.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:45:22 -0500] "GET /webmail/images/down_pointer.png HTTP/1.1" 200 272 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:45:22 -0500] "GET /webmail/images/sort_none.png HTTP/1.1" 200 289 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:45:26 -0500] "GET /webmail/src/options.php HTTP/1.1" 200 6761 "http://webmail.terraworld.net/webmail/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:46:19 -0500] "GET /webmail/src/options.php?optpage=personal HTTP/1.1" 200 38377 "http://webmail.terraworld.net/webmail/src/options.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:46:57 -0500] "GET /webmail/src/options_identities.php HTTP/1.1" 200 14447 "http://webmail.terraworld.net/webmail/src/options.php?optpage=personal"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:47:16 -0500] "POST /webmail/src/options_identities.php HTTP/1.1" 200 10026 "http://webmail.terraworld.net/webmail/src/options_identities.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:47:54 -0500] "POST /webmail/src/options_identities.php HTTP/1.1" 200 11432 "http://webmail.terraworld.net/webmail/src/options_identities.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:14 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 10140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:17 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 11723 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:27 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 13306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:29 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 14889 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:34 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 16472 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:40 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 18055 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:45 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 19638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:52 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 21221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:48:52 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 22804 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:50:34 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2876 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:09 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:16 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:24 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:32 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 24430 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:41 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:50 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:51:59 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 26014 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:52:09 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:52:25 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 27598 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:52:30 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:52:59 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:53:08 -0500] "POST /webmail/src/compose.php HTTP/1.1" 302 - "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:53:25 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 29182 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:53:31 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 30766 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:53:45 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 32350 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:53:49 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 33934 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:53:56 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 35518 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:22:00:36 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2782 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:22:10:40 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2782 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
196.1.179.183 - - [07/Oct/2007:22:20:46 -0500] "GET /webmail/src/left_main.php HTTP/1.1" 200 2782 "http://webmail.terraworld.net/webmail/src/webmail.php?right_frame=/webmail/src/webmail.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[client 196.1.179.183] PHP Notice:  Undefined index:  username in /usr/share/squirrelmail/src/compose.php on line 287, referer: http://webmail.terraworld.net/webmail/src/options.php

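The pattern described in this message (a login followed by repeated compose.php requests from one client) can be looked for in an Apache access log. The following is an added example, not part of the original thread and not SquirrelMail code: the function names, the threshold of 5 events per 5 minutes and the sample log lines (documentation-range IP addresses) are assumptions, and one sent message may produce both a POST and a `mail_sent=yes` request, so the count is of requests rather than messages.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line; only the fields this check needs are captured,
# so trailing debris after the status code (e.g. a stray ';') is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def is_send_event(method, url):
    """POST to compose.php, or the mail_sent=yes page shown after a send."""
    path, _, query = url.partition("?")
    if not path.endswith("/src/compose.php"):
        return False
    return method == "POST" or "mail_sent=yes" in query.split("&")

def flag_bulk_senders(lines, max_events=5, window=timedelta(minutes=5)):
    """Return {ip: peak send events in any window} for IPs above max_events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_send_event(m["method"], m["url"]):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"]))
    events.sort()  # extracted logs are not always in time order
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop events older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_events}

def _line(ip, ts, method, url):
    """Build one constructed log line (not taken from the thread)."""
    return (f'{ip} - - [{ts} -0500] "{method} {url} HTTP/1.1" 200 1234 '
            '"-" "Mozilla/4.0 (compatible)"')

# Constructed sample: one ordinary user, one session sending in a burst.
SAMPLE = [
    _line("203.0.113.20", "07/Oct/2007:09:00:00", "POST", "/webmail/src/compose.php"),
    _line("203.0.113.20", "07/Oct/2007:09:10:00", "GET",
          "/webmail/src/compose.php?mail_sent=yes"),
    _line("198.51.100.7", "07/Oct/2007:21:45:03", "GET",
          "/webmail/src/compose.php?mailbox=None&startMessage=0"),
] + [_line("198.51.100.7", f"07/Oct/2007:21:51:{s:02d}", "POST",
           "/webmail/src/compose.php") for s in range(0, 60, 8)]

if __name__ == "__main__":
    for ip, n in flag_bulk_senders(SAMPLE).items():
        print(f"{ip}: {n} compose.php send events within 5 minutes")
```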