>>> Installed Plugins
>>> 1. delete_move_next
>>> 2. squirrelspell
>>> 3. newmail
>>> 4. mpppolicygroup
>>> 5. quota_usage
>>>
>>> Available Plugins:
>>> 6. translate
>>> 7. compatibility
>>> 8. spamcop
>>> 9. sent_subfolders
>>> 10. check_quota
>>
>> Version of check_quota plugin? PHP register_globals setting?
>
> check_quota version 1.4
> register_globals = off

OK. We can exclude check_quota.

>>> Per some suggestions in the thread I was able to determine that they are
>>> not using "mailto.php", but rather compose.php:
>>>
>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>> Wrong log entry. What you have in logs before this redirection is made
>> in SquirrelMail. This page only displays a notice that the message is sent.
>
> In another post, I attached the results of a grep for a specific IP.
>
>> If you know the IP of the spammer, check all log entries from that IP address.
>> You must trace the whole path. How do they log in? Is there a legit login for
>> the same account at that time? Which pages are opened?
>
> They appear to emulate a browser, from what I can tell. They are using a
> valid username and password apparently culled from an infected PC
> somewhere.

Which pages? Are they using GET or POST requests? Show the whole request sequence used to send emails. An attacker can change IP address, but the abuse/attack/exploit methods should be the same.

1. GET or POST request of redirect.php
2. Do you have more than one src/compose.php request before the compose.php request with mail_sent=yes? Are they sharing the same session information?

You might have to increase logging in SquirrelMail in order to detect it. Without increased logging you can suspect it if different IP addresses are using src/compose.php without hitting src/redirect.php first.

>> Have you tried to protect your webmail traffic? A signed SSL certificate
>> costs less than 20 USD.
>
> I'd expect they support SSL on their end; this probably wouldn't make
> any difference.

It blocks password sniffers that are not on the user's machine. The user sends the password only once per login, but other requests have enough information to hijack the user's session in standard PHP session setups.

--
Tomas

--
squirrelmail-users mailing list
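A defender-side check for the heuristic Tomas describes (an IP that requests src/compose.php without ever having hit src/redirect.php), written as an added example that is not part of the thread. The log lines are constructed in Apache combined-log format, modelled on the quoted entry, and use documentation IP addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format, modelled on the entry
# quoted in the thread. IPs are documentation addresses; nothing here is real data.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2007:21:50:01 -0500] "POST /webmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Oct/2007:21:50:02 -0500] "GET /webmail/src/webmail.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Oct/2007:21:51:10 -0500] "GET /webmail/src/compose.php?mailbox=INBOX HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Oct/2007:21:52:30 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2007:21:53:00 -0500] "GET /webmail/src/compose.php?mailbox=None&startMessage=0 HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2007:21:53:05 -0500] "POST /webmail/src/compose.php HTTP/1.1" 200 500 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2007:21:53:06 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Oct/2007:21:54:06 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "-" "Mozilla/4.0"
"""

# Client IP, request line (method + path) and status from a combined-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_ips(log_text):
    """Flag IPs that request src/compose.php without an earlier src/redirect.php
    (the SquirrelMail login handler) from the same IP, and count how many
    mail_sent=yes hits each flagged IP produced. Returns {ip: counters}."""
    logged_in = set()          # IPs that went through redirect.php in this window
    stats = defaultdict(lambda: {"compose_without_login": 0, "mail_sent": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip malformed lines rather than crash mid-log
        ip, path = m.group("ip"), m.group("path")
        if "/src/redirect.php" in path:
            logged_in.add(ip)
        elif "/src/compose.php" in path:
            if ip not in logged_in:
                stats[ip]["compose_without_login"] += 1
            if "mail_sent=yes" in path:
                stats[ip]["mail_sent"] += 1
    # Only IPs that never logged in before composing are suspicious.
    return {ip: s for ip, s in stats.items() if s["compose_without_login"]}


if __name__ == "__main__":
    for ip, s in find_suspicious_ips(SAMPLE_LOG).items():
        print(ip, s)
```

Run it over a log window that starts before the logins you care about, otherwise legitimate users whose redirect.php request fell outside the window are flagged too; as Tomas notes, this only raises suspicion, and confirming shared session data needs increased SquirrelMail logging.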