Tomas Kuliavas wrote:
>>>> Installed Plugins
>>>> 1. delete_move_next
>>>> 2. squirrelspell
>>>> 3. newmail
>>>> 4. mpppolicygroup
>>>> 5. quota_usage
>>>>
>>>> Available Plugins:
>>>> 6. translate
>>>> 7. compatibility
>>>> 8. spamcop
>>>> 9. sent_subfolders
>>>> 10. check_quota
>>> Version of check_quota plugin? PHP register_globals setting?
>> check_quota version 1.4
>> register_globals = off
>
> OK. We can exclude check_quota.
>
>>>> Per some suggestions in the thread I was able to determine that they are
>>>> not using "mailto.php", but rather compose.php:
>>>>
>>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>> Wrong log entry. What you have in logs before this redirection is made in
>>> SquirrelMail. This page only displays notice that message is sent.
>> In another post, I attached the results of a grep for a specific IP.
>>
>>> If you know ip of spammer, check all log entries from that ip address. You
>>> must trace whole path. How do they log in? Is there a legit login for same
>>> account at that time? Which pages are opened?
>> They appear to emulate a browser, from what I can tell. They are using a
>> valid username and password apparently culled from an infected PC
>> somewhere.
>
> Which pages? Are they using GET or POST requests? Show whole request
> sequence used to send emails. Attacker can change IP address, but
> abuse/attack/exploit methods should be the same.
>
> 1. GET or POST request of redirect.php
> 2. Do you have more than one src/compose.php request before compose.php
> request with mail_sent=yes?

I already sent a message to the list with a log attached, on 10/9 around 11:23am CST.
To avoid reposting the same information, could you look at that message, or reply to me off list and I can send you the file.

To summarize:

GET webmail.php
GET sm_logo.php
GET login.php
POST redirect.php
GET webmail.php
GET %2Fwebmail%2Fsrc%2Fwebmail.php (I thought this one was odd)
GET left_main.php
GET right_main.php
GET options.php
GET options.php?optpage=personal
GET options_identities.php
POST options_identities.php
GET options.php
POST options.php
GET compose.php?mailbox=None&startMessage=0 <repeats>
POST compose.php "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0" <repeats>
GET compose.php?mail_sent=yes <repeats>

> Are they sharing same session information? You might have to increase
> logging in SquirrelMail in order to detect it. Without increased logging
> you can suspect it, if different IP addresses are using src/compose.php
> without hitting src/redirect.php first.
>
>>> Have you tried to protect your webmail traffic? Signed SSL certificate
>>> costs less than 20 USD.
>> I'd expect they support SSL on their end, this probably wouldn't make
>> any difference.
>
> It blocks password sniffers that are not on user's machine. User sends
> password only once per login, but other requests have enough information
> to hijack user's session in standard PHP session setups.
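The detection rule Tomas describes (an address that reaches src/compose.php without first logging in through src/redirect.php) and the request sequence summarised above can be checked mechanically over the Apache access log. The script below is an added example written for this thread; it is not code from the thread or from the SquirrelMail project. It parses combined-format log lines, groups them by client IP, and flags an IP that (a) produces compose.php?mail_sent=yes hits without any POST to redirect.php from that IP, or (b) produces more sends in a short window than a normal user would. The log lines, the 192.0.2.x addresses and the thresholds (5 sends in 10 minutes) are constructed for the demonstration; tune them to your own traffic.

```python
"""Scan SquirrelMail Apache access-log lines for two abuse signals:
an IP that sends mail (compose.php?mail_sent=yes) without ever logging in
through src/redirect.php from that same IP, and an IP that pushes an
unusually large number of sends inside a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, max_sends=5, window=timedelta(minutes=10)):
    """Group requests by client IP and return the IPs that look like abuse."""
    by_ip = defaultdict(lambda: {"logins": 0, "sends": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than abort the scan
        path = rec["path"]
        st = by_ip[rec["ip"]]
        if rec["method"] == "POST" and path.endswith("/src/redirect.php"):
            st["logins"] += 1          # a real login from this IP
        if "/src/compose.php" in path and "mail_sent=yes" in path:
            st["sends"].append(rec["time"])  # one delivered message

    findings = {}
    for ip, st in by_ip.items():
        reasons = []
        sends = sorted(st["sends"])
        if sends and st["logins"] == 0:
            reasons.append("sends mail without logging in via redirect.php from this IP")
        # sliding window: any run of more than max_sends sends inside `window`
        for i in range(len(sends)):
            j = i
            while j < len(sends) and sends[j] - sends[i] <= window:
                j += 1
            if j - i > max_sends:
                reasons.append(f"{j - i} sends within {window}")
                break
        if reasons:
            findings[ip] = {"logins": st["logins"], "sends": len(sends), "reasons": reasons}
    return findings


def _line(ip, ts, method, path, referer="-", status="200"):
    """Build one constructed combined-format log line for the demo."""
    return (f'{ip} - - [{ts} -0500] "{method} {path} HTTP/1.1" {status} 1234 '
            f'"{referer}" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')


# Constructed sample log: one legitimate session and one abusive client.
SAMPLE_LOG = [
    _line("192.0.2.10", "07/Oct/2007:21:50:01", "GET", "/webmail/src/login.php"),
    _line("192.0.2.10", "07/Oct/2007:21:50:05", "POST", "/webmail/src/redirect.php", status="302"),
    _line("192.0.2.10", "07/Oct/2007:21:50:06", "GET", "/webmail/src/webmail.php"),
    _line("192.0.2.10", "07/Oct/2007:21:52:00", "GET", "/webmail/src/compose.php?mailbox=None&startMessage=0"),
    _line("192.0.2.10", "07/Oct/2007:21:53:30", "POST", "/webmail/src/compose.php", status="302"),
    _line("192.0.2.10", "07/Oct/2007:21:53:31", "GET", "/webmail/src/compose.php?mail_sent=yes"),
]
# The second client never hits redirect.php and fires eight sends in seven minutes.
for n in range(8):
    SAMPLE_LOG.append(_line("192.0.2.77", f"07/Oct/2007:22:0{n}:10", "POST",
                            "/webmail/src/compose.php", status="302"))
    SAMPLE_LOG.append(_line("192.0.2.77", f"07/Oct/2007:22:0{n}:11", "GET",
                            "/webmail/src/compose.php?mail_sent=yes"))

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log with `analyse(open("/var/log/httpd/access_log"))`. The first rule only sees session sharing across addresses, so a spammer who logs in normally with a stolen password (as described above) is caught by the rate rule alone; SquirrelMail's own login log or the IMAP server's log is the place to correlate the account name with both the legitimate user's and the abuser's addresses.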
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users