On Fri, Oct 30, 2009 at 2:07 PM, Andrew Daviel <advax@xxxxxxxxx> wrote: > > We had a user account compromised somehow (bad guys got the password). > > The user has changed their password. > How can I kick off any logged-in sessions and make sure they can't login > without knowing the new password ? As others have suggested, restart imapproxy if you use it and grep for PHP session files with the username in them and delete those. That's probably the least intrusive (to any other users) method. > I zapped the security tokes in user prefs (seemed like a good idea) > > BTW, interesting spammer technique - replaced the squirrelmail signature > with the message, then sent empty messages) You can (could have) stopped this almost right away with MTA rate-limiting or by using the Restrict Senders plugin. The Squirrel Logger plugin could also have alerted you to the problem. If the attacker got the password by guessing on the login page, you can use the Lockout and/or CAPTCHA plugins to block such attempts. -- Paul Lesniewski SquirrelMail Team Please support Open Source Software by donating to SquirrelMail! http://squirrelmail.org/donate_paul_lesniewski.php ------------------------------------------------------------------------------ Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
