On 2012-06-11 16:50, Giles Coochey wrote:
> On 11/06/2012 16:30, Bumo wrote:
>> Hi, I have a frontend server on a DMZ running RH ES 3 up3 and
>> squirrelmail 1.4.8, php 4.3.2.
>> Thousands of emails were sent on two occasions and the only evidence
>> of the abuse was in the access_log (squirrel_logger): an entry from the
>> ip which was sending the messages.
>>
>> There was no evidence of a brute force attack. In fact there weren't
>> many entries in access_log of failed logins. Well, I don't know if this
>> is enough to say that I wasn't under a brute force attack.
>>
>> However now I'm asking myself if a spammer, getting the login
>> credentials in squirrelmail (IMAP auth toward the local imap server),
>> can send thousands of emails in an automatic way.
>> Temporarily I blocked the original ip range at firewall level but I
>> think this can only delay the next attack.
>>
>> I'm working on lockout plugin and captcha, but before going on, I
>> should know if in this case squirrel is the weakest part of this
>> puzzle.
>>
>> Any suggestion?
>>
>> Thanks in advance,
>> Leo
>>
> Goodness...
>
> upgrade:
>
> Redhat ES3 update 3 (released 2004 - 8 years old)
> Squirrelmail 1.4.8 (released 2006 - 6 years old)
> & PHP 4.3.2 (released 2003 - 9 years old)
>
> There must be any number of vulnerabilities for that system.
>

http://squirrelmail.org/security/
http://secunia.com/advisories/product/2535/?task=advisories
http://www.xatrix.org/article/multiple-php4-5-vulnerabilities/4369/

Just a number of google searches after a couple of minutes looking...

It wouldn't surprise me if someone ran any form of reasonably recent vulnerability scanner / pentesting tool against your server and it showed up something. If cost is an issue to upgrading your base RedHat then perhaps you should look at an OSS alternative such as CentOS.
Some have suggested MTA rate limiting and implementing SSL - all good suggestions, but the main weakness here is that it doesn't appear that anyone is managing the software installed on this server. If this has been running with sendmail / apache visible to the world for the last 8 years or so then I would expect that the server has been completely compromised. I would back up the user data and go back to a bare metal install with a recent base Operating System.

--
Regards,
Giles Coochey, CCNA, CCNA Security
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@xxxxxxxxxxx

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
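The thread turns on one piece of evidence: a webmail access log showing a single source IP sending thousands of messages, with almost no failed logins beforehand (a valid credential being abused rather than guessed). As an added illustration that is not part of this thread, and not SquirrelMail or squirrel_logger code, the script below shows the kind of log review that surfaces that pattern early: it counts sends per (user, source IP) in a sliding time window and reports, alongside each alert, how many failed logins that IP produced, so the reviewer can tell "credential already in hand" from "credential guessed". The line format, the sample log and the thresholds are all constructed assumptions for this example; a real logger plugin writes a different format, so `LINE_RE` must be adapted to it.

```python
"""Sliding-window send-rate review over a webmail access log.

Assumed (constructed) line format, one event per line:
    YYYY-MM-DD HH:MM:SS <LOGIN_OK|LOGIN_FAIL|SEND> user=<login> ip=<addr>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|SEND) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed format (so corrupt or unrelated lines are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "user": m["user"],
        "ip": m["ip"],
    }


def analyse(lines, window=timedelta(minutes=10), max_sends=20):
    """Return one alert per (user, ip) pair whose SEND count inside any
    `window` exceeds `max_sends`. Each alert also carries the number of
    LOGIN_FAIL events seen from that IP so far, which is the signal the
    original poster used to rule brute force in or out."""
    sends = defaultdict(deque)  # (user, ip) -> send timestamps in the window
    fails = defaultdict(int)    # ip -> failed login count
    alerted = set()
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAIL":
            fails[rec["ip"]] += 1
            continue
        if rec["event"] != "SEND":
            continue
        key = (rec["user"], rec["ip"])
        q = sends[key]
        q.append(rec["ts"])
        # Drop sends that fell out of the window relative to this one.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_sends and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": rec["user"],
                "ip": rec["ip"],
                "sends_in_window": len(q),
                "failed_logins_from_ip": fails[rec["ip"]],
                "first_seen": q[0],
                "last_seen": rec["ts"],
            })
    return alerts


def build_sample_log():
    """Constructed sample: one account logs in once from 192.0.2.10 with no
    failed attempts and then sends a burst; a second account shows the
    ordinary one-typo-then-success pattern with a single send."""
    start = datetime(2012, 6, 10, 2, 11, 3)
    lines = [f"{start:%Y-%m-%d %H:%M:%S} LOGIN_OK user=leo ip=192.0.2.10"]
    for i in range(40):
        ts = start + timedelta(seconds=6 + 2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} SEND user=leo ip=192.0.2.10")
    lines += [
        "this line is deliberately malformed and must be skipped",
        "2012-06-10 09:00:00 LOGIN_FAIL user=anna ip=198.51.100.7",
        "2012-06-10 09:00:05 LOGIN_OK user=anna ip=198.51.100.7",
        "2012-06-10 09:03:00 SEND user=anna ip=198.51.100.7",
    ]
    return lines


if __name__ == "__main__":
    for a in analyse(build_sample_log()):
        print(f"{a['user']}@{a['ip']}: {a['sends_in_window']} sends between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}, "
              f"{a['failed_logins_from_ip']} failed logins from that IP")
```

The window and threshold are deliberately conservative placeholders; tune them against a week of normal traffic before acting on alerts, and feed the flagged (user, ip) pairs into whatever lockout or MTA rate-limit control is in place rather than blocking source ranges by hand, since a blocked range only delays the next attempt with the same stolen credential.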