Your message dated Mon, 19 Dec 2005 01:33:31 +0100 (CET)
with message-id <[EMAIL PROTECTED]>
and subject line Bug#342155: Squirrelmail
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: "Ulrich Huber" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Squirrelmail
Date: Mon, 5 Dec 2005 22:19:45 +0100
Package: Squirrelmail
Version 1.4.4-6sarge1
I think there might be a security problem with squirrelmail. I got 2
different servers hacked, both of them have the following appearing in the
logfiles:
210.95.202.253 - - [03/Dec/2005:02:59:29 +0100] "z`0\x01J\xaa\x02`\xb9\xe7\x92\x88z\x05\x9c\xd4?\x88E\xb5\x80\v" 501 - "-" "-"
127.0.0.1 - - [03/Dec/2005:03:00:26 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:00:32 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:00:37 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
210.95.202.253 - - [03/Dec/2005:03:04:10 +0100] "z`0\x01J\xaa\x02`\xb9\xe7\x92\x88z\x05\x9c\xd4?\x88E\xb5\x80\x0f" 501 - "-" "-"
172.183.72.111 - - [03/Dec/2005:03:04:46 +0100] "GET / HTTP/1.1" 200 316 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
172.183.72.111 - - [03/Dec/2005:03:04:48 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; S
127.0.0.1 - - [03/Dec/2005:03:05:26 +0100] "GET /server-status?auto HTTP/1.1" 200 4295 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:05:32 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:05:37 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:10:26 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:10:31 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:10:35 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:15:26 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:15:31 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
127.0.0.1 - - [03/Dec/2005:03:15:36 +0100] "GET /server-status?auto HTTP/1.1" 200 4296 "-" "libwww-perl/5.803"
172.183.72.111 - - [03/Dec/2005:03:16:27 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.1" 200 11305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win
172.183.72.111 - - [03/Dec/2005:03:16:27 +0100] "GET /squirrelmail/src/.us/cmd-run=/gen_validatorv2.js HTTP/1.1" 200 11909 "
195.93.60.15 - - [03/Dec/2005:03:16:45 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htmhttp://mail.pfisterer.at/squirrelmail/src/.us/cmd-run=/login.htm H
195.93.60.9 - - [03/Dec/2005:03:17:31 +0100] "GET / HTTP/1.0" 200 316 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322
195.93.60.114 - - [03/Dec/2005:03:17:33 +0100] "GET /squirrelmail/src/login.php HTTP/1.0" 200 2235 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows N
195.93.60.15 - - [03/Dec/2005:03:17:55 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htmhttp://mail.pfisterer.at/squirrelmail/src/.us/cmd-run=/login.htm H
195.93.60.78 - - [03/Dec/2005:03:17:58 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.0" 200 11305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9
195.93.60.7 - - [03/Dec/2005:03:18:01 +0100] "GET /squirrelmail/src/.us/cmd-run=/gen_validatorv2.js HTTP/1.0" 200 11909 "
172.183.72.111 - - [03/Dec/2005:03:20:26 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.1" 200 11290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win
and some minutes later, there was a phishing website installed in
/usr/share/squirrelmail/src/ with a directory .us/ and some stuff below ....
As I got no idea what else could have happened...maybe you can help ....
regards
Ulrich
---------------------------------------
Date: Mon, 19 Dec 2005 01:33:31 +0100 (CET)
Subject: Re: Bug#342155: Squirrelmail
From: "Thijs Kinkhorst" <[EMAIL PROTECTED]>
On Tue, December 6, 2005 11:58, Thijs Kinkhorst wrote:
>> I think there might be a security problem with squirrelmail. I got 2
>> different servers hacked, both of them have the following appearing in
>> the logfiles:
> Therefore, I think you are probably hacked in some other way, and
> possibly then the malicious dir was installed under /usr/share. The logs
> then show that someone used it.
>
> In any case you should discontinue using those systems immediately and
> do a full reinstall, since someone has had root-level access. If you need
> more support for solving that problem, this bug report is not the right
> place; you could try a mailinglist or hiring a consultant.
Since the problem is in no way related to our package, I'm closing this bug.
Thijs
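
Added example, not part of either message and not SquirrelMail or Debian code: one way to pull from an Apache access log every hidden (dot-prefixed) path that was served with a 2xx status, with the first time it was served and the clients that fetched it. As the reply says, such entries only show that the directory was used, not how it was written to disk. The function names, the `.well-known` allowlist and the sample lines (documentation IP addresses, shaped like the entries in the report) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Client, timestamp, request line and status; referer and user-agent are not
# needed, so entries truncated after the status (as in the report) still parse.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ALLOWED_DOT_NAMES = {".well-known"}  # assumption: only legitimate dot-directory


def hidden_prefix(path):
    """Return the path up to its first dot-segment (file or directory), else None."""
    segments = path.split("?", 1)[0].split("/")
    for i, seg in enumerate(segments):
        if seg.startswith(".") and seg not in {".", ".."} | ALLOWED_DOT_NAMES:
            return "/".join(segments[: i + 1])
    return None


def find_served_hidden_paths(lines):
    """Map each hidden prefix answered with 2xx to first-seen time, clients, count."""
    hits = defaultdict(lambda: {"first_seen": None, "clients": set(), "requests": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("status").startswith("2"):
            continue  # unparsable (non-HTTP request line) or not served successfully
        prefix = hidden_prefix(m.group("path"))
        if prefix is None:
            continue
        entry = hits[prefix]
        entry["first_seen"] = entry["first_seen"] or m.group("ts")
        entry["clients"].add(m.group("ip"))
        entry["requests"] += 1
    return dict(hits)


# Constructed sample lines (documentation IPs), not copied from the report.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2005:03:04:48 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2247 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [03/Dec/2005:03:16:27 +0100] "GET /squirrelmail/src/.us/cmd-run=/login.htm HTTP/1.1" 200 11305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win',
    '198.51.100.7 - - [03/Dec/2005:03:17:58 +0100] "GET /squirrelmail/src/.us/cmd-run=/gen_validatorv2.js HTTP/1.0" 200 11909 "',
    '198.51.100.9 - - [03/Dec/2005:03:18:30 +0100] "GET /squirrelmail/src/.htaccess HTTP/1.0" 403 210 "-" "-"',
]

if __name__ == "__main__":
    for prefix, info in find_served_hidden_paths(SAMPLE_LOG).items():
        print(prefix, info["first_seen"], sorted(info["clients"]), info["requests"])
```
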