A better fix would be to keep IMail up to date. These were addressed in the
current version.
Eric S
----- Original Message -----
From: "dstrz " <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 12, 2005 12:37 PM
Subject: Re: [IMail Forum] IMAP service stopping...
FYI -
I am running a fully-patched Win2000 server (SP4 & all critical updates)
and I got hit this morning with this exploit. Someone crashed the IMAP
service and dropped a Trojan (rpcmon.exe) on my server.
My HOSTS file was FUBAR and there were 30-or-so TCP ports listening in the
1100-1130 range, presumably for IRC.
Fortunately those ports are firewalled to the Internet, but I'm still
cleaning up.
I modified the IMAP "Hello Message" to remove any reference to "IMail" in
a security-through-obscurity act of desperation, but of course the
vulnerability still exists. Thanks, Ipswitch!
-Dave
---------------------------
Re: [IMail Forum] IMAP service stopping...
Russ Uhte
Tue, 09 Aug 2005 07:56:20 -0700
Bonno Bloksma wrote:
Hi,
So THAT is the way these trojans are getting into my mailserver...
:-(((( Sophos is getting them but I was unable to find the attack vector.
That's it. According to the source code, it's only a DoS on Windows 2000
SP2 or greater. On anything prior to that, it actually spawns a reverse
shell to the attacker. At that point, you're rooted. If the attacker's
smart enough, you'll never be able to clean that machine without a format
re-install.
Grrrrrrr. So it seems this bug is only fixed in IMail 8.2 and was never
fixed in earlier versions. Might have been nice of Ipswitch to have a BIG
warning on their site to tell us about this. I had heard about a buffer
overflow in IMail but was unable to verify which parts were vulnerable.
I'll be on the phone with them in a few minutes to see what action I need
to take.
Luckily, I was running SP2 when I got hit, so it was only a DoS for me. I
don't have a bunch of people using IMAP, so I just shut the service down
completely. Obviously that's not an option for a shop that relies heavily
on IMAP. I'm running 8.15, with no plans to upgrade to another version of
IMail. I didn't like the way the company was going, and I sure wasn't
gonna spend more money for a product I didn't believe in.
Let us know what they tell you.
People.... there ARE worms loose using this vulnerability to penetrate the
mailserver. Sophos reports it as Troj/ServU-Gen.
My biggest concern was what if this would have been a POP3 vuln. I would
have been toast. I can't take that chance on my server. Therefore, qmail
:)
Thanks,
Russ
---
[This E-mail scanned for viruses by Declude Virus]
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/