I'm not sure if I am interpreting your response correctly. Do you mean... the user's responsibility to keep their existing version up-to-date by applying patches released by Ipswitch to address security vulnerabilities in their software with known exploits in the wild
Or the user's responsibility to open their wallet to the tune of $10,000 (give or take) at the software developer's whim, or whenever they decide to change the definition of "current version."

Can you clarify?

-Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Shanbrom
Sent: Friday, August 12, 2005 3:48 PM
To: [email protected]
Subject: Re: [IMail Forum] IMAP service stopping...

A better fix would be to keep IMail up to date. These were addressed in the current version

Eric S

----- Original Message -----
From: "dstrz " <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 12, 2005 12:37 PM
Subject: Re: [IMail Forum] IMAP service stopping...

> FYI -
>
> I am running a fully-patched Win2000 server (SP4 & all critical updates)
> and I got hit this morning with this exploit. Someone crashed the IMAP
> service and dropped a Trojan (rpcmon.exe) on my server.
>
> My HOSTS file was FUBAR and there were 30-or-so TCP ports listening in the
> 1100-1130 range, presumably for IRC.
> Fortunately those ports are firewalled to the Internet, but I'm still
> cleaning up.
>
> I modified the IMAP "Hello Message" to remove any reference to "IMail" in
> a security-through-obscurity act of desperation, but of course the
> vulnerability still exists. Thanks, Ipswitch!
>
> -Dave
>
> ---------------------------
>
> Re: [IMail Forum] IMAP service stopping...
> Russ Uhte
> Tue, 09 Aug 2005 07:56:20 -0700
> Bonno Bloksma wrote:
> Hi,
>
> So THAT is the way these trojans are getting into my mailserver...
> :-(((( Sophos is getting them but I was unable to find the attack vector.
>
> That's it. According to the source code, it's only a DoS on Windows 2000
> SP2 or greater. On anything prior to that, it actually spawns a reverse
> shell to the attacker. At that point, you're rooted. If the attacker's
> smart enough, you'll never be able to clean that machine without a format
> re-install.
>
> Grrrrrrr.
> So it seems this bug is only fixed in IMail 8.2 and was never
> fixed in earlier versions. Might have been nice of Ipswitch to have a BIG
> warning on their site to tell us about this. I had heard about a buffer
> overflow in IMail but was unable to verify which parts were vulnerable.
> I'll be on the phone with them in a few minutes to see what action I need
> to take.
>
> Luckily, I was running SP2 when I got hit, so it was only a DoS for me. I
> don't have a bunch of people using IMAP, so I just shut the service down
> completely. Obviously that's not an option for a shop that relies heavily
> on IMAP. I'm running 8.15, with no plans to upgrade to another version of
> IMail. I didn't like the way the company was going, and I sure wasn't
> gonna spend more money for a product I didn't believe in.
>
> Let us know what they tell you.
>
> People.... there ARE worms loose using this vulnerability to penetrate the
> mailserver. Sophos reports it as Troj/ServU-Gen.
>
> My biggest concern was what if this would have been a POP3 vuln. I would
> have been toast. I can't take that chance on my server. Therefore, qmail
> :)
>
> Thanks,
> Russ
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
