SMTPWIN reg_sz 20,20,524,350
We saw this repeated not only for my account but a half dozen others under 20 or so domains. We also saw that same key associated with the "USERS" folder in the registry under many domains (not necessarily the same ones) and as an entry in a handful of "valid" user accounts (i.e. 30 other keys under the user PLUS this one key).
Is anyone familiar with it? I've been looking for info on it, can't find anything. I wonder if it is a form of exploit, etc....
I found the thread in June 04 discussing this:
[IMail Forum] Possible Imail Hack??
http://www.mail-archive.com/[email protected]/msg85375.html
as well as:
[IMail Forum] "Double Root" problem... (FYI ???)
http://www.mail-archive.com/[email protected]/msg26363.html
but I did not find any resolution there.
I searched Google and got a link to warex.mdb. I pulled it down but couldn't open it... Nothing in the Ipswitch base either.
Since I started writing this, a couple more popped back into the registry, same users, wrong domains.
AND there are 5 copies of IMail1.exe running in task manager (one of the postings asked this question).
Any suggestions?
At 03:25 PM 11/29/2005, you wrote:
I don't think so, but we'll go through and double check. Good tip. Thanks
At 02:51 PM 11/29/2005, you wrote:
The admin account may have been compromised. Through webmail. Does an
account have domain admin access and web access???
Kevin
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Ulrich
> Sent: Tuesday, November 29, 2005 11:36 AM
> To: [email protected]
> Subject: [IMail Forum] Phantom Postmaster accounts?
>
>
> We checked two of the domains on our server and, under USERS, we see:
>
> p
> po
> pos
> post
> postm
> postma
> postmas
> postmast
> postmaste
> postmaster
>
> as POP accounts.... I don't know if this is the result of a
> hack attempt,
> a glitch in IMail or something else.
>
> Has anyone seen this previously? Our mail server is behind a firewall,
> only HTTP, Port 25 and 110 access, so I'm not *overly* concerned that
> someone is terminal servicing in to the box. But I use "overly" pretty
> loosely right now....
>
> Has anyone seen anything like this previously?
>
> Thanks
>
>
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
>
>
