Don,
I didn't create a ticket for it with Declude but they
do read the Declude list. I had this problem when the Sober virus started about
a year ago and worked with IMail support but then that virus went
mostly dormant. When it came back again things just added up. Some people still
think it's a hacked server and rebuilding may fix the problem but I don't think
this problem is that. I don't know why some people have this problem and others
don't, but that's computers. Hopefully enough people will have this same pattern
of problem and it will get fixed. Until then I'm glad the workaround is working
for people that try the solution.
You're welcome,
Mike
Mike,
I am running Declude and your solution fixed it!
I have been running for several days now without a repeat of the problem.
How did you come up with this solution??!! Is Declude aware of this
and are they doing anything about it?
Thanks for the help,
Don
----- Original Message -----
Sent: Monday, January 02, 2006 9:39 AM
Subject: RE: [IMail Forum] Strange Registry Key - SMTPWIN - appears to be a hack / trojan / ...
Don,
Are you running Declude also? If so:
I have been seeing this for a while but only here
and there. Recently I have noticed an increase in these registry
keys.
When I see this happen, a username from one
domain will appear in several other unrelated domains in the registry.
It is usually one or two usernames one time and a different set of
usernames other times. As reported by others, there is only a single
SMTPWIN key. I am not convinced it is a hack or a trojan. My gut
tells me that there is a problem with IMail but I don't have anything to
substantiate that claim.
I am running RegMon and will report back with any
results.
Has anyone else gotten anywhere in tracking down
this issue? I did find a new article in the knowledge base
(http://support.ipswitch.com/kb/IM-20051229-DM03.htm) that describes in
general what this key is used for but does not address it as a
problem.
TIA,
Don
----- Original Message -----
Sent: Tuesday, November 29, 2005 5:03 PM
Subject: [IMail Forum] Strange Registry Key - SMTPWIN - appears to be a hack / trojan / ...
As a follow up to the earlier problem we went through the
registry cleaner tool to identify any possible cross-linked accounts,
etc. We cleaned up a few problems. However, what we did find is
that a half dozen user accounts (i.e., mine, "culrich") now appeared under 20
different domains that they should not appear in. We went into the registry
and found that there was a single registry entry for my
account:
SMTPWIN reg_sz 20,20,524,350
We saw this repeated not only for my account but a half
dozen others under 20 or so domains. We also saw that same key
associated with the "USERS" folder in the registry under many domains (not
necessarily the same ones) and as an entry in a handful of "valid" user
accounts (i.e., 30 other keys under the user PLUS this one key).
Is anyone familiar with it? I've been looking for info on it, can't find
anything. I wonder if it is a form of exploit, etc....
I found the thread in June 04 discussing this:
[IMail Forum] Possible Imail Hack?? http://www.mail-archive.com/[email protected]/msg85375.html
as well as: [IMail Forum] "Double Root" problem... (FYI ???) http://www.mail-archive.com/[email protected]/msg26363.html
but I did not find any resolution there.
I searched Google and got a link
to warex.mdb. I pulled it down but couldn't open it... Nothing
in the Ipswitch base either.
Since I started writing this, a
couple of more popped back into the registry, same users, wrong
domains.
AND there are 5 copies of IMail1.exe running in task manager
(one of the postings asked this question).
Any suggestions?
At 03:25 PM 11/29/2005, you wrote:
I don't think so, but we'll go
through and double check. Good tip. Thanks
At 02:51 PM 11/29/2005, you wrote:
The admin account may have
been compromised. Through webmail. Does an account have domain admin
access and web access???
Kevin
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Ulrich
> Sent: Tuesday, November 29, 2005 11:36 AM
> To: [email protected]
> Subject: [IMail Forum] Phantom Postmaster accounts?
>
> We checked two of the domains on our server and, under USERS, we see:
>
> p
> po
> pos
> post
> postm
> postma
> postmas
> postmast
> postmaste
> postmaster
>
> as POP accounts.... I don't know if this is the result of a hack attempt,
> a glitch in IMail or something else.
>
> Has anyone seen this previously? Our mail server is behind a firewall,
> only HTTP, Port 25 and 110 access, so I'm not *overly* concerned that
> someone is terminal servicing in to the box. But I use "overly" pretty
> loosely right now....
>
> Has anyone seen anything like this previously?
>
> Thanks
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> ---
> [This E-mail scanned for viruses by Declude Virus]
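An added example, not code from this thread or from Ipswitch, that audits an exported registry file for the three patterns the posts describe: user keys holding nothing but SMTPWIN, the same username present under several domains, and the p / po / pos ... postmaster chain (generalized here to any username that is a strict prefix of another name in the same domain). The hive layout ...\Domains\<domain>\Users\<user> is an assumption, and the sample export is constructed; only the SMTPWIN value comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample .reg export. The ...\Domains\<domain>\Users\<user> layout is an assumption for this example; only the SMTPWIN value is from the thread.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Example\IMail\Domains\alpha.example\Users\culrich]
"SMTPWIN"="20,20,524,350"
"MaxSize"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\IMail\Domains\beta.example\Users\culrich]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\IMail\Domains\beta.example\Users\p]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\IMail\Domains\beta.example\Users\postmaster]
"SMTPWIN"="20,20,524,350"
"MaxSize"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
USER_RE = re.compile(r"\\Domains\\([^\\]+)\\Users\\([^\\]+)$", re.IGNORECASE)

def parse_users(reg_text):
    """Map (domain, user) -> set of value names stored under that user key."""
    users, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:  # a [key] header: track it only if it is a per-user key
            um = USER_RE.search(m.group(1))
            current = (um.group(1).lower(), um.group(2).lower()) if um else None
            if current:
                users.setdefault(current, set())
        elif current and line.startswith('"'):  # "Name"=... value line
            users[current].add(line.split("=", 1)[0].strip('"'))
    return users

def audit(users):
    """Flag the three patterns from the thread, returned as plain data for review."""
    # 1. user keys holding nothing but SMTPWIN (real accounts carry ~30 values)
    lone = sorted(k for k, vals in users.items() if vals == {"SMTPWIN"})
    # 2. the same username present under more than one domain
    by_user, by_dom = defaultdict(set), defaultdict(set)
    for dom, usr in users:
        by_user[usr].add(dom)
        by_dom[dom].add(usr)
    multi = {u: sorted(d) for u, d in by_user.items() if len(d) > 1}
    # 3. usernames that are strict prefixes of another name in the same domain
    prefixes = sorted((d, u) for d, names in by_dom.items()
                      for u in names if any(o != u and o.startswith(u) for o in names))
    return {"lone_smtpwin": lone, "multi_domain": multi, "prefix_names": prefixes}
```

Run it against a real export (regedit's Export on the IMail domains key) and review each flagged key by hand; a lone SMTPWIN under a domain that never had that user is the pattern the thread calls a phantom account.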