[imp] possible bug? or a determined script kiddie?
Joseph W. Breu
breu at cfu.net
Tue May 22 04:09:24 UTC 2007
Hi All,
Over the past week, we have noticed that several of the email accounts
on our system have been compromised via webmail. The compromised
accounts have been used as spam sources and we have been added to a
couple of blacklists for our trouble. I am pretty sure that the accounts
were compromised because of weak passwords and not a vulnerability in
IMP IMAP authentication. We are using Horde/IMP with IMP
authentication via IMAP.
We have seen the attacker login to a compromised account and use IMP
to send a ton of spam. I haven't been able to track down the attack
vector and would appreciate any help the community could offer. If
this is off-topic, then please delete.
We have seen this in the access_log:
81.199.179.7 - - [17/May/2007:07:49:26 -0500] "POST /imp/compose.php?uniq=3gtq9scybhic HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:50:01 -0500] "POST /imp/compose.php?uniq=3zsby4nwfug HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:50:47 -0500] "GET /imp/compose.php HTTP/1.0" 200 8359 "http://webmail.cfu.net/imp/compose.php?uniq=3zsby4nwfug" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:50:54 -0500] "GET /imp/compose.php HTTP/1.0" 200 8361 "http://webmail.cfu.net/imp/compose.php?uniq=3gtq9scybhic" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:51:25 -0500] "GET /imp/expand.php HTTP/1.0" 200 243 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:51:51 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 8362 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:52:13 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
Please reply off-list if you have any ideas. We have instituted some
checks to reject HTTP connects from hosts that match certain
criteria for failed logins or number of messages sent from webmail -
but it is obviously not a perfect solution.
On a side note - we have seen an increase in spam from other
compromised webmail hosts as well.
Thanks,
---------------------------------------------------------
Joseph W. Breu, CCNA phone : +1.319.268.5228
Senior Network Administrator fax : +1.319.266.8158
Cedar Falls Utilities cell : +1.319.493.1686
support: +1.319.268.5221 url : http://www.cfu.net
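One way to implement the kind of check the post describes (flagging hosts by the number of messages sent through webmail), as an added example that is not part of the original post or of Horde/IMP: a Python script that parses Apache combined-format access_log lines, counts POSTs to /imp/compose.php per client address inside a sliding time window, and reports addresses that reach a threshold. The log lines, hostname and addresses in it are constructed (RFC 5737 documentation ranges), and the default threshold of 3 messages in 5 minutes is an assumption to tune against your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access_log lines in Apache "combined" format. The
# addresses are documentation ranges and the hostname is made up; these are
# not the lines quoted in the post above.
SAMPLE_LOG = """\
192.0.2.10 - - [17/May/2007:07:49:26 -0500] "POST /imp/compose.php?uniq=aaa111 HTTP/1.0" 200 888 "http://webmail.example.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [17/May/2007:07:50:01 -0500] "POST /imp/compose.php?uniq=bbb222 HTTP/1.0" 200 888 "http://webmail.example.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [17/May/2007:07:50:47 -0500] "GET /imp/compose.php HTTP/1.0" 200 8359 "http://webmail.example.net/imp/compose.php?uniq=bbb222" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [17/May/2007:07:51:51 -0500] "POST /imp/compose.php?uniq=ccc333 HTTP/1.0" 200 8362 "http://webmail.example.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [17/May/2007:07:52:13 -0500] "POST /imp/compose.php?uniq=ccc333 HTTP/1.0" 200 888 "http://webmail.example.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [17/May/2007:08:10:02 -0500] "POST /imp/compose.php?uniq=ddd444 HTTP/1.0" 200 888 "http://webmail.example.net/imp/compose.php" "Mozilla/5.0"
198.51.100.7 - - [17/May/2007:09:45:30 -0500] "POST /imp/compose.php?uniq=eee555 HTTP/1.0" 200 888 "http://webmail.example.net/imp/compose.php" "Mozilla/5.0"
"""

# Apache "combined" log format: client, ident, user, [timestamp], "request",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the uniq=... query string
    return rec


def is_compose_post(rec):
    """A POST to IMP's compose.php is the request that submits a message form."""
    return rec["method"] == "POST" and rec["path"] == "/imp/compose.php"


def find_burst_senders(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for every client IP that submitted at least
    `threshold` compose POSTs inside any `window`-long interval.

    A per-IP deque holds the timestamps of recent POSTs; entries older than
    the window are dropped from the left before the length is checked."""
    events = [r for r in map(parse_line, lines) if r and is_compose_post(r)]
    events.sort(key=lambda r: r["ts"])  # logs are usually ordered, but be safe
    recent = defaultdict(deque)
    flagged = {}
    for r in events:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[r["ip"]] = max(flagged.get(r["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_burst_senders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} compose POSTs within 5 minutes")
```

Run against the constructed sample, 192.0.2.10 is reported (four compose POSTs in under three minutes) while 198.51.100.7 is not (two POSTs an hour and a half apart). A POST to compose.php is also issued for draft saves and attachment uploads, so treat a hit as a triage signal to correlate with the IMAP authentication log for that account rather than as proof of abuse on its own; the output is suitable as input to the kind of HTTP-level block the post describes, with the window and threshold tuned to local traffic.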