[imp] possible bug? or a determined script kiddie?

Joseph W. Breu breu at cfu.net
Tue May 22 04:09:24 UTC 2007


Hi All,

Over the past week, we have noticed that several of the email accounts  
on our system have been compromised via webmail.  The compromised  
accounts have been used as spam sources and we have been added to a  
couple blacklists for our trouble.  I am pretty sure that the accounts  
were compromised because of weak passwords and not a vulnerability in  
IMP IMAP authentication.  We are using Horde/IMP with IMP  
authentication via IMAP.

We have seen the attacker login to a compromised account and use IMP  
to send a ton of spam.  I haven't been able to track down the attack  
vector and would appreciate any help the community could offer.  If  
this is off-topic, then please delete.

We have seen this in the access_log:
81.199.179.7 - - [17/May/2007:07:49:26 -0500] "POST /imp/compose.php?uniq=3gtq9scybhic HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:50:01 -0500] "POST /imp/compose.php?uniq=3zsby4nwfug HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:50:47 -0500] "GET /imp/compose.php HTTP/1.0" 200 8359 "http://webmail.cfu.net/imp/compose.php?uniq=3zsby4nwfug" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:50:54 -0500] "GET /imp/compose.php HTTP/1.0" 200 8361 "http://webmail.cfu.net/imp/compose.php?uniq=3gtq9scybhic" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:51:25 -0500] "GET /imp/expand.php HTTP/1.0" 200 243 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:51:51 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 8362 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
81.199.179.7 - - [17/May/2007:07:52:13 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"

Please reply off-list if you have any ideas.  We have instituted some  
checks to reject HTTP connects from hosts that match a certain  
criteria for failed logins or number of messages sent from webmail -  
but it is obviously not a perfect solution.

On a side note - we have seen an increase in spam from other  
compromised webmail hosts as well.



Thanks,

---------------------------------------------------------
Joseph W. Breu, CCNA              phone : +1.319.268.5228
Senior Network Administrator        fax : +1.319.266.8158
Cedar Falls Utilities              cell : +1.319.493.1686
support: +1.319.268.5221         url : http://www.cfu.net
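As an added example, not part of Joseph's message and not code from the Horde/IMP project: a small Python detector that parses Apache combined-format lines like those quoted above and flags any source IP that POSTs to /imp/compose.php at least a threshold number of times within a short window, which is the burst pattern visible in the quoted log. The threshold and window sizes, and the 192.0.2.10 lines, are constructed values for illustration; the 81.199.179.7 lines are the ones from the message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the lines quoted in the message.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"'
REF = '"http://webmail.cfu.net/imp/compose.php"'

# Sample input: the seven lines from the message plus two constructed lines from
# 192.0.2.10 (a documentation address) representing a normal user sending one mail.
SAMPLE_LOG = [
    f'81.199.179.7 - - [17/May/2007:07:49:26 -0500] "POST /imp/compose.php?uniq=3gtq9scybhic HTTP/1.0" 200 888 {REF} {UA}',
    f'81.199.179.7 - - [17/May/2007:07:50:01 -0500] "POST /imp/compose.php?uniq=3zsby4nwfug HTTP/1.0" 200 888 {REF} {UA}',
    f'81.199.179.7 - - [17/May/2007:07:50:47 -0500] "GET /imp/compose.php HTTP/1.0" 200 8359 "http://webmail.cfu.net/imp/compose.php?uniq=3zsby4nwfug" {UA}',
    f'192.0.2.10 - - [17/May/2007:07:50:50 -0500] "GET /imp/compose.php HTTP/1.1" 200 8300 "http://webmail.cfu.net/imp/mailbox.php" {UA}',  # constructed
    f'81.199.179.7 - - [17/May/2007:07:50:54 -0500] "GET /imp/compose.php HTTP/1.0" 200 8361 "http://webmail.cfu.net/imp/compose.php?uniq=3gtq9scybhic" {UA}',
    f'81.199.179.7 - - [17/May/2007:07:51:25 -0500] "GET /imp/expand.php HTTP/1.0" 200 243 {REF} {UA}',
    f'192.0.2.10 - - [17/May/2007:07:51:40 -0500] "POST /imp/compose.php?uniq=aaaaaaaaaaa HTTP/1.1" 200 888 {REF} {UA}',  # constructed
    f'81.199.179.7 - - [17/May/2007:07:51:51 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 8362 {REF} {UA}',
    f'81.199.179.7 - - [17/May/2007:07:52:13 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 888 {REF} {UA}',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    # Drop the query string so IMP's per-compose "uniq=" token does not split counts.
    rec['path'] = rec['path'].split('?', 1)[0]
    return rec


def find_compose_bursts(lines, threshold=3, window=timedelta(minutes=5),
                        path='/imp/compose.php'):
    """Sliding-window counter of POSTs to `path` per source IP.

    Returns {ip: (first_ts, last_ts, count)} describing the densest window seen
    for every IP whose count reached `threshold` within `window`. Threshold and
    window are constructed defaults; tune them to the site's real traffic."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST' or rec['path'] != path:
            continue
        q = recent[rec['ip']]
        q.append(rec['ts'])
        while rec['ts'] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(rec['ip'], (None, None, 0))[2]:
            peaks[rec['ip']] = (q[0], rec['ts'], len(q))
    return peaks


if __name__ == '__main__':
    for ip, (first, last, n) in find_compose_bursts(SAMPLE_LOG).items():
        print(f'{ip}: {n} compose POSTs between {first:%H:%M:%S} and {last:%H:%M:%S}')
```

On the sample data only 81.199.179.7 trips the detector (four POSTs in under three minutes); the single send from the constructed 192.0.2.10 user stays below the threshold. Counting on the path without the query string matters because IMP issues a fresh `uniq` token per compose session, so counting per full URL would hide the burst. The same function can watch a different endpoint by passing `path=`, which is how the "number of messages sent from webmail" check described in the message could be expressed against the access log rather than in the MTA.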


