[unisog] Nigerian scam via squirrelmail
advax at triumf.ca
Sat Oct 24 02:07:38 GMT 2009
Has anyone heard of an active squirrelmail exploit?

We had an incident that I don't quite understand - a spammer (RIPE says the ip is in Nigeria - honest!) got into a couple of our accounts and sent a bunch of "you have won $$" mail. In one case, they edited the Squirrelmail profile so that the signature was the message and the sending-address was changed (to a bad address, so I got a lot of postmaster DSN mail).

We are using a RedHat Enterprise based system; I saw a note about them fixing a cross-site scripting problem recently. But both our accounts were very lightly used - unlikely to have been caught with CSS.

Both still had their default passwords, which we'd emailed to their supervisor with instructions to change, but it was a totally random string (not e.g. username_1), and unlikely to have been reused on Hotmail or other sites.

The Nigerian host had googled "login example.com", then a day or so later had gone straight to a successful login on the webmail page over SSL. No failures, no random messing around. The passwords themselves don't show up on google (a long shot, I admit).

I'm a bit baffled. It's just possible that the users had malware on their client that found the "your password is xxxx; please change it" message. But they don't fit my image of someone always online, no idea what their computer's running, infected with all sorts of spyware.

I'd have thought if anyone had gotten into our mailstore itself we'd have seen a whole bunch more serious trouble long since. Unless it's someone smart lying low.

There is also some evidence that half of the targets for the outgoing spam are people we normally deal with; the other half are things like "foobar at a.com". But not on our network - as if the spammers had been able to examine mail stats or addressbooks. (not the exposed accounts, but
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
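The pattern described in the post (a source the account has never logged in from, a clean first-try success with no failed attempts, then a profile/signature edit and a burst of outgoing mail) can be turned into a simple log review. The script below is an added example, not code from the post or from SquirrelMail; the log format, the `GEO` prefix-to-country table and the `HOME_COUNTRIES` set are constructed assumptions standing in for a real webmail access log and GeoIP database.

```python
"""Flag webmail sessions that look like a stolen-but-valid password in use:
a first-time foreign source logs in cleanly, then edits the profile and
sends a burst of mail.  Added example, not the post's or SquirrelMail's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <user> <ip> <event>",
# where event is login_ok, login_fail, profile_edit or send.
SAMPLE_LOG = """\
2009-10-20T09:02:11 alice 142.90.10.5 login_ok
2009-10-20T09:05:40 alice 142.90.10.5 send
2009-10-21T14:11:02 carol 142.90.12.77 login_fail
2009-10-21T14:11:30 carol 142.90.12.77 login_ok
2009-10-21T14:20:00 carol 142.90.12.77 send
2009-10-22T23:41:09 alice 41.10.20.30 login_ok
2009-10-22T23:42:15 alice 41.10.20.30 profile_edit
2009-10-22T23:43:01 alice 41.10.20.30 send
2009-10-22T23:43:20 alice 41.10.20.30 send
2009-10-22T23:43:44 alice 41.10.20.30 send
2009-10-23T01:10:05 bob 41.10.20.30 login_ok
2009-10-23T01:11:00 bob 41.10.20.30 send
2009-10-23T01:11:30 bob 41.10.20.30 send
2009-10-23T01:12:00 bob 41.10.20.30 send
2009-10-23T08:00:00 dave 203.0.113.9 login_fail
2009-10-23T08:00:30 dave 203.0.113.9 login_fail
2009-10-23T08:01:00 dave 203.0.113.9 login_ok
2009-10-23T08:30:00 dave 203.0.113.9 send
"""

# Assumptions for the example: where the organisation's users normally sit,
# and a toy prefix->country table standing in for a GeoIP lookup.
HOME_COUNTRIES = {"CA"}
GEO = {"142.90.": "CA", "41.10.": "NG", "203.0.113.": "ZZ"}


def country(ip):
    """Toy GeoIP: longest-prefix match would be used in practice."""
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_log(text):
    """Parse the constructed log into time-sorted records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        records.append({"time": datetime.fromisoformat(ts),
                        "user": user, "ip": ip, "event": event})
    records.sort(key=lambda r: r["time"])
    return records


def find_suspicious_sessions(records, window=timedelta(minutes=30), send_burst=3):
    """Return (user, ip, reasons) for logins from a never-seen, non-home
    country that are followed by at least one more compromise indicator."""
    seen_countries = defaultdict(set)   # user -> countries of past successes
    fails = defaultdict(int)            # (user, ip) -> failed attempts so far
    hits = []
    for i, rec in enumerate(records):
        key = (rec["user"], rec["ip"])
        if rec["event"] == "login_fail":
            fails[key] += 1
            continue
        if rec["event"] != "login_ok":
            continue
        cc = country(rec["ip"])
        reasons = []
        # A lightly used account may have no history at all, so judge the
        # source against the home set as well as the per-user baseline.
        if cc not in HOME_COUNTRIES and cc not in seen_countries[rec["user"]]:
            reasons.append(f"first login from {cc}")
            if fails[key] == 0:
                reasons.append("clean first-try success, no failed attempts")
        seen_countries[rec["user"]].add(cc)
        # What the same user/ip did inside the session window after login.
        session = [s for s in records[i + 1:]
                   if (s["user"], s["ip"]) == key and s["time"] - rec["time"] <= window]
        if any(s["event"] == "profile_edit" for s in session):
            reasons.append("profile edited")
        sent = sum(1 for s in session if s["event"] == "send")
        if sent >= send_burst:
            reasons.append(f"{sent} messages sent in {int(window.total_seconds() // 60)} min")
        # New foreign source alone is just travel; require a second indicator.
        if reasons and reasons[0].startswith("first login") and len(reasons) >= 2:
            hits.append((rec["user"], rec["ip"], reasons))
    return hits


if __name__ == "__main__":
    for user, ip, reasons in find_suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

On the constructed log this flags alice (new country, no failures, profile edit, three sends) and bob (an account with no prior history, clean success, three sends), while carol's failed-then-successful home login and dave's foreign login with failures and a single message are left alone. In a real deployment the profile-edit and send events would come from the webmail application's own logs and the MTA, and the GeoIP table from a maintained database.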