[unisog] FYI - dictionary attack on Squirrelmail

Andrew Daviel advax at triumf.ca
Mon Mar 1 23:01:12 GMT 2010


OK, not really a dictionary attack in the normal sense - the attackers 
knew the usernames.

We just had an incident where someone tried guessing (I presume) 
username=password against about 150 accounts via Squirrelmail over 
HTTP/SSL.

It so happened that someone had set up a couple of multi-user role 
accounts with, yes, username=password, so that the attacker was able to 
send a bunch of spam out on the weekend before we noticed.

In previous Squirrelmail attacks it seemed a user had fallen for a phish 
and sent them a password, which the attackers leveraged to send more 
phish messages. This time it looks like guessing.

A run of John the Ripper found a couple more u=p accounts which we 
disabled.

Carelessness on my part, I guess, and not thinking users could be so 
daft. (well, OK, some years back we did have a public workstation with 
guest=guest and remote login enabled)


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

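The two things the post describes, a one-try-per-account sweep of username=password guesses and a follow-up audit of the password store for accounts whose password is their own username, can both be scripted. The block below is an added example, not code from the original message or from SquirrelMail. It assumes that SquirrelMail authenticates against a local IMAP server whose failed logins are logged in Dovecot's imap-login format (the sample lines are constructed in that format with a year of 2010 supplied for parsing), and it audits a toy PBKDF2 credential store built in the script rather than a real /etc/shadow, for which John the Ripper's single mode does the equivalent job.

```python
"""Added example: spot a username=password sweep in IMAP auth-failure logs
and audit a credential store for accounts whose password is the username.
Not part of the original post; log lines and credential store are
constructed samples."""
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime

# Dovecot-style imap-login failure line (assumed format; lines below are constructed).
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)

# Constructed sample: one burst of single attempts against five different
# accounts within seconds, then an ordinary user mistyping a password.
SAMPLE_LOG = """\
Feb 27 03:12:44 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, TLS
Feb 27 03:12:46 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, TLS
Feb 27 03:12:48 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, TLS
Feb 27 03:12:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, TLS
Feb 27 03:12:52 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, TLS
Feb 27 09:41:03 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 14 secs): user=<frank>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
"""


def parse_auth_failures(log_text, year=2010):
    """Return [(timestamp, user, rip)] for each failed-login line.
    Syslog lines carry no year, so one is supplied (assumed 2010 here)."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["rip"]))
    return events


def find_user_sprays(events, window_seconds=600, min_users=4):
    """Flag a source that fails against at least min_users distinct accounts
    inside one sliding window. A brute force against one account never
    trips this; a one-guess-per-account sweep does. Caveat: when the
    webmail host is the IMAP client, rip is the webmail host itself, so the
    burst of distinct usernames is the signal and attribution to the real
    source needs the web server's access log."""
    by_rip = defaultdict(list)
    for ts, user, rip in sorted(events):
        by_rip[rip].append((ts, user))
    alerts = []
    for rip, evs in by_rip.items():
        best, start = set(), 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts.append((rip, sorted(best)))
    return alerts


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_store():
    """Constructed toy store {user: (salt, hash)}; three accounts have a
    password derived from the username, as the role accounts did."""
    salt = b"static-salt-for-demo"  # anything real uses a salt per user
    creds = {"alice": "correct horse", "helpdesk": "helpdesk",
             "ops": "OPS", "frank": "frank"}
    return {u: (salt, _pbkdf2(p, salt)) for u, p in creds.items()}


def username_candidates(user):
    """Guesses derived from the username alone (assumed list, in the
    spirit of john's single mode, not its actual rule set)."""
    return {user, user.lower(), user.upper(), user.capitalize(), user[::-1]}


def find_user_eq_pass(store):
    """Return sorted [(user, password)] for accounts a u=p guess opens."""
    weak = []
    for user, (salt, digest) in store.items():
        for cand in username_candidates(user):
            if hmac.compare_digest(_pbkdf2(cand, salt), digest):
                weak.append((user, cand))
                break
    return sorted(weak)


if __name__ == "__main__":
    for rip, users in find_user_sprays(parse_auth_failures(SAMPLE_LOG)):
        print(f"u=p sweep via rip={rip}: {len(users)} accounts {users}")
    for user, pw in find_user_eq_pass(make_store()):
        print(f"disable {user}: password is {pw!r}")
```

Run on the constructed sample, the sweep detector reports the five accounts hit from 192.0.2.10 and ignores frank's three failures, and the audit names helpdesk, ops and frank as accounts to disable. Thresholds of four accounts in ten minutes are assumptions to tune against a site's normal failure rate.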
