[unisog] FYI - dictionary attack on Squirrelmail
advax at triumf.ca
Mon Mar 1 23:01:12 GMT 2010
OK, not really a dictionary attack in the normal sense - the attackers
knew the usernames.
We just had an incident where someone tried guessing (I presume)
username=password against about 150 accounts via Squirrelmail over
It so happened that someone had set up a couple of multi-user role
accounts with, yes, username=password, so that the attacker was able to
send a bunch of spam out on the weekend before we noticed.
In previous Squirrelmail attacks it seemed a user had fallen for a phish
and sent them a password, which the attackers leveraged to send more
phish messages. This time it looks like guessing.
A run of John the Ripper found a couple more u=p accounts which we
Carelessness on my part, I guess, and not thinking users could be so
daft. (Well, OK, some years back we did have a public workstation with
guest=guest and remote login enabled.)
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
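The pattern Andrew describes (one source trying username=password across ~150 accounts, a few of which worked) is easy to spot after the fact in IMAP or webmail login logs. The script below is an added example, not something from the original post or from Squirrelmail; it walks a log looking for a single IP that fails against many distinct usernames within a window, and then lists which accounts that IP nevertheless managed to log into. The log format is an assumption modelled on Courier-IMAP style "LOGIN FAILED, user=..., ip=[...]" lines, and the sample log is constructed; adjust LOGIN_RE for your own server.

```python
"""Flag username=password guessing (password spraying across many accounts
from one source) in IMAP/webmail login logs.

Added example, not code from the original post or from Squirrelmail.
The log format is an assumption (Courier-IMAP style); adjust LOGIN_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<syslog ts> <host> imapd: LOGIN[ FAILED], user=<u>, ip=[<ip>]"
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ imapd: "
    r"(?P<result>LOGIN FAILED|LOGIN), user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def parse_line(line, year=2010):
    """Return a dict for a login/failed-login line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "LOGIN",
            "user": m["user"].strip(), "ip": m["ip"]}


def detect_spray(lines, min_users=10, window=timedelta(minutes=60)):
    """Map IP -> {distinct_failed_users, logins} for every IP that failed
    against at least min_users distinct usernames inside any `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if not e["ok"]]
        best, start = 0, 0
        # Sliding window over failures: count distinct usernames per window.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            distinct = len({e["user"] for e in failures[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            # Any successful login from a spraying IP is a guessed account.
            compromised = sorted({e["user"] for e in events if e["ok"]})
            alerts[ip] = {"distinct_failed_users": best, "logins": compromised}
    return alerts


# Constructed sample log: one IP sprays eleven accounts in ten minutes and
# then logs into a role account; a normal user mistypes twice and succeeds.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace",
         "heidi", "ivan", "judy", "mallory"]
SAMPLE_LOG = [
    f"Mar  1 02:{10 + i:02d}:{7 * i % 60:02d} mail imapd: LOGIN FAILED, "
    f"user={u}, ip=[203.0.113.5]"
    for i, u in enumerate(USERS)
] + [
    "Mar  1 02:25:03 mail imapd: LOGIN, user=helpdesk, ip=[203.0.113.5]",
    "Mar  1 08:03:11 mail imapd: LOGIN FAILED, user=alice, ip=[198.51.100.7]",
    "Mar  1 08:03:40 mail imapd: LOGIN FAILED, user=alice, ip=[198.51.100.7]",
    "Mar  1 08:04:02 mail imapd: LOGIN, user=alice, ip=[198.51.100.7]",
]

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: failed against {info['distinct_failed_users']} users; "
              f"successful logins: {info['logins'] or 'none'}")
```

Run it against the real log with the year the log was written and a threshold suited to your user population; the distinct-username count is what separates a spray from one user locking themselves out, and the "logins" list is the set of accounts to reset first.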