On 2012-06-11 16:50, Giles Coochey wrote:
> On 11/06/2012 16:30, Bumo wrote:
>> Hi, I have a frontend server on a DMZ running RH ES 3 up3 and
>> squirrelmail 1.4.8, PHP 4.3.2.
>> Thousands of emails were sent on two occasions and the only evidence
>> of the abuse was in the access_log (squirrel_logger): an entry from the
>> IP which was sending the messages.
>> There was no evidence of a brute force attack. In fact there weren't
>> many entries in access_log of failed logins. Well, I don't know if this
>> is enough to say that I wasn't under a brute force attack.
>> However now I'm asking myself if a spammer, getting the login
>> credentials in squirrelmail (IMAP auth toward the local imap server),
>> can send thousands of emails in an automatic way.
>> Temporarily I blocked the original ip range at firewall level but I
>> think this can only delay the next attack.
>> I'm working on lockout plugin and captcha, but before going on, I
>> should know if in this case squirrel is the weakest part of this
>> Any suggestion?
>> Thanks in advance,
> Redhat ES3 update 3 (released 2004 - 8 years old)
> Squirrelmail 1.4.8 (released 2006 - 6 years old)
> & PHP 4.3.2 (released 2003 - 9 years old)
> There must be any number of vulnerabilities for that system.
Just a number of google searches after a couple of minutes looking...
It wouldn't surprise me if someone ran any form of reasonably
recent vulnerability scanner / pentesting tool against your server and
it showed up something.
If cost is an issue to upgrading your base RedHat then perhaps you
should look at an OSS alternative such as CentOS.
Some have suggested MTA Rate Limiting, and implementing SSL - all good
suggestions, but the main weakness here is that it doesn't appear that
anyone is managing the software installed on this server - if this has
been running with sendmail / apache visible to the world for the last 8
years or so then I would expect that the server has been completely
compromised. I would back up the user data and go back to a bare metal
install, with a recent base Operating System.
Giles Coochey, CCNA, CCNA Security
+44 (0) 7983 877438