Do you browse the web from this server?  If so, it could have gotten in
that way.

Jason


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mailing Lists
Sent: Thursday, May 20, 2004 12:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Possible Imail Hack??


Yeah, I understand that the server is compromised; what I don't understand
is how it was compromised, since only ports used by IMail are open...

PV


----- Original Message ----- 
From: "Eric Shanbrom [Ipswitch]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 20, 2004 1:12 PM
Subject: Re: [IMail Forum] Possible Imail Hack??


> There is a program called RegMon (from Sysinternals, I think) that you
> can run on the box and it will monitor what application makes registry
> changes. I have used this to pinpoint other things going on before. Since it
> isn't happening to me I cannot look into it here. I have a feeling you
> were maybe hacked somehow and there is something amiss.
>
> Eric S
> ----- Original Message -----
> From: "Mailing Lists" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 20, 2004 12:23 PM
> Subject: [IMail Forum] Possible Imail Hack??
>
>
> > We found the weirdest thing on IMail Server today (running 8.05).
> >
> > We had some host admins complaining that they saw users in their
> > domain which were not recognized (i.e. they did not create these
> > users).
> >
> > As more reports came in, we found a pattern.... the users created were
> > always the same .... postmaster (not alias but user), peter, mariselas and a
> > couple others.
> >
> > Looking into the registry, these illegal users all had just a
> > registry string called SMTPWIN with a value of 20,20,524,350
> >
> > No other string values for the illegal users, which is extremely
> > weird (see below).
> >
> > Even more curious, as we deleted these illegal users, they cropped
> > up again after a short while....
> >
> > I called Ipswitch this morning, and they were not willing to look into it
> > as there wasn't enough information! Not the best answer I received,
> > especially since it concerns security. I can understand that they don't know
> > what and where the issue is, but you would expect them to want to investigate
> > if there is a hole somewhere... so I guess I am at the mercy of this list.
> >
> > There is a firewall in front of the IMail server, allowing just port 80
> > for the web interface of IMail, port 25, the port for IMAP, port 110, and the
> > port for web calendaring.
> >
> > There is AV on the machine, it just does not scan user mailboxes and
> > spool. Just ran a virus scan and it comes out clean.
> >
> > Any help or directions would be appreciated.
> >
> > Thanks
> >
> > PV
> >
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
> > "SMTPWIN"="20,20,524,350"
> >
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmas[EMAIL PROTECTED]
> > "SMTPWIN"="20,20,524,350"
> >
> > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/


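An added triage script for the pattern PV describes, written for this page; it is not code from the thread, from Ipswitch or from IMail. It parses a regedit export of the IMail domain tree and flags user keys whose only value is SMTPWIN (exactly what the rogue entries looked like), and optionally any user not on a per-domain list of accounts the host admins actually created. The key path and the SMTPWIN value come from the post; the sample export and the value names on the legitimate user (FullName, MailAddr) are constructed for illustration and are not a claim about IMail's real registry schema.

```python
r"""Triage helper for rogue IMail user entries in a regedit export.

Parses a .reg export of HKLM\SOFTWARE\Ipswitch\IMail\Domains and reports
user keys whose only value is "SMTPWIN" (the pattern from the thread),
plus, if an allowlist is given, users the host admins did not create.
"""
import re
from collections import OrderedDict

# Matches [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\<domain>\Users\<user>]
IMAIL_USER_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\IMail\\Domains\\"
    r"([^\\\]]+)\\Users\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
# Matches "Name"=<raw value>; the default value line (@=...) is ignored on purpose.
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')

# Constructed sample export (not a real capture). Only the key path and the
# SMTPWIN value come from the thread; FullName/MailAddr are assumed names.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com]
"Official"="domain.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\alice]
"FullName"="Alice Example"
"MailAddr"="alice@domain.com"
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\peter]
"SMTPWIN"="20,20,524,350"
"""


def parse_imail_users(reg_text):
    """Return {(domain, user): {value_name: raw_value}} for every IMail user key."""
    users = OrderedDict()
    current = None  # (domain, user) of the key whose values we are reading
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("["):
            m = IMAIL_USER_KEY.match(line)
            current = (m.group(1).lower(), m.group(2).lower()) if m else None
            if current is not None:
                users.setdefault(current, {})
            continue
        if current is None:
            continue  # value under a key we do not care about
        m = REG_VALUE.match(line)
        if m:
            users[current][m.group(1)] = m.group(2)
    return users


def find_rogue_users(users, allowlist=None):
    """Return [(domain, user, [reasons])] for entries that deserve a closer look."""
    findings = []
    for (domain, user), values in users.items():
        reasons = []
        if set(values) == {"SMTPWIN"}:
            reasons.append("only value is SMTPWIN")
        if allowlist is not None and user not in allowlist.get(domain, set()):
            reasons.append("not on admin allowlist")
        if reasons:
            findings.append((domain, user, reasons))
    return findings


def load_reg_file(path):
    """regedit 5.00 exports are UTF-16 LE with a BOM; REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for domain, user, reasons in find_rogue_users(parse_imail_users(text)):
        print(f"{domain}\\{user}: {'; '.join(reasons)}")
```

Feed it an export made with `regedit /e imail.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains"` taken on a schedule; a user that shows up in one export and not the previous one, or that comes back after being deleted, narrows the window in which Regmon (now Process Monitor) filtered on that key path will show which process is writing the entries.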

