What is the size and modified date of the imail1.exe on that machine? Also make sure there is only one there.

Eric S

----- Original Message -----
From: "Mailing Lists" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 20, 2004 2:02 PM
Subject: Re: [IMail Forum] Possible Imail Hack??

> Ok,
>
> I think I found the process that creates the value, it looks like imail1.exe
> is the one creating the registry entry (see below output from RegMon).
>
> 5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster SUCCESS Access: 0x2000000
> 5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN SUCCESS "20,20,524,350"
>
> PV
>
> ----- Original Message -----
> From: "Eric Shanbrom [Ipswitch]" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 20, 2004 1:12 PM
> Subject: Re: [IMail Forum] Possible Imail Hack??
>
> > There is a program called RegMon (from sysinternals I think) that you can
> > run on the box and it will monitor what application makes registry changes.
> > I have used this to pinpoint other things going on before. Since it isn't
> > happening to me I cannot look into it here. I have a feeling you were maybe
> > hacked somehow and there is something amiss.
> >
> > Eric S
> >
> > ----- Original Message -----
> > From: "Mailing Lists" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, May 20, 2004 12:23 PM
> > Subject: [IMail Forum] Possible Imail Hack??
> >
> > > We found the weirdest thing on Imail Server today (running 8.05).
> > >
> > > We had some host admins complaining that they saw users in their domain
> > > which were not recognized (i.e. they did not create these users).
> > >
> > > As more reports came in, we found a pattern.... users created were always
> > > same .... postmaster (not alias but user), peter, mariselas and a couple
> > > others.
> > >
> > > Looking into the registry, these illegal users all had just a registry
> > > string called SMTPWIN with value of 20,20,524,350
> > >
> > > No other string values for the illegal users which is extremely weird (see
> > > below).
> > >
> > > Even more curious, as we deleted these illegal users, they cropped up again
> > > after a short while....
> > >
> > > I called IPSWITCH this morning, and were not willing to look into it as
> > > there wasn't enough information! Not the best answer I received especially
> > > since it concerns security. I can understand that they don't know what and
> > > where the issue is but you would expect them to want to investigate if there
> > > is a hole somewhere... so I guess I am at mercy of this list.
> > >
> > > There is a firewall in front of Imail server, allowing just port 80 for web
> > > interface of imail, port 25, port for imap, port 110, and port for web
> > > calendaring.
> > >
> > > There is AV on machine, it just does not scan user mailboxes and spool. Just
> > > ran a virus scan and comes out clean.
> > >
> > > Any help or directions would be appreciated.
> > >
> > > Thanks
> > >
> > > PV
> > >
> > > [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
> > > "SMTPWIN"="20,20,524,350"
> > >
> > > [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmas[EMAIL PROTECTED]
> > > "SMTPWIN"="20,20,524,350"
> > >
> > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
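As an added example that is not part of the thread and not Ipswitch code: a Python script that parses a .reg export of the IMail Domains tree and flags user keys holding nothing but the SMTPWIN value (the shape PV reports for the unexpected accounts), and that attributes successful CreateKey/SetValue operations under those Users keys to a process from RegMon-style log lines. All sample data is constructed; the value name "OtherValue" on the legitimate user is a placeholder, not IMail's real schema.

```python
# Added example, not from the thread: flag IMail user keys whose only value is SMTPWIN
# and attribute writes under the Users keys to a process from RegMon-style output.
import re

REG_USER_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\IMail\\Domains\\([^\\]+)\\Users\\([^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
# RegMon text line: seq  time  image:pid  operation  path  result  [extra]
REGMON_LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+?):(\d+)\s+(\w+)\s+(\S+)\s+(\w+)\s*(.*)$")

# Constructed sample export; "OtherValue" stands in for whatever a real IMail user carries.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
"SMTPWIN"="20,20,524,350"
[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\peter]
"SMTPWIN"="20,20,524,350"
[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\alice]
"SMTPWIN"="20,20,524,350"
"OtherValue"="placeholder"
'''
# Constructed RegMon lines in the layout the thread shows (one unrelated read added as noise).
SAMPLE_REGMON = r'''
5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster SUCCESS Access: 0x2000000
5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN SUCCESS "20,20,524,350"
5083184 271.62000000 explorer.exe:800 QueryValue HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN SUCCESS "20,20,524,350"
'''

def parse_reg_export(text):
    """Map (domain, user) -> {value name: data} for user keys in a .reg export."""
    users, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = REG_USER_KEY.match(line)
        if key:
            current = key.groups()
            users.setdefault(current, {})
        elif current is not None and (val := REG_VALUE.match(line)):
            users[current][val.group(1)] = val.group(2).strip('"')
    return users

def smtpwin_only_users(users):
    """User keys that hold nothing but SMTPWIN: the pattern the thread reports for the unexpected accounts."""
    return sorted(u for u, vals in users.items() if set(vals) == {"SMTPWIN"})

def writers_under_users_keys(regmon_text):
    """Map image:pid -> {(operation, path)} for successful CreateKey/SetValue under an IMail Users key."""
    writers = {}
    for m in filter(None, map(REGMON_LINE.match, regmon_text.strip().splitlines())):
        image, pid, op, path, result = m.group(3, 4, 5, 6, 7)
        if result == "SUCCESS" and op in ("CreateKey", "SetValue") and "\\IMail\\Domains\\" in path and "\\Users\\" in path:
            writers.setdefault(f"{image}:{pid}", set()).add((op, path))
    return writers
```

Run against a real export and a real RegMon capture, the first function lists accounts worth checking against the host admins' records and the second shows which image wrote them, which is the question Eric's last reply (size, date and uniqueness of imail1.exe) follows up on.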
