RE: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-08 Thread Orin Wells
Actually, we have tried both but have not found the culprit(s) 
yet.  Although my partner believes he saw a spike in traffic coming in as a 
Telnet session from an unexpected origin - 
rrcs-74-39-200-122.nys.biz.rr.com which on searching with google appears 
not too uncommon - that is hacks, spam and spyware from users of biz.rr.com.


This has us planning to try to isolate which IP address(es) attacks may be 
coming in on and shut them down.


Regarding telnet - apparently there is a problem with windows 2003 and 
iMail.  If my source is correct one can telnet into a Windows 2003 system 
running iMail (pick a version) on port 25 and get by the 
authentication.  Again, my source told me that neither Microsoft nor 
Ipswitch has come up with a way to stop this.  It appears only to be a 
problem on Windows 2003, not Windows 2000.


At 04:05 PM 9/7/2005, Kevin Bilbee wrote:

> Start with TCPView From sysinternals to view open ports on the server find
> the ports and programs that should not be running and kill then remove them
> from the system.
>
> Also use Process Explorer from sysinternals and look at all the running
> processes. If you find one that does not belong then kill and remove it.


Kevin Bilbee



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-08 Thread Dan Horne
Orin Wells wrote on Thursday, September 08, 2005 1:15 AM:

> Regarding telnet - apparently there is a problem with windows 2003
> and iMail.  If my source is correct one can telnet into a Windows
> 2003 system running iMail (pick a version) on port 25 and get by the
> authentication.  Again, my source told me that neither Microsoft nor
> Ipswitch has come up with a way to stop this.  It appears only to be
> a problem on Windows 2003, not Windows 2000.

This is FUD and is patently false.  Telnetting on port 25 is not true
"telnet" which runs on port 23.  When you connect on port 25 you are
connecting to an SMTP session just like any other SMTP server.  It is
not possible to bypass Authentication in this manner.  If your source is
trying to do this from your network, and you have your network in the
"relay mail for addresses" list, then no authentication is necessary.
The proper way to test this would be to make the attempt from an outside
network.  If you have your relay settings set to anything other than "No
mail relay" or "relay for addresses", then no authentication is
necessary from any network and you ARE an open relay.  Your source has
his facts wrong.  The OS (windows 2003/2000) has nothing to do with
Imail's SMTP service and whether it requires auth.

Dan Horne  
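Dan Horne's point is that "telnetting to port 25" is just an SMTP session, and that the only meaningful relay test is a RCPT TO for a foreign domain, sent from a client that is outside the server's "relay mail for addresses" list and without AUTH. The script below is an added example, not code from this thread or from Ipswitch; it drives exactly that EHLO / MAIL FROM / RCPT TO exchange, classifies the RCPT reply, and quits before DATA so nothing is ever relayed even if the server would accept it. The host names, addresses and the in-memory ScriptedServer are constructed stand-ins for an offline run.

```python
"""Open-relay self-check: the EHLO / MAIL FROM / RCPT TO exchange behind a
"telnet to port 25" test, with the verdict taken from the RCPT reply.

Added example, not code from the thread or from Ipswitch. It never sends
DATA, so no message is relayed even when the server would accept one.
Host names and addresses below are constructed placeholders."""
import socket
from typing import Callable, Dict, List, Tuple


def read_reply(readline: Callable[[], str]) -> Tuple[int, List[str]]:
    """Read one SMTP reply, including multi-line '250-' continuations."""
    lines: List[str] = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # '250 ' ends the reply, '250-' continues it
            break
    return int(lines[-1][:3]), lines


def relay_probe(send: Callable[[str], None], readline: Callable[[], str],
                helo: str = "relaycheck.example.invalid",
                mail_from: str = "probe@relaycheck.example.invalid",
                rcpt_to: str = "nobody@elsewhere.example.invalid") -> Dict:
    """Drive the dialogue and return {'verdict', 'rcpt_code', 'transcript'}.

    verdict is 'open' (2xx to an off-domain RCPT with no AUTH from an outside
    client = open relay), 'denied' (5xx), or 'inconclusive' (banner/EHLO/MAIL
    refused, or a 4xx temporary answer)."""
    transcript: List[str] = []

    def talk(cmd: str) -> int:
        send(cmd + "\r\n")
        transcript.append("C: " + cmd)
        code, lines = read_reply(readline)
        transcript.extend("S: " + l for l in lines)
        return code

    code, lines = read_reply(readline)                  # greeting banner
    transcript.extend("S: " + l for l in lines)
    result = {"verdict": "inconclusive", "rcpt_code": None, "transcript": transcript}
    if code != 220:
        return result
    if talk(f"EHLO {helo}") // 100 != 2 or talk(f"MAIL FROM:<{mail_from}>") // 100 != 2:
        talk("QUIT")
        return result
    rcpt = talk(f"RCPT TO:<{rcpt_to}>")
    talk("QUIT")                                        # stop before DATA: nothing is relayed
    result["rcpt_code"] = rcpt
    if rcpt // 100 == 2:
        result["verdict"] = "open"
    elif rcpt // 100 == 5:
        result["verdict"] = "denied"
    return result


def probe_host(host: str, port: int = 25, timeout: float = 15.0) -> Dict:
    """Run relay_probe against a live server. Do it from a host OUTSIDE the
    server's 'relay mail for addresses' list, or the result proves nothing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        return relay_probe(lambda s: sock.sendall(s.encode("ascii")), reader.readline)


class ScriptedServer:
    """Constructed stand-in for a real SMTP listener, for the offline demo only.
    Answers the commands relay_probe sends; the RCPT reply is configurable."""

    def __init__(self, rcpt_reply: str):
        self._queue = ["220 mail.example.invalid ESMTP ready\r\n"]
        self._rcpt_reply = rcpt_reply

    def send(self, data: str) -> None:
        cmd = data.strip().upper()
        if cmd.startswith("EHLO"):
            self._queue += ["250-mail.example.invalid\r\n", "250 AUTH LOGIN\r\n"]
        elif cmd.startswith("MAIL FROM"):
            self._queue.append("250 OK\r\n")
        elif cmd.startswith("RCPT TO"):
            self._queue.append(self._rcpt_reply + "\r\n")
        elif cmd == "QUIT":
            self._queue.append("221 Bye\r\n")

    def readline(self) -> str:
        return self._queue.pop(0) if self._queue else ""


if __name__ == "__main__":
    demo = ScriptedServer("550 5.7.1 Relaying denied")
    print(relay_probe(demo.send, demo.readline)["verdict"])   # denied
```

A 2xx answer to the foreign RCPT from a client that is not in the relay list and has not authenticated is the open-relay condition Dan describes; the same answer from inside a listed network is expected and says nothing, which is why probe_host should be run from outside.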


Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-08 Thread Matt




One other thing to add to this. Ipswitch in their brilliance, decided
to make a default password of "password" for any newly created account
including root. One must take great care to change these otherwise
they can become susceptible to AUTH hacking with a great deal of ease,
and you then become essentially an open relay even though you are
configured not to be.

Matt



Dan Horne wrote:

> Orin Wells wrote on Thursday, September 08, 2005 1:15 AM:
>
>> Regarding telnet - apparently there is a problem with windows 2003
>> and iMail.  If my source is correct one can telnet into a Windows
>> 2003 system running iMail (pick a version) on port 25 and get by the
>> authentication.  Again, my source told me that neither Microsoft nor
>> Ipswitch has come up with a way to stop this.  It appears only to be
>> a problem on Windows 2003, not Windows 2000.
>
> This is FUD and is patently false.  Telnetting on port 25 is not true
> "telnet" which runs on port 23.  When you connect on port 25 you are
> connecting to an SMTP session just like any other SMTP server.  It is
> not possible to bypass Authentication in this manner.  If your source is
> trying to do this from your network, and you have your network in the
> "relay mail for addresses" list, then no authentication is necessary.
> The proper way to test this would be to make the attempt from an outside
> network.  If you have your relay settings set to anything other than "No
> mail relay" or "relay for addresses", then no authentication is
> necessary from any network and you ARE an open relay.  Your source has
> his facts wrong.  The OS (windows 2003/2000) has nothing to do with
> Imail's SMTP service and whether it requires auth.
>
> Dan Horne
  





Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-08 Thread Russ Lists

Orin Wells wrote:

> OK, I see it.  The question is how do you KILL the stuff that has
> gotten into the server?  We shut down the IMAP yesterday primarily
> because we really don't have anyone we are aware of who does not use
> POP3.  But the problem persists and seems to avoid every attempt to
> find it.  I see a lot of code on the examples of how they are using
> the exploit.  I am afraid it does not mean a lot to me and my brain is
> too tired to try to make any sense of this and figure out how to catch
> it.  Surely someone has found a solution.

They *have* to connect to a network port.  If you can't find the port
that shouldn't be open using something like Foundstone's Vision
(http://www.foundstone.com/index.htm?subnav=resources/navigation.htmsubcontent=/resources/proddesc/vision.htm)
... watch wrap .. then the only option you have is to set up a packet
capture like ethereal (http://www.ethereal.com/) and look at the raw
data.

> My guess is they have been able to plant something they are now using
> against us.  According to the tech if he disconnects the server from
> the network, the problem stops.  It is only when the cable is hooked
> up that it starts in again.

They've definitely installed a root kit.  Windows root kits are becoming
obscenely popular.  Your only option is to capture the raw data with
ethereal if it's a good root kit.

> I suppose if it is coming in on a specific IP address we could
> disconnect them all and then add them back one at a time until we find
> the one they are coming in on, but that sounds like a LOT of work.  Is
> there some other way to find this?  Right now we have a lot of unhappy
> clients.

If you block their IP, they will just come in on another IP.  You must
find the program and get rid of it, or rebuild...


If I can be of any more assistance, let me know.

Thanks,
Russ
---
[This E-mail scanned for viruses by Declude Virus]



Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-08 Thread Darrell ([EMAIL PROTECTED])
I have seen some root kits be able to hide from tools like Fport and such.
As you have suggested, using a packet capture tool usually always helps
identify which port they are exploiting.  However, with that said, the one
thing that I keep as a golden rule is that once a box has been compromised
it is going to be scratched.  You just never know what else they left on
the machine.


Darrell
---
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Download 
it today - http://www.invariantsystems.com


- Original Message - 
From: Russ Lists [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Thursday, September 08, 2005 9:24 AM
Subject: Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003





Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-08 Thread Don Brown
I don't see that as a big issue.

They can't Auth when 'Account Access Disabled' is checked in the user
gui.

If the user has a POP box, uncheck 'Account Access Disabled' and use
their unique password.

If the user is for forwarding, then make sure that 'Account Access
Disabled' is checked.  They can't Auth, so they can't send.


Thursday, September 8, 2005, 8:15:20 AM, Matt [EMAIL PROTECTED] wrote:
M>
M> One other thing to add to this.  Ipswitch in their brilliance,
M> decided to make a default password of "password" for any newly
M> created account including root.  One must take great care to change
M> these otherwise they can become susceptible to AUTH hacking with a
M> great deal of ease, and you then become essentially an open relay
M> even though you are configured not to be.
M>
M> Matt



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049




[Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-07 Thread Orin Wells
We are about to build a new server using Windows 2003.  The reason is that 
we were apparently attacked through the iMail IMAPI exploit.  The last of 
whatever got in seems to be running in a very effective stealth mode 
because nothing seems to be able to find it and kill it.  As a consequence, 
our server reboots anywhere from every 10 minutes to every 45 minutes.


So = new server.

We have been running iMail 7.07 under windows 2000.  We had some input that 
there may be some problems in this environment.  We are not keen on 
upgrading to 8.x since IPSwitch is walking away from iMail the product.


Can anyone comment on this possible incompatibility?




RE: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-07 Thread John Tolmachoff (Lists)
> We have been running iMail 7.07 under windows 2000.  We had some input that
> there may be some problems in this environment.  We are not keen on
> upgrading to 8.x since IPSwitch is walking away from iMail the product.

Ipswitch is not walking away from Imail. It is still alive and well, and in
fact continues to be improved and upgraded. The next version is in active
beta as we speak. The only thing that has happened is Ipswitch no longer
sells Imail as a stand alone product. SA are still available for it.

John T
eServices For You




Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-07 Thread Ncl Admin
I think that the exploit is in imail 7.07 and not in your server.  Do a
google on "imail 7.07 exploit".

So you most likely would need to upgrade to the 8.2 series, though the exploit
isn't in 8.15 I don't believe.  BTW they do seem to have some interesting
pricing going on if you google "imail deals", depending on your number of
domains and users.


At 12:43 PM 9/7/2005 -0700, you wrote:



[This E-mail scanned for viruses by F-Prot]



Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-07 Thread Orin Wells

At 01:43 PM 9/7/2005, Ncl Admin wrote:

> I think that the exploit is in imail 7.07 and not in your server do a
> google on
> imail 7.07 exploit.


OK, I see it.  The question is how do you KILL the stuff that has gotten 
into the server?  We shut down the IMAP yesterday primarily because we 
really don't have anyone we are aware of who does not use POP3.  But the 
problem persists and seems to avoid every attempt to find it.  I see a lot 
of code on the examples of how they are using the exploit.  I am afraid it 
does not mean a lot to me and my brain is too tired to try to make any 
sense of this and figure out how to catch it.  Surely someone has found a 
solution.


My guess is they have been able to plant something they are now using 
against us.  According to the tech if he disconnects the server from the 
network, the problem stops.  It is only when the cable is hooked up that it 
starts in again.


I suppose if it is coming in on a specific IP address we could disconnect 
them all and then add them back one at a time until we find the one they 
are coming in on, but that sounds like a LOT of work.  Is there some other 
way to find this?  Right now we have a lot of unhappy clients.





> So you most likely would need to upgrade to 8.2 series. Tho the exploit
> isn't in 8.15 I don't believe. BTW they do seem to have some interesting
> pricing going on if you google imail deals depending on your number of
> domains and users.
>
> At 12:43 PM 9/7/2005 -0700, you wrote:


RE: [Declude.JunkMail] OT - iMail 7.x and Windows 2003

2005-09-07 Thread Kevin Bilbee
Start with TCPView From sysinternals to view open ports on the server find
the ports and programs that should not be running and kill then remove them
from the system.

Also use Process Explorer from sysinternals and look at all the running
processes. If you find one that does not belong then kill and remove it.


Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Orin Wells
> Sent: Wednesday, September 07, 2005 3:32 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003


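Kevin's TCPView / Process Explorer walk-through and Russ's "they *have* to connect to a network port" are the same check: list every bound socket, find out which image owns it, and compare against what the box is supposed to run. The script below is an added example, not code from this thread or from Sysinternals; it joins `netstat -ano` output with `tasklist /FO CSV` output and flags every listener that is not on an allowlist. The sample output, the 31337 listener and the iMail executable names in the allowlist are constructed or assumed, not taken from the thread; adjust the allowlist to the services your own server exposes.

```python
"""Listening-port and process audit for a Windows mail server: the scripted
counterpart of the TCPView + Process Explorer advice in this thread.

Added example, not from the thread or from Sysinternals. Joins `netstat -ano`
with `tasklist /FO CSV` and reports listeners that are not on an allowlist.
Sample output and executable names are constructed / assumed."""
import csv
import io
import re
import subprocess
import sys
from typing import Dict, List

# Assumption: what this mail server should be listening on. IMAP is left out
# on purpose because the thread shut it down; executable names are assumed.
EXPECTED = {
    ("TCP", 25): {"smtp32.exe"},     # SMTP
    ("TCP", 110): {"pop3d32.exe"},   # POP3
    ("TCP", 3389): {"svchost.exe"},  # Terminal Services for admin access
    ("UDP", 445): {"System"},        # SMB, kernel-owned
}

# Constructed sample output; the 31337 listener is the one nobody configured.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1496
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2044
  TCP    192.0.2.10:25          203.0.113.9:40122      ESTABLISHED     1480
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,120 K"
"smtp32.exe","1480","Console","0","9,340 K"
"pop3d32.exe","1496","Console","0","5,212 K"
"svchost.exe","2044","Console","0","1,980 K"
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none), pid
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """Return bound sockets: TCP sockets in LISTENING state plus every UDP socket."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue                      # headers, blank lines
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing connections are not listeners
        sockets.append({"proto": proto, "addr": addr, "port": int(port), "pid": int(pid)})
    return sockets


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV`."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def audit(sockets: List[Dict], procs: Dict[int, str], expected=EXPECTED) -> List[Dict]:
    """One finding per listener that is off-list or owned by the wrong image.
    A PID that netstat reports but tasklist cannot name is itself a finding."""
    findings = []
    for s in sockets:
        image = procs.get(s["pid"], "<no such PID in tasklist>")
        key = (s["proto"], s["port"])
        if key not in expected:
            reason = "port not in allowlist"
        elif image not in expected[key]:
            reason = "unexpected process on an allowlisted port"
        else:
            continue
        findings.append({**s, "image": image, "reason": reason})
    return findings


def collect_live():
    """Run the two commands on the server itself (Windows only)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    ns, tl = collect_live() if sys.platform == "win32" else (SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for f in audit(parse_netstat(ns), parse_tasklist_csv(tl)):
        print(f"{f['proto']} {f['addr']}:{f['port']}  pid={f['pid']} ({f['image']})  -> {f['reason']}")
```

Everything this script sees comes from the box itself, so it has the same blind spot Russ and Darrell describe: a kernel root kit that hides from TCPView and Fport hides from netstat and tasklist too. When the audit comes back clean but the symptoms persist, the next step is the one they give, a packet capture taken from another host, and the rule of thumb after that is rebuild rather than clean.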