Re: [IMail Forum] SMTP Exploit Scanning Going on NOW 8.15 ASSP

2006-10-29 Thread Doug Traylor

From: "Beach Computers" <[EMAIL PROTECTED]>

Changed the mail server ehlo, and also enabled delaying in ASSP, but we
still got hit by this.


I tried to reply directly to Dave's "groups" address but it bounced so I am 
replying to the list.


Dave,

Thanks for the heads up and sorry to hear it.

Do you have the ASSP log from when the successful attack took place?  I have
been watching my logs and can't seem to find anything out of the ordinary.
Granted we don't have Imail responding to Internet SMTP, but I thought I'd
at least see some unusual activity.  What version of ASSP are you using?  Do
you have connection testing enabled too?

Thanks,

Doug Traylor
ASSP v1.2.5

[EMAIL PROTECTED]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/


RE: [IMail Forum] SMTP Exploit Scanning Going on NOW 8.15 ASSP

2006-10-29 Thread Beach Computers
Just an FYI for anyone else who is currently SOL like us,

Changed the mail server ehlo, and also enabled delaying in ASSP, but we
still got hit by this. 


 
Dave
 
Beach Computers
Affordable Hosting Solutions
http://www.beachcomp.com

Cheap Domain Warehouse
Get Your Own Dot!
http://www.cheapdomainwarehouse.com



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Waller
Sent: Sunday, October 29, 2006 9:52 AM
To: Imail_Forum@list.ipswitch.com
Subject: RE: [IMail Forum] SMTP Exploit Scanning Going on NOW

To get around the SMTP auto start problem consider using a 3rd party app.
such as Service+ or similar.

David 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eddie Pang
Sent: 29 October 2006 13:12
To: Imail_Forum@list.ipswitch.com
Subject: RE: [IMail Forum] SMTP Exploit Scanning Going on NOW

Hi All,
 
Sorry I am running V8.12 and not 8.15 as previously reported.  
 
I have compiled the exploit and run it against my server.  With version
8.12, I am not getting any of the injections as described (share, new user,
port  bind).  However, after running the exploit all smtp will not
respond to any connection request. You will have to manually stop/start SMTP
to regain full function once again.
 
Here is the catch-22.  You will need to enable Monitor Services if you wish
to have SMTP auto restart should it hang.  This service in the past has
created a bunch of networking issues for a few users.
 
Also, I am not seeing the same info as
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/msg108489.html .
 
My log looks like
10:29 02:43 SMTPD(a1dc000b002a1d33) [xxx.xxx.xxx.xxx] EHLO
10:29 02:43 SMTPD(a1dc000b002a1d33) [xxx.xxx.xxx.xxx] MAIL FROM <[EMAIL PROTECTED]>
10:29 02:43 SMTPD(a1dc000b002a1d33) [xxx.xxx.xxx.xxx] RCPT TO: <@qo:
10:29 02:44 SMTPD() server starting on port 25 of student.chaminade.edu <<< AUTO RESTART OF SMTP via Monitor after SMTP fails to respond..
 
Display of Options from executable.
=
IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit Coded by Greg
Linares < glinares.code  [at] GMAIL [dot] com >
Usage: imailexploit [hostname] [port]   Default port is 25 
 
==
Payload Options: 1 = Default
==
1 = Share C:\ as 'Export' Share
2 = Add User 'Error' with Password 'Error'
3 = Win32 Bind CMD to Port 
4 = Change Administrator Password to '[EMAIL PROTECTED]'
==
JMP Options: 1 = Default
==
1 = IMAIL 8.x SMTPDLL.DLL[pop ebp, ret] 0x10036f71 
2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289
4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23
5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c
6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397
7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397
8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 
 
 
Hope this provides some info, at least to users of Version 8.12.
 
Eddie :)
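
A log check for the pattern in the excerpt above, added here as an example (not code from any poster, Ipswitch or ASSP): it flags sessions whose last logged command was a malformed RCPT TO at the point where a "server starting" line shows SMTP being restarted. The sample log is constructed in the layout of that excerpt; the QUIT line, addresses, host name and function names are assumptions.

```python
import re

# Constructed sample in the layout of the excerpt above. Addresses, host name
# and the QUIT line are placeholders/assumptions, not taken from the thread.
SAMPLE_LOG = """\
10:29 02:40 SMTPD(a1dc000a002a1d30) [192.0.2.10] EHLO mail.example.net
10:29 02:40 SMTPD(a1dc000a002a1d30) [192.0.2.10] MAIL FROM:<alice@example.net>
10:29 02:40 SMTPD(a1dc000a002a1d30) [192.0.2.10] RCPT TO:<bob@example.org>
10:29 02:41 SMTPD(a1dc000a002a1d30) [192.0.2.10] QUIT
10:29 02:43 SMTPD(a1dc000b002a1d33) [203.0.113.7] EHLO
10:29 02:43 SMTPD(a1dc000b002a1d33) [203.0.113.7] MAIL FROM <x@example.com>
10:29 02:43 SMTPD(a1dc000b002a1d33) [203.0.113.7] RCPT TO: <@qo:
10:29 02:44 SMTPD() server starting on port 25 of mail.example.test
"""

LINE = re.compile(r"^(\d\d:\d\d) (\d\d:\d\d) SMTPD\(([0-9a-f]*)\) (.*)$")
PEER = re.compile(r"^\[([^\]]+)\] (.*)$")
GOOD_RCPT = re.compile(r"RCPT TO:\s*<[^<>\s]*>(\s+\S+)*", re.I)
MAX_PATH = 256  # RFC 5321 upper bound on a forward-path, in octets

def rcpt_is_suspect(cmd):
    """True for a RCPT TO whose argument is unterminated, malformed or overlong."""
    if not cmd.upper().startswith("RCPT TO"):
        return False
    arg = cmd[len("RCPT TO"):].lstrip(": ")
    return len(arg) > MAX_PATH or GOOD_RCPT.fullmatch(cmd) is None

def find_crash_sessions(log_text):
    """Sessions whose last logged command was a suspect RCPT TO at the moment
    a 'server starting' line shows the SMTP service being restarted."""
    last, findings = {}, []   # last: session id -> (date, time, peer, command)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        date, time, sid, rest = m.groups()
        if rest.startswith("server starting"):
            for s, (d, t, peer, cmd) in last.items():
                if rcpt_is_suspect(cmd):
                    findings.append({"session": s, "peer": peer, "seen": f"{d} {t}",
                                     "restart": f"{date} {time}", "command": cmd[:60]})
            last.clear()      # every open session died with the service
            continue
        p = PEER.match(rest)
        if sid and p:
            last[sid] = (date, time, p.group(1), p.group(2))
    return findings
```

Run `find_crash_sessions()` over the SMTP log text; each finding gives the peer address and the restart time to correlate with ASSP and firewall logs.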
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eddie Pang
Sent: Saturday, October 28, 2006 4:51 PM
To: Imail_Forum@list.ipswitch.com
Subject: RE: [IMail Forum] SMTP Exploit Scanning Going on NOW


For those of us who are not programmers, can someone provide a simple what
we need to do to compile this so we can test our systems for this exploit.

 
 I have a HIPS running on our Imail 8.15 server, and I want to see if it