Re: hacked server

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 07/17/04

  • Next message: Jeff Cochran: "Re: hacked server"
    Date: Sat, 17 Jul 2004 14:48:23 -0700
    
    

    You did not state that you have been keeping iMail up-to-date
    so perhaps
    http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&col=xtracert&col=trandedu&col=vulnotes&col=techtips&col=research&col=certadv&col=incnotes&col=secimp&qt=IpSwitch+IMail&x=16&y=8
    will be of interest (?)

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA,  MCSE W2k3+W2k+Nt4
    "TT" <tonkatrail@hotmail.com> wrote in message 
    news:Oo8T6%23DbEHA.2408@tk2msftngp13.phx.gbl...
    > Sorry, I should have specified that this is a workgroup server running Win2K
    > SP4 and only has one application running: IpSwitch's IMail
    >
    > "TT" <tonkatrail@hotmail.com> wrote in message
    > news:eRZDJ6DbEHA.2544@TK2MSFTNGP10.phx.gbl...
    >> One of my email servers was hacked. I thought I was being a good little boy
    >> and keeping up with all the updates, etc., but someone got in anyway. A mild
    >> hack. It appears they only want a place for an IRC server to communicate.
    >> Now it's become my challenge to keep them out.. :)
    >>
    >> Now my problem is
    >> 1. How did they do it to begin with? This server has no FTP or HTTP service
    >> running. I was running Terminal Server and I even shut it down. There is
    >> only 1 user and that's the Administrator for which I have now changed the
    >> name.
    >> and
    >> 2. They're continuing to get in after I shut down a couple of small holes
    >> which I felt were maybe possibilities. When I log in, I see 4 or 5 DOS
    >> command windows pop up very quickly. So quickly that I can't read anything
    >> on them. I've searched login scripts, etc., and everyplace I know which
    >> could initialize when I log in, but I haven't found a thing.
    >>
    >> Can someone point me to some additional places to look for init-type
    >> commands? Maybe some registry entry places?? I've searched for logon and run
    >> commands and found nothing.
    >>
    >> Thanks in Advance
    >> tonka trail at hotmail dot com
    >>
    >>
    >
    > 
    
