[nsp-sec] [Confidential] Webmail issue.
Scott A. McIntyre
scott at xs4all.net
Wed Jun 17 02:15:40 EDT 2009
All,
I can't yet reveal all of the details and the information I'm about to
share is for NSP-SEC *ONLY* - do not under any circumstances blog,
tweet, MySpace, FriendIn, LinkedFace (whatever) or call Krebs about
this.
There are strong indications that Squirrelmail.org has been
compromised. What was initially thought to be an SVN account
compromise has been shown to be root level system access. Code has been
changed, plugins modified, and the Apache httpd was interfered with to
attempt to load a new (details still to come) module.
Backdoors were installed in various plugins.
The initial compromise was *thought* to be between 1400 and 1600 on 16
June 2009 (UTC) but subsequent investigation shows it may have been
going on for "a few weeks."
Details are still coming in, and are quite sketchy, but given the
popularity of SquirrelMail within the NSP community as a
customer-facing webmail package I wanted to give NSP-Sec a heads up on the
matter.
As I know more definitive information, I'll share it with the community.
Regards,
Scott A. McIntyre
XS4ALL Internet B.V.