[nsp-sec] [Confidential] Webmail issue.

Huopio Kauto Kauto.Huopio at ficora.fi
Mon Jun 22 03:27:42 EDT 2009


Now, there is a security notice placed at squirrelmail.org
website - dated June 16th. I have my doubts that this message
was posted to squirrelmail.org _after_ June 16th..

-What is the status of the compromise at the moment? 
-What distribution is considered secure? Safe MD5:s?
-Are the plugins safe or not?

--Kauto
CERT-FI

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Scott A. McIntyre
Sent: 17 June 2009 9:16
To: NSP-SEC List
Subject: [nsp-sec] [Confidential] Webmail issue.

----------- nsp-security Confidential --------

All,

I can't yet reveal all of the details and the information I'm about to  
share is for NSP-SEC *ONLY* - do not under any circumstances blog,  
tweet, MySpace, FriendIn, LinkedFace (whatever) or call Krebs about  
this.

There are strong indications that Squirrelmail.org has been  
compromised.  What was initially thought to be an SVN account
compromise has been shown to be root level system access.  Code has been
changed, plugins modified, and the Apache httpd was interfered with to  
attempt to load a new (details still to come) module.

Backdoors were installed in various plugins.

The initial compromise was *thought* to be between 1400 and 1600 on 16  
June 2009 (UTC) but subsequent investigation shows it may have been  
going on for "a few weeks."

Details are still coming in, and are quite sketchy, but given the  
popularity of SquirrelMail within the NSP community as a customer-facing
webmail package I wanted to give NSP-Sec a heads up on the
matter.

As I know more definitive information, I'll share it with the community.

Regards,

Scott A. McIntyre
XS4ALL Internet B.V.



