Hacked

Discussion regarding the Standard version.
alberto
Posts: 12
Joined: Fri Mar 18, 2005 10:23 am

Hacked

Post by alberto »

I've been hacked through MailEnable.
I've found the server crashed and a cmd shell bound on 9090,
a rootkit and an iroffer installed.

I'm really disappointed and I don't know why you've still
not released a patch.
I suppose that I'm going to use Merak Mail when I find
something to convert the boxes.

At least your phpBB forum is also really outdated by a lot
of versions that are full of security bugs...
maybe it's not your business?

I'm really angry about what happened.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

MailEnable releases patches as soon as potential exploits are validated and patches are reasonably tested.

What version of MailEnable are you running? This will assist in determining what possible patches are relevant.
Regards, Andrew

alberto
Posts: 12
Joined: Fri Mar 18, 2005 10:23 am

Post by alberto »

It's the 1.8 Standard that is currently on the download page.
I've found the problem only because the antivirus identified
some *trojan* files, and before this the SMTP server
stopped 10/11 times unexpectedly.

While searching for how to prevent the problem, about ten minutes ago, I saw a denial of service for MailEnable on a security website...
and I have to say that it is quite simple..... just

"mailto: %s%s%s"

to shut down the smtp.

Can you please tell me, for the moment, how to prevent such problems immediately?

I've reinstalled and wasted $90 on support at the datacenter just to hear "we cannot do anything about it, change mail server".

I'm sorry about my previous post; maybe I used the wrong words, dictated by anger and stress, but I've had really a lot of problems.
Please excuse me. I respect other people who are working.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

No worries - I checked our product issue register and a possible security issue was reported 2 days ago, but it related to an old version and had not been confirmed (awaiting more information from the person who reported it).

In any case I have tested the mailto: %s... etc as described against the current build of the SMTP and there appears to be no such issue.

As such, you can download the replacement service executable from:

http://www.mailenable.com/hotfix/mesmtpc_050318.zip

Instructions:

1. Stop SMTP Connector
2. Replace exe in bin directory with that mentioned above (zipped)
3. Start SMTP Connector
Regards, Andrew

jbalarin
Posts: 12
Joined: Tue Nov 19, 2002 10:02 am
Location: Rainy Reading, UK

Post by jbalarin »

Well the vulnerability is now public knowledge. Refer to http://secunia.com/advisories/14627/

I'm running the latest Pro version 1.54 where the SMTP server records itself in the logfile as:

#Software: MailEnable SMTP Server Version 1.0a
#Version: 1.0


My rock solid server rebooted from a bugcheck two days ago and the last "event" in any logs was

03/16/05 02:23:49 SMTP-IN 88420F7E5F5D4CF7B4A6322D89411D.MAI 384 82.224.131.149 220 220 mail.<DOMAINREMOVED> ESMTP Ready at 03/16/05 02:23:49 0 0

*crash*

Associated? Potentially.

I cannot see anything more on my machine, and since it is remote I don't do memory dumps, so I don't know where the error occurred.

Anyone else have issues?
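The two posts above give a defender what is needed to look for this in their own logs: the crash trigger is a run of printf-style conversion specifiers (the "mailto: %s%s%s" string alberto quotes) arriving in an SMTP command, and jbalarin's excerpt shows the column layout of the SMTP-IN log. The scanner below is an added example, not MailEnable's code or anything from this thread; it assumes the column order seen in that one quoted line (date, time, direction, message file, size, remote IP, then the command or response text), which is an assumption rather than a documented schema. The sample log lines are constructed, with IPs from documentation ranges. Single `%` sequences are ignored so that URL-encoded addresses such as `sales%20team` do not trigger; only two or more specifiers in one command are reported.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the single line quoted in the thread.
# Column meanings (date time direction file size ip command-text) are an
# assumption about the layout, not MailEnable's documented log schema.
SAMPLE_LOG = """\
03/16/05 02:23:49 SMTP-IN 88420F7E5F5D4CF7B4A6322D89411D.MAI 384 82.224.131.149 220 220 mail.example.test ESMTP Ready at 03/16/05 02:23:49 0 0
03/16/05 02:23:50 SMTP-IN 88420F7E5F5D4CF7B4A6322D89411D.MAI 384 82.224.131.149 HELO HELO client.example.test 0 0
03/16/05 02:23:51 SMTP-IN 88420F7E5F5D4CF7B4A6322D89411D.MAI 384 82.224.131.149 MAIL MAIL FROM:<%s%s%s%s@example.test> 0 0
03/16/05 02:23:52 SMTP-IN 88420F7E5F5D4CF7B4A6322D89411D.MAI 384 82.224.131.149 RCPT RCPT TO:<user@example.test> 0 0
03/16/05 02:24:10 SMTP-IN 1A2B3C.MAI 512 198.51.100.7 MAIL MAIL FROM:<sales%20team@example.test> 0 0
03/16/05 02:25:03 SMTP-IN 4D5E6F.MAI 640 203.0.113.9 MAIL MAIL FROM:<x%n%n%n@example.test> 0 0
"""

# One printf-style conversion specifier: flags, width, precision, length
# modifier, conversion character.  "%20t" deliberately does not match.
FORMAT_SPEC = re.compile(r'%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXeEfgGcspn]')


def parse_line(line):
    """Split a log line into its six fixed columns plus the free-text tail.

    Returns None for lines that do not have the assumed column count.
    """
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    date, time, direction, msgfile, size, ip, text = parts
    return {"date": date, "time": time, "direction": direction,
            "file": msgfile, "size": size, "ip": ip, "text": text}


def count_specifiers(text):
    """Number of printf-style conversion specifiers in the command text."""
    return len(FORMAT_SPEC.findall(text))


def scan_log(log_text, threshold=2):
    """Return inbound SMTP records whose command text carries a run of
    format specifiers at or above the threshold (default: two)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["direction"] != "SMTP-IN":
            continue
        n = count_specifiers(rec["text"])
        if n >= threshold:
            rec["specifiers"] = n
            findings.append(rec)
    return findings


def offending_sources(findings):
    """Count flagged records per remote IP, for blocking or follow-up."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['date']} {f['time']} {f['ip']} "
              f"specifiers={f['specifiers']} :: {f['text']}")
    print(offending_sources(hits))
```

Run against a real MailEnable log only after checking the column order against a few of your own lines, since the layout here is inferred from one quoted line; the regex and threshold logic do not depend on it.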

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Post by Admin »

There is a fix for this on

http://www.mailenable.com/hotfix

It is actually the same as the earlier Pro/Enterprise hotfix late last year, but the hotfix page did not indicate that this was for Standard, so the page has been updated to reflect this.

For our phpbb forum, some of the updates are done manually, so the version at the bottom of the page is not a true reflection of the pages (sometimes updating phpbb is quicker through making the mods manually).

Edmais

HotFix

Post by Edmais »

Hi, I have just found the hotfix and installed it; it seems to be working. I am impressed by how fast you did it, considering that it is the free version!

You should let Secunia know there is a fix; their recommendation on the security advisory is "use another product".

Guest

Post by Guest »

I see on the hotfix page that the SMTP hotfix is only for 1.8 Standard? Is there one for 1.54 Pro? Or is 1.54 safe from these problems?

Thanks in advance for any answers.

Guest

Post by Guest »

I've installed the hotfix, and it doesn't seem to have any effect.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

The current versions of the Professional and Enterprise Editions do not need the hotfix. In fact the patch has been included in these releases since August last year.

The issue was that Standard Edition's base install was not patched.

If you're running current versions of Pro or Ent, you should not need to do anything. If you're running Standard Edition, you need to apply the hotfix.

You mention that the problem is still occurring - could you log a support request as per http://www.mailenable.com/support and we can investigate why this is occurring (since the hotfix is meant to have addressed this issue).
Regards, Andrew

boonchuan
Posts: 58
Joined: Tue Mar 09, 2004 6:46 am

Post by boonchuan »

Thanks for the hotfix, you are still as fast as ever at settling the problems.

Guest

Another time

Post by Guest »

I have a problem from ME once again.
For 2 days I've had strange problems on the server,
I suppose originating from weird stuff sent to the mail server;
I can see weird characters in the logs.

I've found 2 emails in a new mailbox with
1 trojan and 1 worm attached (??? from the strings in the executable
I read psybnc).
In c:\windows\sysprep\
there are 2 binary files (identical to the files in the emails)
that are renamed as taskmgr.exe and dllhost.exe.
I found those 4 files (2 mails) by scanning with clamav-dev
with the latest virus patterns.
I've reinstalled again from scratch and I still
get weird characters in the log, sent from
some Chinese hosts that I've banned.

Is it possible to add antivirus scans
to ME Standard?


Thank you.

Alberto
