Hacked
I've been hacked through MailEnable.
I found the server crashed, with a cmd shell bound on 9090
and a rootkit and an iroffer installed.
I'm really disappointed and I don't know why you've still
not released a patch.
I suppose that I'm going to use Merak Mail when I find
something to convert the boxes.
Also, your phpBB forum is really outdated, by a lot
of versions that are full of security bugs.
Maybe it's not your business?
I'm really angry about what happened.
-
- Site Admin
- Posts: 4441
- Joined: Tue Jun 25, 2002 3:03 am
- Location: Melbourne, Victoria Australia
It's the 1.8 Standard that is currently on the download page.
I found the problem only because the antivirus identified
some *trojan* files, and before this the SMTP server
stopped 10/11 times unexpectedly.
While searching for how to prevent the problem, about ten minutes ago, I saw a denial of service for MailEnable on a security website...
and I have to say that it is quite simple ..... just
"mailto: %s%s%s"
to shut down the SMTP.
Can you please tell me how to prevent such problems immediately?
I've reinstalled and wasted $90 on support at the datacenter just to hear only "we cannot do nothing about it, change mail server".
I'm sorry about my previous post, maybe I used the wrong words, dictated by anger and stress, but I've had really a lot of problems.
Please excuse me. I respect other people who are working.
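Added example, not part of the original post and not MailEnable code: a capture check that flags client-sent SMTP lines carrying runs of printf-style conversion specifiers, the shape of the `%s%s%s` string quoted above, grouped by source address so the hosts can be blocked. The tab-separated `ip<TAB>line` record format, the threshold of 2 and the sample records are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# One printf-style conversion specification:
#   % [n$] flags width .precision length conversion
SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?"
    r"(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGaAcspn]"
)

def count_specifiers(text):
    """Count conversion specifications, ignoring the literal '%%' escape."""
    return len(SPEC.findall(text.replace("%%", "")))

def flag_clients(records, threshold=2):
    """records: iterable of 'ip<TAB>client line' strings (hypothetical format).

    Returns {ip: [lines]} for lines holding at least `threshold` specifiers.
    A threshold of 2 keeps legacy percent-hack addresses (user%host@relay),
    which contain a single '%', from being reported.
    """
    hits = defaultdict(list)
    for rec in records:
        ip, _, line = rec.partition("\t")
        if count_specifiers(line) >= threshold:
            hits[ip].append(line)
    return dict(hits)

# Constructed sample input (documentation-range addresses, not from the thread).
SAMPLE = [
    "192.0.2.10\tEHLO client.example",
    "192.0.2.10\tMAIL FROM:<alice@example.org>",
    "192.0.2.10\tRCPT TO:<bob%example.net@relay.example>",  # percent-hack routing
    "198.51.100.7\tmailto: %s%s%s",                         # string quoted in the thread
    "203.0.113.5\tMAIL FROM:<sales@example.com> BODY=8BITMIME",
]

if __name__ == "__main__":
    for ip, lines in flag_clients(SAMPLE).items():
        print(ip, lines)
```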
-
- Site Admin
- Posts: 4441
- Joined: Tue Jun 25, 2002 3:03 am
- Location: Melbourne, Victoria Australia
No worries - I checked our product issue register and a possible security issue was reported 2 days ago (but it related to an old version and had not been confirmed, awaiting more information from the person who reported it).
In any case I have tested the mailto: %s... etc as described against the current build of the SMTP and there appears to be no such issue.
As such, you can download the replacement service executable from:
http://www.mailenable.com/hotfix/mesmtpc_050318.zip
instructions:
1. Stop SMTP Connector
2. Replace exe in bin directory with that mentioned above (zipped)
3. Start SMTP Connector
Regards, Andrew
Well the vulnerability is now public knowledge. Refer to http://secunia.com/advisories/14627/
I'm running the latest Pro version 1.54 where the SMTP server records itself in the logfile as:
#Software: MailEnable SMTP Server Version 1.0a
#Version: 1.0
My rock solid server rebooted from a bugcheck two days ago and the last "event" in any logs was
03/16/05 02:23:49 SMTP-IN 88420F7E5F5D4CF7B4A6322D89411D.MAI 384 82.224.131.149 220 220 mail.<DOMAINREMOVED> ESMTP Ready at 03/16/05 02:23:49 0 0
*crash*
Associated? Potentially.
I cannot see anything more on my machine, and since it is remote I don't do memory dumps so I don't know where the error occurred.
Anyone else have issues?
-
- Site Admin
- Posts: 1127
- Joined: Mon Jun 10, 2002 6:31 pm
- Location: Melbourne, Victoria, Australia
There is a fix for this on
http://www.mailenable.com/hotfix
It is actually the same as the earlier Pro/Enterprise hotfix late last year, but the hotfix page did not indicate that this was for Standard, so the page has been updated to reflect this.
For our phpbb forum, some of the updates are done manually, so the version at the bottom of the page is not a true reflection of the pages (sometimes updating phpbb is quicker through making the mods manually).
-
- Site Admin
- Posts: 4441
- Joined: Tue Jun 25, 2002 3:03 am
- Location: Melbourne, Victoria Australia
The current versions of Professional and Enterprise Editions do not need the hotfix. In fact the patch has been included in these releases since August last year.
The issue was that Standard Edition's base install was not patched.
If you're running current versions of Pro or Ent - you should not need to do anything. If you're running Standard Edition, you need to apply the hotfix.
You mention that the problem is still occurring - could you log a support request as per http://www.mailenable.com/support and we can investigate why this is occurring (since the hotfix is meant to have addressed this issue).
Regards, Andrew
Another time
Once again I have a problem with ME.
For 2 days I've had strange problems on the server,
I suppose originating from weird stuff sent to the mail server;
I can see weird characters in the logs.
I've found 2 emails in a new mailbox with
1 trojan and 1 worm attached (??? from the strings in the executable
I read psybnc).
In c:\windows\sysprep\
there are 2 binary files (identical to the files in the emails)
that are renamed as taskmgr.exe and dllhost.exe.
I found those 4 files (2 mails) by scanning with clamav-dev
with the latest virus patterns.
I've reinstalled once more from scratch and I still
get weird characters in the log, sent from
some Chinese hosts that I've banned.
Is it possible to add antivirus scanning
to ME Standard?
Thank you.
Alberto