Forcing a logout (invalidating current session)

We had a user account compromised somehow (bad guys got the password). The user has changed their password.

How can I kick off any logged-in sessions and make sure they can't login without knowing the new password?

I zapped the security tokens in user prefs (seemed like a good idea).

(BTW, interesting spammer technique - replaced the squirrelmail signature with the message, then sent empty messages.)

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Re: Forcing a logout (invalidating current session)

The spammer will be kicked out if he or she tries to open any page with IMAP authentication. Left folder listing, mailbox listing, message display, or sending a message and saving it in the Sent folder will destroy the session.

If you want to be sure, find old PHP session files with the compromised username and delete them.

--
Tomas
Re: Forcing a logout (invalidating current session)

On Fri, 30 Oct 2009, Tomas Kuliavas wrote:

> Spammer will be kicked out, if he or she tries to open any page with imap
> authentication. Left folder listing, mailbox listing, message display or
> sending message and saving it in Sent folder will destroy session.

Unless they use imapproxy, which a great deal do.

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!
Re: Forcing a logout (invalidating current session)

On Fri, Oct 30, 2009 at 2:07 PM, Andrew Daviel <advax@...> wrote:

>
> We had a user account compromised somehow (bad guys got the password).
>
> The user has changed their password.
> How can I kick off any logged-in sessions and make sure they can't login
> without knowing the new password ?

As others have suggested, restart imapproxy if you use it and grep for PHP session files with the username in them and delete those. That's probably the least intrusive (to any other users) method.

> I zapped the security tokes in user prefs (seemed like a good idea)
>
> BTW, interesting spammer technique - replaced the squirrelmail signature
> with the message, then sent empty messages)

You can (could have) stopped this almost right away with MTA rate-limiting or by using the Restrict Senders plugin. The Squirrel Logger plugin could also have alerted you to the problem. If the attacker got the password by guessing on the login page, you can use the Lockout and/or CAPTCHA plugins to block such attempts.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
Re: Forcing a logout (invalidating current session)

On Sat, 31 Oct 2009, Paul Lesniewski wrote:

> On Fri, Oct 30, 2009 at 2:07 PM, Andrew Daviel <advax@...> wrote:
>>
>> We had a user account compromised somehow (bad guys got the password).
>>
>> The user has changed their password.
>> How can I kick off any logged-in sessions and make sure they can't login
>> without knowing the new password ?
>
> As others have suggested, restart imapproxy if you use it and grep for
> PHP session files with the username in them and delete those. That's
> probably the least intrusive (to any other users) method.

Thanks to Tomas' suggestion, I ran phpinfo.php and found the session logs in /var/lib/php/session. Format is ugly but a grep for '"username";user_is_logged_in" seems to work.

When I click on "compose" after locking my account (no imapproxy) I get an immediate failure, so I'm not sure killing the session files is necessary, but it won't hurt.

I also found a good number of deferred messages (naturally) in the sendmail queue I was able to remove. I found docs on how to move them to a quarantine queue in the sendmail manpages, but not how to actually delete them. Zapped them with a bit of sed/grep pipefitting.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
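As an added example (not code posted by anyone in this thread), here is a POSIX sh script for the "find the PHP session files carrying the compromised username and delete them" step discussed above, with the match tightened so that a search for user bob does not also log out bobby. It assumes PHP's default "files" session handler and serializer, where a string is stored as s:<length>:"<value>";, and it runs against constructed session files in a scratch directory rather than a real /var/lib/php/session.

```shell
#!/bin/sh
# Added example: remove the PHP session files of one compromised user without
# touching other users' sessions. Assumes the PHP "files" session handler with
# the default serializer (string values look like s:3:"bob";). The demo data
# below is constructed; key names follow the grep used in the thread.

# Print the session files under $1 whose serialized username is exactly $2.
find_user_sessions() {
    dir=$1
    user=$2
    # Serialized form is s:<byte length>:"<value>"; matching it exactly means
    # "bob" cannot match "bobby" or a username merely mentioned in a value.
    len=$(printf '%s' "$user" | wc -c | tr -d ' ')
    pattern="s:${len}:\"${user}\";"
    grep -lF -- "$pattern" "$dir"/sess_* 2>/dev/null
}

# Delete those files (server-side logout); print how many were removed.
kill_user_sessions() {
    count=0
    for f in $(find_user_sessions "$1" "$2"); do
        rm -f -- "$f" && count=$((count + 1))
    done
    echo "$count"
}

# Constructed demo: two sessions for bob, one for bobby. Prints "<removed> <left>".
demo() {
    d=$(mktemp -d)
    printf 'username|s:3:"bob";user_is_logged_in|b:1;'   > "$d/sess_aaa111"
    printf 'username|s:5:"bobby";user_is_logged_in|b:1;' > "$d/sess_bbb222"
    printf 'username|s:3:"bob";user_is_logged_in|b:1;'   > "$d/sess_ccc333"
    removed=$(kill_user_sessions "$d" bob)
    left=$(ls "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$removed $left"
}
```

Where imapproxy is in use, the cached IMAP connection must also be dropped (restart imapproxy), as Res and Paul point out; deleting the session files alone only covers the PHP side.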
SM in phishing attacks - obtaining passwords

On Sat, 31 Oct 2009, Paul Lesniewski wrote:

(re. Forcing a logout)

> You can (could have) stopped this almost right away with MTA
> rate-limiting or by using the Restrict Senders plugin. The Squirrel
> Logger plugin could also have alerted you to the problem. If the
> attacker got the password by guessing on the login page, you can use
> the Lockout and/or CAPTCHA plugins to block such attempts.

We only have ~1K accounts and haven't had this trouble before, so had nothing in place to deal with it. I think our MTA rate-limits before expanding recipient lists so didn't kick in, or not much.

As far as I can tell from webserver logs, there was no significant attempt at brute-forcing accounts. At least, not recently. Most of the accounts used had 8-character random passwords that we assigned - unlikely to be brute-forced in any case, if the pattern I've seen in SSH is any clue.

I was wondering what other admins' experience has been with compromised SM accounts, and how spammers are able to obtain passwords. Certainly, we see a lot of webmail phishing from .edu domains, although I don't believe we ourselves have ever been previously compromised like this.

I'm still somewhat concerned; it's as if the spammers deliberately chose to use some lightly-used accounts where the owners might not notice, and perhaps have a pool of others available. It would be nice to assume that the problem is all client-end - malware, conficker worm, or phishing - but the small volume on these accounts implies a reduced chance of receiving phishing messages or infected attachments compared to the typical always-online user.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
Re: SM in phishing attacks - obtaining passwords

On Nov 5, 2009, at 6:48 PM, Andrew Daviel wrote:

> I was wondering what other admin's experience has been with compromised
> SM accounts, and how spammers are able to obtain passwords.

Spear phishing... Your user gave it to them. Search for it in their Sent mail. I expect you'll find it in the past couple of months.

> Certainly, we see a lot of webmail phishing from .edu domains,
> although I don't believe we ourselves have ever been previously
> compromised like this.
>
> I'm still somewhat concerned; it's as if the spammers deliberately
> chose to use some lightly-used accounts where the owners might not
> notice, and perhaps have a pool of others available.

It's not 'as if', they actively are. High-Ed and K12 have been dealing with this for years now. They do have a pool of accounts. They may obtain a password for an account and not actually use it to send spam or other phishing attempts until a month or two later.

They're targeting webmail users, seemingly SM users in particular. They send e-mails claiming to be your support staff saying that they need to upgrade the mail system, fix some broken part of it, etc and need the user to confirm their account information in order to keep their account. You'd be surprised at how many happily oblige.

These people are not really very sophisticated. They depend on the gullibility of the users to get the account info and manually send spam from the accounts. For SM, they typically change the reply-to address and use the signature for the spam payload. That way, they just need to copy/paste the To:/Bcc: addresses...

> It would be nice to assume that
> the problem is all client-end - malware, conficker worm, or phishing -
> but the small volume on these accounts implies a reduced chance of
> receiving phishing messages or infected attachments compared to the
> typical always-online user.

Spear phishing has been our experience 100% of the time.

--
Marc