Mailing List CGatePro@mail.stalker.com Message #103543
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: Tracking down a broken login password and subsequent attack
Date: Tue, 18 Sep 2012 13:19:44 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
This looks like an interesting place to use that authentication script ability.

When an account is logging in, check the source IP and if it is the same as the last time [or from a network of trusted IP addresses], allow it.  If it is different, develop some set of sanity tests that you could use to deny the login.  Something like >3 different IP addresses in the last hour or so would raise a red flag.

Have an INFO level [hey, something appears to be up with this account] and a FATAL level which would actually prevent the account from authenticating.  Both would send you an email.


On 9/18/2012 11:58 AM, Brian Gibson wrote:
We wrote a script that runs every half hour and compares the current webmail from addresses to the addresses from 30 minutes ago and if there is a change it shoots us an email. The hackers usually change the "From:" address so it gives us a pretty quick heads up.

++++++++++++++++++++++++++++
Brian Gibson
Systems Administrator
Wheaton College

Are you a musician? If so visit my Arbans Online music site at http://arbansonline.com and listen & contribute
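The half-hourly From: address comparison described above, as an added example that is not Wheaton College's script. The two snapshots are constructed; how the current settings are pulled out of CommuniGate Pro is left to the caller, and the state-file path is an assumption.

```python
"""Alert when a webmail From: address changes between two snapshots.

Added example (not the script from the thread). The snapshots below are
constructed; in practice `current` would be filled from the server.
"""
import json
import os
import tempfile

# Constructed snapshots: account -> From: address configured in webmail.
PREVIOUS = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "bob@example.com",
    "carol@example.com": "Carol Smith <carol@example.com>",
}
CURRENT = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "Bank Security <no-reply@bank-alerts.invalid>",  # changed by intruder
    "carol@example.com": "Carol Smith <carol@example.com>",
    "dave@example.com": "dave@example.com",                              # new account
}


def diff_from_addresses(previous, current):
    """Return (changed, added): changed is [(account, old, new)], added is [account]."""
    changed = [
        (acct, previous[acct], addr)
        for acct, addr in current.items()
        if acct in previous and previous[acct] != addr
    ]
    added = [acct for acct in current if acct not in previous]
    return changed, added


def load_snapshot(path):
    """Previous run's snapshot, or {} on the very first run."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_snapshot(path, snapshot):
    """Write the snapshot atomically so a crash mid-write cannot corrupt the state file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(snapshot, f)
    os.replace(tmp, path)


def run_once(state_path, current):
    """One cron run: diff against the stored snapshot, then store the current one."""
    previous = load_snapshot(state_path)
    changed, added = diff_from_addresses(previous, current)
    save_snapshot(state_path, current)
    return changed, added


def format_alert(changed, added):
    """Body of the notification mail; None when nothing changed."""
    if not changed and not added:
        return None
    lines = [f"{acct}: {old!r} -> {new!r}" for acct, old, new in changed]
    lines += [f"{acct}: new account" for acct in added]
    return "Webmail From: address changes since last run:\n" + "\n".join(lines)


def demo():
    """Two consecutive runs against a scratch state file; returns both results."""
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, "from_addresses.json")  # assumed state-file location
        first = run_once(state, PREVIOUS)   # no baseline yet: every account shows as new
        second = run_once(state, CURRENT)
    return first, second


if __name__ == "__main__":
    _, second = demo()
    print(format_alert(*second))
```

On the first run there is no baseline, so every account is reported as new; a deployment would normally suppress that one alert. The `From:` string is compared verbatim, so a display-name change is reported too, which is what you want, since the intruder's change is often only in the display name.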
On 9/18/2012 11:52 AM, Matthew Black wrote:
Those with good Unix experience might want to look at John the Ripper, an old password checker to run against your /etc/passwd file.

http://www.openwall.com/john/

Our password change website requires a fairly strong password. We found lots of people using the password a1b2c3d4 and added that to our list of banned PWs.


We occasionally audit the SystemLogs/Logins log files for unusual activity, sorting on various columns to see if one user logins from many different locations or many users login from a single location.

matthew black
california state university, long beach
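The two detections discussed above, Jeff Wark's per-account source-IP sanity test with INFO and FATAL levels and Matthew Black's "one user from many locations / many users from one location" audit of the Logins log, as one added example. This is not code from the thread or from CommuniGate Systems; the log lines are constructed in a simplified format (the real SystemLogs/Logins layout differs, so the regex would need adjusting), and the trusted network and thresholds are assumptions.

```python
"""Flag suspicious logins in a login log (added example; constructed data)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; NOT real CommuniGate Pro SystemLogs/Logins output.
SAMPLE_LOG = """\
2012-09-17 13:00:02 account=alice@example.com proto=IMAP src=192.0.2.10 result=ok
2012-09-17 13:05:40 account=bob@example.com proto=IMAP src=192.0.2.11 result=ok
2012-09-17 13:20:15 account=bob@example.com proto=SMTP src=203.0.113.5 result=ok
2012-09-17 13:31:09 account=bob@example.com proto=SMTP src=198.51.100.77 result=ok
2012-09-17 13:44:51 account=bob@example.com proto=SMTP src=198.51.100.200 result=ok
2012-09-17 13:50:00 account=carol@example.com proto=POP src=203.0.113.9 result=ok
2012-09-17 13:51:00 account=dave@example.com proto=POP src=203.0.113.9 result=ok
2012-09-17 13:52:00 account=erin@example.com proto=POP src=203.0.113.9 result=ok
2012-09-17 13:53:00 account=frank@example.com proto=POP src=203.0.113.9 result=ok
2012-09-17 13:55:00 account=alice@example.com proto=IMAP src=192.0.2.10 result=ok
2012-09-17 14:10:00 account=alice@example.com proto=IMAP src=198.51.100.3 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) account=(?P<acct>\S+) "
    r"proto=(?P<proto>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$"
)

TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # assumed office network
WINDOW = timedelta(hours=1)
MAX_IPS_PER_ACCOUNT = 3    # >3 distinct IPs per account in an hour -> FATAL
MAX_ACCOUNTS_PER_IP = 3    # >3 distinct accounts from one IP in an hour -> INFO


def parse(log_text):
    """Yield (timestamp, account, source_ip, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["acct"], m["src"], m["res"]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def analyze(log_text):
    """Return alerts as (level, account_or_ip, message) tuples, in log order."""
    alerts = []
    per_acct = defaultdict(deque)  # account -> (ts, ip) successes inside the window
    per_ip = defaultdict(deque)    # source ip -> (ts, account) successes inside the window
    last_ip = {}
    for ts, acct, src, res in parse(log_text):
        if res != "ok":
            continue  # failures are a separate signal (lockout via Blacklisted settings)
        q = per_acct[acct]
        while q and ts - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        q.append((ts, src))
        qi = per_ip[src]
        while qi and ts - qi[0][0] > WINDOW:
            qi.popleft()
        qi.append((ts, acct))

        prev = last_ip.get(acct)
        last_ip[acct] = src
        distinct_ips = {ip for _, ip in q}
        if len(distinct_ips) > MAX_IPS_PER_ACCOUNT:
            alerts.append(("FATAL", acct, f"{len(distinct_ips)} distinct IPs in the last hour"))
        elif prev is not None and prev != src and not is_trusted(src):
            alerts.append(("INFO", acct, f"source changed {prev} -> {src}"))
        distinct_accts = {a for _, a in qi}
        if len(distinct_accts) > MAX_ACCOUNTS_PER_IP:
            alerts.append(("INFO", src, f"{len(distinct_accts)} accounts logged in from this IP"))
    return alerts


def fatal_accounts(alerts):
    """Accounts an authentication script would refuse (FATAL level)."""
    return {who for level, who, _ in alerts if level == "FATAL"}


if __name__ == "__main__":
    for level, who, msg in analyze(SAMPLE_LOG):
        print(f"{level:5} {who}: {msg}")
```

Only successful logins feed the counters: an account that just moved from the office LAN to one outside address draws an INFO, and bob's four distinct sources within the hour trip FATAL, while a single outside address used by four different accounts in a few minutes is the "many users from one location" pattern. The thresholds are low because the sample is small; tune them against your own Logins history before wiring the FATAL level into an auth script.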


-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Philip Slater
Sent: Monday, September 17, 2012 3:48 PM
To: CommuniGate Pro Discussions
Subject: Re: Tracking down a broken login password and subsequent attack

Couple of things to keep in mind about SMTP AUTH attacks.

First is that they are becoming more and more commonplace.

Second is that spammers are faster/smarter than the typical user when it comes to passwords. Keep in mind that on Settings/Network/Blacklisted you can lock out systems that have too many password failures.

So things to keep in mind for those running 5.3.x or 5.4.x

There is an outbound flow control for individual accounts now. Since it used to be a server-wide setting and we did not want to catch people off guard, the outbound limit is unlimited.

Of course this can be changed as a default value, with other accounts being higher if need be, to something more reasonable like 20 messages in 5 minutes. If the limit is reached, no further messages are accepted for XX period of time. XX period of time being the second value, so from the example they would not be able to send for 5 minutes.

But this only addresses the number of messages possible to transmit.

Password security is the big item in this as it is really surprising in my experience just how many people use weak passwords.

Fortunately, in version 6.0 we will have a password strength option.

Also, for those interested, please email me directly if you would like a script that checks the password against the user name as well as against the top 500 commonly used passwords. (Works against plain-text and A-CRPT stored passwords.)

One side note to pass on to your users and a joke I like to tell regarding security.

Teach users about simple '1337/leet' speak. i.e. use symbols and numbers for letter/phrase replacement: 2b0rn0t2b !!m@xw3|| th1$&th@

Joke: The IT specialist in charge of security is walking around the office when he sees one of the dimmer users start typing an exceptionally long password into the system. He says to the user, 'I am impressed with the length of your password. While I can retrieve it from the source, I would like to ask what it is and how you came up with it.' The user responds, 'Well, it is mickeyminnydonaldgoofyhughiedeweylouiesacrament, and I don't know why you are impressed with it, since it was your password policy letter that told me how to set it up.' 'Really? Do tell,' asked the specialist. 'Well, you said it had to be seven characters long and include a capital.'

Phil
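The two password checks mentioned in this thread, Matthew Black's banned-password list (with a1b2c3d4 on it) and Phil's check of a candidate password against the user name and a list of common passwords, as one added example. This is not Phil's script and not CommuniGate Systems code: the banned list is a constructed stand-in for the "top 500", the length and character-class rules are assumptions, and it checks cleartext candidates at password-change time only; auditing passwords already stored in A-CRPT form is not shown here. It goes one step past the text by undoing common '1337 substitutions before the dictionary lookup, which is what cracking rule sets do anyway.

```python
"""Password-policy check against the user name and a banned list (added example)."""
import re

# Constructed stand-in for the "top 500 commonly used passwords" list.
BANNED = {
    "password", "123456", "12345678", "qwerty", "letmein", "abc123",
    "a1b2c3d4", "iloveyou", "welcome", "monkey", "dragon", "football",
}

# Common leet substitutions, undone before the dictionary lookup so that
# "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "|": "l",
})

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalize(password):
    """Lower-case and undo leet substitutions."""
    return password.lower().translate(LEET)


def check_password(username, password, min_len=8, min_classes=3):
    """Return a list of policy violations; an empty list means the password is acceptable.

    min_len and min_classes are assumed policy values, not CommuniGate defaults.
    """
    problems = []
    lowered = password.lower()
    norm = normalize(password)
    local = username.split("@", 1)[0].lower()   # "jsmith" from "jsmith@example.com"

    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if lowered in BANNED or norm in BANNED:
        problems.append("on the banned-password list")
    if len(local) >= 3 and (local in lowered or local in norm or local[::-1] in norm):
        problems.append("contains the user name")
    classes = sum(bool(re.search(p, password)) for p in CLASSES)
    if classes < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


def audit(accounts):
    """Run check_password over (username, cleartext password) pairs.

    Returns {username: [problems]} for the accounts that fail.
    """
    return {u: p for u, pw in accounts if (p := check_password(u, pw))}


# Constructed accounts for the demonstration; not real credentials.
SAMPLE_ACCOUNTS = [
    ("jsmith@example.com", "P@ssw0rd"),
    ("jsmith@example.com", "jsmith2012!"),
    ("mjones@example.com", "!!m@xw3||"),
    ("bob@example.com", "a1b2c3d4"),
    ("bob@example.com", "Abc1!"),
]

if __name__ == "__main__":
    for user, pw in SAMPLE_ACCOUNTS:
        print(f"{user:22} {pw!r:16} -> {check_password(user, pw) or 'OK'}")
```

The leet reversal matters for the banned-list check: "P@ssw0rd" passes a naive length-and-classes rule and only fails because it normalises to "password". The reversed-user-name test catches "htimsj" style variants that a plain substring check misses.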

On Sep 17, 2012, at 1:12 PM, Sean Ackley <sean@ackind.net> wrote:

I would look into spy/malware, they can get such information very easily. CGP is pretty secure. If they are using un-encrypted username/password, then it could have come off the wire, or once again a style of malware which sniffs the data stream.


On Sep 17, 2012, at 12:56 PM, Jeff Porten wrote:

Possible, but we think that's unlikely. The account-holder in question
knows that such things get run by IT first - very small office and he's
just down the hall.

So far, it looks like an individual account compromise, but we'd
really sleep better if we could figure out the transport mechanism
over which it occurred. I expected to see a few thousand failed logins
from a dictionary attack prior to the SMTP logins, but that's not the
case.

Thanks,
Jeff Porten

On Mon, Sep 17, 2012 at 3:08 PM, Jeff Wark <jwark@tbaytel.net> wrote:
So, was the server itself compromised [at a system account level] or was it
strictly an email account that was compromised?

If it was an email account compromise, it could simply be the user
responding to one of those phishing attempts along the lines of "To verify
your account, just send your username/password to the following address"



On 9/17/2012 2:24 PM, Jeff Porten wrote:
I'm trying to track down technical details on a security break-in we
experienced last week on a client's CGP server, used only for email.
OS X, CGP 5.3.something.

We presumed a dictionary attack, but don't see a large number of
rejected login attempts on our server - although we do see rejected
individual login attempts on IMAP, POP, and SMTP. I'm also somewhat
confused that I can't seem to set up an SMTP transaction from
off-network without first logging in by IMAP or POP - although it
appears in our logs that the attacker used a username and password to
register for an SMTP transaction all in one go.

In any case, changing the password on that specific account shut down
the SMTP attack, so what we're doing now is wholly forensic.

Log level set to Problems for SMTP and most other relevant modules. I
presume this means that I might be missing some log information I'd
prefer to have - but the information I do have is rather confusing.
Help?

Thanks,
Jeff Porten


________________________________________________________

Philip Slater
Professional Services
CommuniGate Systems
p 1 415 383 7164 ext 201
p 1 800 262 4722 ext 201
f 1 415 383 7461
SIP & Email pslater@communigate.com
AIM: stalkersoftware




#############################################################
This message is sent to you because you are subscribed to
   the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to <CGatePro-request@mail.stalker.com>
