Koozali.org: home of the SME Server

Mark Leman

Is someone trying to break into my webmail?
« on: September 25, 2002, 10:44:24 PM »
I noticed over the last 3 days that our main website, which normally has 3 or 4 visits and very few 'hits', has shot up to 2500, 5500, 3500 hits for the last three days. Looking at and grepping the access_log file shows many repeated entries like the ones below, with a gap of a few seconds between each one. Looks to me like someone is trying to get into the external web mail interface? How secure is IMP? Are there any known exploits which have attracted this attention? Can external access to web mail be turned off in e-smith 5.5?

Replaced our domain with 'mydomain', although I'm sure anyone here could find the real one with no effort.


www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:41 +0100] "GET /horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06 HTTP/1.1" 200 36443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:48 +0100] "GET /horde/css.php?app=imp HTTP/1.1" 200 2677 "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:54 +0100] "GET /horde/imp/graphics/folders/inbox.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:55 +0100] "GET /horde/imp/graphics/compose.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:55 +0100] "GET /horde/imp/graphics/folders.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:56 +0100] "GET /horde/graphics/prefs.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:57 +0100] "GET /horde/imp/graphics/search.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:57 +0100] "GET /horde/graphics/help.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:57 +0100] "GET /horde/turba/graphics/turba.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:57 +0100] "GET /horde/graphics/logout.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:58 +0100] "GET /horde/imp/graphics/folders/folder_open.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:58 +0100] "GET /horde/imp/graphics/reload.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:58 +0100] "GET /horde/imp/graphics/filters.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:58 +0100] "GET /horde/imp/graphics/first.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:59 +0100] "GET /horde/imp/graphics/prev.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:59 +0100] "GET /horde/imp/graphics/next-grey.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:59 +0100] "GET /horde/imp/graphics/last-grey.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:14:59 +0100] "GET /horde/imp/graphics/checkbox.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:15:00 +0100] "GET /horde/imp/graphics/up.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
www.mydomain.co.uk 193.195.0.102 - - [25/Sep/2002:14:15:01 +0100] "GET /horde/imp/graphics/answered.gif HTTP/1.1" 304 - "http://www.mydomain.co.uk/horde/imp/mailbox.php?page=6&uniq=16012172263d91b587d8e06" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Nathan Fowler

Re: Is someone trying to break into my webmail?
« Reply #1 on: September 25, 2002, 11:38:03 PM »
Those aren't break-ins.  Someone is using the webmail service.  If you look at the GET statements, they're pulling down the images.  The large URL and query string is the referring URL.

Hope this helped,
Nathan
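
Nathan's reading of the log can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from the SME Server project: it parses the vhost-prefixed combined log format quoted above and, per client IP, separates page loads from the embedded images and stylesheets, counts the 304 (Not Modified, "use your cached copy") answers, and collects the pages those assets were fetched for (the Referer). The sample lines are constructed, using RFC 5737 test addresses and `www.example.test` instead of the real client and domain.

```python
import re
from collections import defaultdict

# Apache combined log with a leading vhost field, as in the access_log lines
# quoted above. Group names are this example's own.
LOG_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
ASSET_SUFFIXES = ('.gif', '.png', '.jpg', '.css', '.js', '.ico')

# Constructed sample: one real webmail session (mailbox page, then its images
# answered 304 = "unchanged, use your cached copy", all referring back to the
# page) and one client requesting distinct pages with no referer and no images.
SAMPLE_LOG = """\
www.example.test 198.51.100.7 - - [25/Sep/2002:14:14:41 +0100] "GET /horde/imp/mailbox.php?page=6 HTTP/1.1" 200 36443 "-" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [25/Sep/2002:14:14:48 +0100] "GET /horde/css.php?app=imp HTTP/1.1" 200 2677 "http://www.example.test/horde/imp/mailbox.php?page=6" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [25/Sep/2002:14:14:54 +0100] "GET /horde/imp/graphics/folders/inbox.gif HTTP/1.1" 304 - "http://www.example.test/horde/imp/mailbox.php?page=6" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [25/Sep/2002:14:14:55 +0100] "GET /horde/imp/graphics/compose.gif HTTP/1.1" 304 - "http://www.example.test/horde/imp/mailbox.php?page=6" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [25/Sep/2002:14:14:55 +0100] "GET /horde/imp/graphics/folders.gif HTTP/1.1" 304 - "http://www.example.test/horde/imp/mailbox.php?page=6" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [25/Sep/2002:14:14:56 +0100] "GET /horde/graphics/prefs.gif HTTP/1.1" 304 - "http://www.example.test/horde/imp/mailbox.php?page=6" "Mozilla/4.0"
www.example.test 203.0.113.9 - - [25/Sep/2002:15:01:02 +0100] "GET /horde/login.php HTTP/1.0" 200 1200 "-" "-"
www.example.test 203.0.113.9 - - [25/Sep/2002:15:01:03 +0100] "GET /horde/status.php HTTP/1.0" 404 300 "-" "-"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Per client IP: page loads, asset loads, assets answered 304, referring pages."""
    stats = defaultdict(lambda: {"pages": 0, "assets": 0, "asset_304": 0, "referers": set()})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[rec["ip"]]
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if path.lower().endswith(ASSET_SUFFIXES) or path.endswith("/css.php"):
            s["assets"] += 1
            s["asset_304"] += int(rec["status"] == "304")
            if rec["referer"] != "-":
                s["referers"].add(rec["referer"].split("?", 1)[0])
        else:
            s["pages"] += 1
    return dict(stats)

def looks_like_browsing(s):
    """Browser shape: one page, then many assets (mostly 304 once cached) that
    all refer back to it. Many distinct pages and no assets does not fit."""
    return (s["assets"] >= 5 and s["assets"] > s["pages"]
            and 2 * s["asset_304"] >= s["assets"] and len(s["referers"]) <= 2)
```

Run over a real access_log with `summarize(open("access_log"))`; the session in the post (one mailbox.php load, then a run of 304 image fetches all carrying the mailbox URL as Referer) falls on the browsing side of the heuristic, which is exactly Nathan's point.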

Mark Leman

Re: Is someone trying to break into my webmail?
« Reply #2 on: September 26, 2002, 03:12:21 AM »
But 193.195.0.102 is outside my network and no one should be using the webmail interface from outside. Is it possible to turn off access to IMP from outside my network?

Mark Leman

NickR

Re: Is someone trying to break into my webmail?
« Reply #3 on: September 26, 2002, 04:10:10 AM »
Even stranger is that that IP is one of Demon Internet's http://demon.net web cache servers, which implies that something odd is going on with their server.  You may want to contact them and ask them to stop it.

In any case, you need to make webmail accessible via HTTPS only (the recommended setting).  You can't restrict webmail to the LAN only, so you need to make it as secure as you can.  This will have the side benefit of stopping all that web cache traffic.  Look in ssl_engine_log and you should only see valid connects.