The Community Forums


can you help with compromised email acct

Discussion in 'E-mail Discussions' started by 4u123, Aug 13, 2008.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    Hi,

    Just had a customer saying that he was receiving a load of bounce messages for mail he didn't send. I told him that this is probably just spoofed mail using his domain as a return address, but I checked the mail queue just in case.

    There were about 10 emails in the queue with hundreds of recipients listed alphabetically. I copied the headers out of one and deleted them straight away.

    The headers seem to show that the customer's webmail has been compromised...

    By looking at the above it seems the person who compromised the account connected to the customer's webmail from 208.78.58.128 and simply logged into Horde and sent out the messages.

    His Recent Visitors info in cPanel showed this...

    So is this a simple case of a guessed password? The customer says his password is hard to guess.

    He's blaming us for having poor security and saying he's going to move elsewhere - typical.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    What's his default address setting set to in Mail settings?
    Check Default Address; it should be: Send all unrouted email for: (hisdomain.com) Current setting: :fail:
     
  3. 4u123

    4u123 Well-Known Member
    PartnerNOC

    With all due respect, I don't think you read my post correctly.
     
  4. sparek-3

    sparek-3 Well-Known Member

    Since the password needs to be changed anyway for the account, ask the user what password is being used for the mail account. See how well it stacks up to the new cPanel password strength meter.

    If you haven't already, look into enabling a minimum password strength using the Password Strength Configuration link in the Security Center in root's WHM.
     
  5. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Yes, I thought of asking him what password he was using, but I don't think this particular customer would have given me an honest answer. He seemed more intent on blaming us for the problem.

    This link brings up a worrying possibility....

    http://forums.cpanel.net/showthread.php?t=77103

    However, I must say I checked all the logs, and the domlog for the user showed the IP address only connecting once to /webmail and not to anything else. Now that I've had time to think about it, it looks to me like the spammer actually knew the password.

    There is no trace of any connection to the server from that IP other than to go to "http://domain/webmail". I think they probably got in by a keylogger or trojan on the customer's computer and already had his password. I'd warn him of a possible vulnerability on his computer, but he was such an asshole about this I think he will have to find out for himself.
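The triage described in the posts above (copy the headers of a queued message, find the IP the message was submitted from, then look for that IP in the domain's access log), worked through as an added example. This is not code from the thread or from cPanel; all sample data below is constructed, and the hostnames, the Exim message id and the exact wording of the Received lines are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample header block (not from the thread). It imitates what a message sent
# through a server-side webmail client can carry: the hop from the browser's IP appears as
# the bottom-most Received line. Hostnames, message id and Received wording are assumptions.
SAMPLE_HEADERS = """\
Received: from localhost ([127.0.0.1] helo=server.example.com)
    by server.example.com with esmtpa (Exim 4.69)
    (envelope-from <user@example.com>)
    id 1KT0aX-0001aQ-4Z; Wed, 13 Aug 2008 10:15:22 +0100
Received: from 208.78.58.128 ([208.78.58.128])
    by webmail.example.com (Horde MIME library) with HTTP;
    Wed, 13 Aug 2008 10:15:20 +0100
From: user@example.com
To: aaron@example.org, abby@example.org, abe@example.org
Subject: constructed sample
"""

# Constructed Apache "combined" log lines, the layout of a cPanel domlog.
SAMPLE_DOMLOG = """\
208.78.58.128 - - [13/Aug/2008:10:14:55 +0100] "GET /webmail HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [13/Aug/2008:10:20:03 +0100] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Aug/2008:10:20:04 +0100] "GET /images/logo.png HTTP/1.1" 200 8841 "http://example.com/index.html" "Mozilla/5.0"
"""

DOMLOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
BRACKETED_IPV4_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def unfold(header_text):
    """Join RFC 5322 continuation lines (leading whitespace) onto the line they continue."""
    lines = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(header_text):
    """IPv4 addresses in [brackets] from each Received: line, top of the block first."""
    ips = []
    for line in unfold(header_text):
        if line.lower().startswith("received:"):
            m = BRACKETED_IPV4_RE.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def client_ip(header_text):
    """The public IP closest to the sender: the bottom-most globally routable Received hop.
    Loopback and private hops (the MTA talking to itself or to a webmail frontend) are skipped."""
    public = [ip for ip in received_ips(header_text) if ipaddress.ip_address(ip).is_global]
    return public[-1] if public else None


def recipient_count(header_text):
    """Number of comma-separated addresses on the To: line (mass mailings list hundreds)."""
    for line in unfold(header_text):
        if line.lower().startswith("to:"):
            return sum(1 for a in line[3:].split(",") if a.strip())
    return 0


def parse_domlog(text):
    """Parse combined-format access log lines; lines that do not match are ignored."""
    return [m.groupdict() for m in map(DOMLOG_RE.match, text.splitlines()) if m]


def requests_from(hits, ip):
    """Everything one client IP requested, as (time, method, path, status) tuples."""
    return [(h["time"], h["method"], h["path"], h["status"]) for h in hits if h["ip"] == ip]


def triage(header_text, domlog_text):
    """Tie the message's origin IP to the site's access log, as done by hand in the thread."""
    ip = client_ip(header_text)
    return {
        "origin_ip": ip,
        "recipients": recipient_count(header_text),
        "domlog_requests": requests_from(parse_domlog(domlog_text), ip) if ip else [],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS, SAMPLE_DOMLOG)
    print("origin IP from Received chain:", result["origin_ip"])
    print("recipients on To: line:", result["recipients"])
    for t, method, path, status in result["domlog_requests"]:
        print(f"  {t} {method} {path} -> {status}")
```

On the server itself the queue is listed with `exim -bp` and a queued message's headers are dumped with `exim -Mvh <message-id>`; those are the lines to feed to `client_ip()`. Note that a single hit on `/webmail` in the domlog, as in the post, is consistent with a webmail login: on cPanel that path only redirects to the webmail service, which runs on its own port and keeps its own logs, so the login and the session after it will not appear in the domain's access log at all.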
     
  6. sparek-3

    sparek-3 Well-Known Member

    That's really all you can do. You can show the user the log entry that shows the 208.78.58.128 IP logging into webmail. Ask the user if they know who this IP belongs to. The IP seems to be from the XICOM TECHNOLOGY CANADA LIMITED ISP.

    A keylogger or trojan on the user's computer (or the user of that particular e-mail address, might not be the owner of the account) is possible.
     