Email accounts exploited on a schedule

[Serra]

I'm having a strange issue. One of my cPanel accounts (with 4 mail accounts) is being exploited every week. Like clockwork, Monday morning, first thing.

Mail is being sent from SMTP from their accounts.

This is the fifth week it has happened, and I'm not sure how it is happening. We have done the following:

1. Verify password strength, passwords are random letters, characters, and numbers, 16-18 characters long.
2. The client does not know their passwords. Their computer guy put it in their Outlook and I put it into their phones. (No device has all 4 passwords on it, so one device can't be at fault)
3. Passwords are transported securely between us technical people, we've used a different method after each event.
4. We wiped all of the workstations involved and done a clean install of Windows 7, and a stronger virus scanner.
5. We've checked their network for an intrusion.
6. The server is using TLSv1.2 only for SMTP.
7. Their website is a clean simple PHP site, with no exploits. I manually scanned it and looked for hack files.
8. Their passwords are exploited, not changed. Hackers are logging into Exim and sending mail. (from a botnet of about 2200 machines/IPs.)
9. This account was moved to our most secure PCI complaint server after the first event.
10. The two technical people involved have been working together for 12 years, so it isn't an inside job. I run the servers, he does PC support and is 100% trusted.


Given all of that, I see no way for hackers to hack these accounts. If it was a server exploit, it would have to be two of our servers, then why only attack this one account.

I doubt this is personally targeted at this client, all that is happening is spam is being sent. If they are getting their email passwords, they could do far worse.

What am I missing here?

 

[cPanelLauren]

Hello,

To confirm all machines that are running outlook have been confirmed to be clean? Also have you checked their crontab to ensure a cronjob wasn't present on the account before it was moved as well as can you ensure the contact information for the domain is valid?

Thanks!

 

[danielpmc]

I'm having a strange issue. One of my cPanel accounts (with 4 mail accounts) is being exploited every week. Like clockwork, Monday morning, first thing.

Mail is being sent from SMTP from their accounts.

This is the fifth week it has happened, and I'm not sure how it is happening. We have done the following:

1. Verify password strength, passwords are random letters, characters, and numbers, 16-18 characters long.
2. The client does not know their passwords. Their computer guy put it in their Outlook and I put it into their phones. (No device has all 4 passwords on it, so one device can't be at fault)
3. Passwords are transported securely between us technical people, we've used a different method after each event.
4. We wiped all of the workstations involved and done a clean install of Windows 7, and a stronger virus scanner.
5. We've checked their network for an intrusion.
6. The server is using TLSv1.2 only for SMTP.
7. Their website is a clean simple PHP site, with no exploits. I manually scanned it and looked for hack files.
8. Their passwords are exploited, not changed. Hackers are logging into Exim and sending mail. (from a botnet of about 2200 machines/IPs.)
9. This account was moved to our most secure PCI complaint server after the first event.
10. The two technical people involved have been working together for 12 years, so it isn't an inside job. I run the servers, he does PC support and is 100% trusted.


Given all of that, I see no way for hackers to hack these accounts. If it was a server exploit, it would have to be two of our servers, then why only attack this one account.

@Serra

If you go to the official Microsoft website search for the Fiddler download. I have used this on XP and Windows 7 Basic. What it does is shows you live raw traffic info coming and going out of your computer/workstation. Take a few days to learn it and then run it on Monday or any other days for that matter. You should be able to catch enough details about where the traffic is coming/going from your workstations.

 

[Serra]

To confirm all machines that are running outlook have been confirmed to be clean? Also have you checked their crontab to ensure a cronjob wasn't present on the account before it was moved as well as can you ensure the contact information for the domain is valid?

The computer guy did scan both Windows machines and found nothing. I didn't check their crontab, but it is empty, just checked. The contact info on the domain is fine. It's in my GoDaddy account. Also the site was scanned for viruses and CXS scanned it as well when it was moved.

 

[Serra]

@Serra

If you go to the official Microsoft website search for the Fiddler download. I have used this on XP and Windows 7 Basic. What it does is shows you live raw traffic info coming and going out of your computer/workstation. Take a few days to learn it and then run it on Monday or any other days for that matter. You should be able to catch enough details about where the traffic is coming/going from your workstations.

After the first attack, we installed Glasswire on the machines to look for anything that was communicating out and found nothing, after checking each week after the event. The two machine (it would require access to two machines to get the three passwords that were exploited) were totally clean. Nothing found on scans and no strange communication found in Glasswire.

We also checked for Evil Maid Attacks, and only one person had access, he is a cleaning guy who is around 70, they are pretty sure he doesn't even use computers and it is doubtful he would be in league with a huge botnet.

 

[cPanelLauren]

Hi @Serra

This is definitely an interesting situation. What do the emails look like? Do you have the headers available? If you do and you post them please remove any identifying information.

Thanks!

 

[Serra]

This is definitely an interesting situation. What do the emails look like? Do you have the headers available? If you do and you post them please remove any identifying information.

Here is the header:

Received: from [39.44.xxx.xxx] (port=17873 helo=10.0.0.54)
   by mag.ourserver.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
   (Exim 4.91)
   (envelope-from <[email protected]>)
   id 1fcUGd-004HRU-LO
   for [email protected]; Mon, 09 Jul 2018 06:23:44 -0500
Date: Mon, 09 Jul 2018 16:23:42 +0500
From: Gail Pitzl <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
Subject: Invoice 5799553 from Gail Pitzl
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_005C_B6069156.A0C16F91"

The messages are a mix of these 'your invoice' type of email that contains a text attachment with a link to a scam site. In the past, they were sending doc files with infection macros, but this latest batch is text files.

Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.

http://www.domain.pl/files/EN_en/STATUS/Invoice/
CNN Report

Regards

Gail Pitzl

From:
39.44.xxx.xxx  Karachi Sindh PK AS45595 Pakistan Telecom Company Limited

The botnet that is logging in has over 2000 machines and they all try to log in when it starts failing. My temporary block list had 2200 IPs on it last week from them!

 

[danielpmc]

If you have WHM Root access try this:

1. Run Security Advisor it has a warning that will show if your email server is exposed improperly to the public. In the warning it will say something like ''your smpt/exim settings are exposing your email server which could allow someone to relay emails using your server'' If you see any warnings, they will also show how to fix the issue.

 

[Serra]

If you have WHM Root access try this:

1. Run Security Advisor it has a warning that will show if your email server is exposed improperly to the public. In the warning it will say something like ''your smpt/exim settings are exposing your email server which could allow someone to relay emails using your server'' If you see any warnings, they will also show how to fix the issue.

One warning under advisor, Kernel Care hasn't updated yet, but it takes a day or two to catch up each time. Everything else is green. The server is secure and passes PCI compliance.

Good advice though, but the server is not an open relay, these spammers have login credentials. The second I change them, they get popped by cpHulk.

 

[danielpmc]

What about an App on the phone that has elevated privileges? Since most Apps have contact permissions a rogue App may be used to trigger the botnet, since their are passwords installed on the phone.

 

[Serra]

What about an App on the phone that has elevated privileges? Since most Apps have contact permissions a rogue App may be used to trigger the botnet, since there are passwords installed on the phone.

We suspected that too, but three email, sometimes four, address are constantly exploited. None of the three/four addresses are on one device, not a phone, desktop, tablet or laptop. It is unlikely that a phone or tablet, they use both, is a single point of exploit.

We suspected a WiFi hack or a Router exploit, but scans don't show any MITM attacks on the network or WiFi.

 

[danielpmc]

It seems to me that after ruling out all devices, humans and software configs the only point left is the email server.

 

[cPanelLauren]

Is it always this user?

From: Gail Pitzl <[email protected]>

Regardless of what scans say as none of them are 100% I wonder if you would at least be able to narrow it down to where the compromise is coming from by changing the password for the mail user, then leaving it as such until Monday to see if the issue reoccurs. If it does you know there's some form of compromise in the user's account on the server if it doesn't you know its a device or workstation.

 

[Serra]

It seems to me that after ruling out all devices, humans and software configs the only point left is the email server.

\

Technically, it was on one server, after the second exploit we moved it to our most secure server. So, seems it would be TWO servers. So, that being the case, I wonder what on the email server would allow this to happen. Passwords shouldn't be recoverable from an email server.

 

[danielpmc]

What about Outlook? Look in the settings to see if Outlook is scheduled to retrieve emails from an unkwown IP or Host and send them on Monday.

 

[Serra]

Is it always this user?

From: Gail Pitzl <[email protected]>

Regardless of what scans say as none of them are 100% I wonder if you would at least be able to narrow it down to where the compromise is coming from by changing the password for the mail user, then leaving it as such until Monday to see if the issue reoccurs. If it does you know there's some form of compromise in the user's account on the server if it doesn't you know its a device or workstation.

We did a little of that. Since we were worried the exploit might be internal to my network or my computer guy's network, we sent the passwords 4 different ways. That didn't help. We also created two bogus email accounts with fairly simple passwords, used webmail from their office and ours. I also put the passwords for them in every place we used to transfer passwords in the past. Both accounts remained secure, despite dropping and emailing passwords for them all over the place.

I agree that no scanner is 100%, so we literally wiped all the computers in the client's office and reloaded everything from scratch. Even after that, this week they were still exploited.

 

[Serra]

What about Outlook? Look in the settings to see if Outlook is scheduled to retrieve emails from an unkwown IP or Host and send them on Monday.

Wow, that is good! But, it would need to be two Outlooks on two machines that had been wiped and the operating system reinstalled. The only thing we didn't do was chop the old computers into bits and install new ones!

There were no outgoing emails from the exploited systems until they were exploited, then they started sending a bunch. No, initial email that could contain the password went out. I just went over the log and it appears that nothing when out for 12 hours prior to the exploit, it was just normal business mail to addresses they send to all of the time.

 

[danielpmc]

I have formatted drives hundreds of times. But each time after the OS reinstall i had a handful of programs i would install each time. But i always installed new versions with no saved settings.

Any of the software that you reinstall after formatting should be checked for settings if you also installed old saved settings. Microsoft uses Active-x in its software meaning one software can be easily manipulated to control another.

 

[danielpmc]

Personally i have never trusted email programs on my computer or phone. Since you have cPanel and Email services, why not skip Outlook and set up your client(s) with cPanels Roundcube email services? All of this is easily done in cPanels Shared, Cloud, VPS or Dedicated plans. This eliminates the opportunity for client side negative actions, intentional or not. Also in cPanel they have an excellent email filtering system. I use it heavily to monitor emails coming and going to my accounts. It is very user friendly.

 

[danielpmc]

@Serra

Just wanted to offer a pat on the back for an excellent analysis and actions shown by you in your first post.