
The Community Forums


Email accounts exploited on a schedule

Discussion in 'Security' started by Serra, Jul 9, 2018.

  1. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    258
    Likes Received:
    17
    Trophy Points:
    168
    Location:
    Florida
    I'm having a strange issue. One of my cPanel accounts (with 4 mail accounts) is being exploited every week. Like clockwork, Monday morning, first thing.

    Mail is being sent from SMTP from their accounts.

    This is the fifth week it has happened, and I'm not sure how it is happening. We have done the following:

    1. Verify password strength, passwords are random letters, characters, and numbers, 16-18 characters long.
    2. The client does not know their passwords. Their computer guy put it in their Outlook and I put it into their phones. (No device has all 4 passwords on it, so one device can't be at fault)
    3. Passwords are transported securely between us technical people, we've used a different method after each event.
    4. We wiped all of the workstations involved and done a clean install of Windows 7, and a stronger virus scanner.
    5. We've checked their network for an intrusion.
    6. The server is using TLSv1.2 only for SMTP.
    7. Their website is a clean simple PHP site, with no exploits. I manually scanned it and looked for hack files.
    8. Their passwords are exploited, not changed. Hackers are logging into Exim and sending mail. (from a botnet of about 2200 machines/IPs.)
    9. This account was moved to our most secure PCI compliant server after the first event.
    10. The two technical people involved have been working together for 12 years, so it isn't an inside job. I run the servers, he does PC support and is 100% trusted.


    Given all of that, I see no way for hackers to hack these accounts. If it were a server exploit, it would have to be two of our servers; then why only attack this one account?

    I doubt this is personally targeted at this client, all that is happening is spam is being sent. If they are getting their email passwords, they could do far worse.

    What am I missing here?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,835
    Likes Received:
    134
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,

    To confirm all machines that are running outlook have been confirmed to be clean? Also have you checked their crontab to ensure a cronjob wasn't present on the account before it was moved as well as can you ensure the contact information for the domain is valid?

    Thanks!
     
  3. danielpmc

    danielpmc Well-Known Member

    Joined:
    Nov 3, 2016
    Messages:
    76
    Likes Received:
    32
    Trophy Points:
    18
    Location:
    Gainesville, Florida
    cPanel Access Level:
    Reseller Owner
    @Serra

    If you go to the official Microsoft website search for the Fiddler download. I have used this on XP and Windows 7 Basic. What it does is shows you live raw traffic info coming and going out of your computer/workstation. Take a few days to learn it and then run it on Monday or any other days for that matter. You should be able to catch enough details about where the traffic is coming/going from your workstations.
     
    #3 danielpmc, Jul 9, 2018
    Last edited by a moderator: Jul 10, 2018
  4. Serra
    The computer guy did scan both Windows machines and found nothing. I didn't check their crontab, but it is empty, just checked. The contact info on the domain is fine. It's in my GoDaddy account. Also the site was scanned for viruses and CXS scanned it as well when it was moved.
     
  5. Serra
    After the first attack, we installed Glasswire on the machines to look for anything that was communicating out and found nothing, after checking each week after the event. The two machines (it would require access to two machines to get the three passwords that were exploited) were totally clean. Nothing found on scans and no strange communication found in Glasswire.

    We also checked for Evil Maid Attacks, and only one person had access, he is a cleaning guy who is around 70, they are pretty sure he doesn't even use computers and it is doubtful he would be in league with a huge botnet.
     
  6. cPanelLauren
    Hi @Serra

    This is definitely an interesting situation. What do the emails look like? Do you have the headers available? If you do and you post them please remove any identifying information.

    Thanks!
     
  7. Serra
    Here is the header:
    Code:
    Received: from [39.44.xxx.xxx] (port=17873 helo=10.0.0.54)
       by mag.ourserver.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
       (Exim 4.91)
       (envelope-from <customer@theiremail.com>)
       id 1fcUGd-004HRU-LO
       for CNN_Report@example.us; Mon, 09 Jul 2018 06:23:44 -0500
    Date: Mon, 09 Jul 2018 16:23:42 +0500
    From: Gail Pitzl <customer@theiremail.com>
    To: CNN_Report@example.us
    Message-ID: <25369022612.201879112342@example.us>
    Subject: Invoice 5799553 from Gail Pitzl
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_000_005C_B6069156.A0C16F91"
    
    The messages are a mix of these 'your invoice' type of email that contains a text attachment with a link to a scam site. In the past, they were sending doc files with infection macros, but this latest batch is text files.
    Code:
    
    Your invoice is attached. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    
    http://www.domain.pl/files/EN_en/STATUS/Invoice/
    CNN Report
    
    Regards
    
    Gail Pitzl
    
    From:
    39.44.xxx.xxx  Karachi Sindh PK AS45595 Pakistan Telecom Company Limited
    
    The botnet that is logging in has over 2000 machines and they all try to log in when it starts failing. My temporary block list had 2200 IPs on it last week from them!
     
    #7 Serra, Jul 10, 2018
    Last edited by a moderator: Jul 10, 2018
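The header above carries most of what a responder needs, and reading it by hand on a fifth incident gets old. The following is an added example (not code from the thread or from cPanel) that unfolds a raw header block in the exact shape Exim 4.91 writes it and extracts the indicators that matter here: `esmtpsa` (the message was accepted after SMTP AUTH, so the sender holds a valid password and this is credential abuse rather than an open relay), a private RFC 1918 address in HELO arriving from a public IP (a NATed client somewhere else), and a `Date:` zone that differs from the server's while the two clocks agree to the second. The sample header is constructed from the one posted; the source address `39.44.0.1` is a placeholder for the masked `39.44.xxx.xxx`, and the Message-ID domain check is an extra, weak signal the post does not discuss.

```python
import re
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Constructed sample modelled on the header quoted in the thread. The source
# address is a placeholder (the post masks it as 39.44.xxx.xxx); all other
# values are the post's own.
SAMPLE_HEADER = """\
Received: from [39.44.0.1] (port=17873 helo=10.0.0.54)
   by mag.ourserver.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
   (Exim 4.91)
   (envelope-from <customer@theiremail.com>)
   id 1fcUGd-004HRU-LO
   for CNN_Report@example.us; Mon, 09 Jul 2018 06:23:44 -0500
Date: Mon, 09 Jul 2018 16:23:42 +0500
From: Gail Pitzl <customer@theiremail.com>
To: CNN_Report@example.us
Message-ID: <25369022612.201879112342@example.us>
Subject: Invoice 5799553 from Gail Pitzl
"""


def unfold_headers(raw):
    """Join RFC 5322 continuation lines and return {name_lower: first value}."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_received(value):
    """Pull the fields Exim writes into its Received: line (port/helo style)."""
    m = re.search(
        r"from \[(?P<ip>[^\]]+)\] \(port=(?P<port>\d+) helo=(?P<helo>[^)]+)\) "
        r"by (?P<server>\S+) with (?P<proto>\S+)", value)
    env = re.search(r"envelope-from <(?P<envfrom>[^>]+)>", value)
    fields = m.groupdict()
    fields["envfrom"] = env["envfrom"] if env else None
    fields["stamp"] = value.rsplit(";", 1)[1].strip()   # server receipt time
    return fields


def _is_private(addr):
    try:
        return ip_address(addr).is_private
    except ValueError:        # hostname, or a masked value such as 39.44.xxx.xxx
        return None


def triage(raw):
    """Return the indicators a responder would pull out of one message header."""
    h = unfold_headers(raw)
    r = parse_received(h["received"])
    sent = parsedate_to_datetime(h["date"])
    received = parsedate_to_datetime(r["stamp"])
    from_addr = re.search(r"<([^>]+)>", h["from"])
    from_domain = (from_addr[1] if from_addr else h["from"]).rpartition("@")[2]
    msgid_domain = h.get("message-id", "").strip("<>").rpartition("@")[2]

    findings = []
    # esmtpa/esmtpsa: Exim accepted the message after SMTP AUTH, so the sender
    # presented a valid password. Credential abuse, not a relay hole.
    if r["proto"] in ("esmtpa", "esmtpsa"):
        findings.append("authenticated_submission")
    # A LAN address in HELO from a public source IP means the client sits on
    # some private network behind NAT, typical of an infected PC elsewhere.
    if _is_private(r["helo"]) and _is_private(r["ip"]) is False:
        findings.append("private_helo_from_public_ip")
    # The client stamps Date: with its own clock and zone. A zone that differs
    # from the server's while the clocks agree says the submitting machine is
    # configured for a different region than the customer's office.
    if sent.utcoffset() != received.utcoffset():
        findings.append("timezone_mismatch")
    # Weak signal: a Message-ID minted under the recipient's domain rather than
    # the sender's is not something ordinary mail clients do.
    if msgid_domain and msgid_domain != from_domain:
        findings.append("message_id_domain_mismatch")

    return {
        "ip": r["ip"], "helo": r["helo"], "proto": r["proto"],
        "envelope_from": r["envfrom"],
        "sender_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "server_utc_offset_hours": received.utcoffset().total_seconds() / 3600,
        "clock_skew_seconds": (sent - received).total_seconds(),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADER).items():
        print(f"{key}: {val}")
```

On the posted header this reports all four findings, a sender zone of UTC+5 against the server's UTC-5, and a clock skew of two seconds: the submitting machine's clock is right, it is just set to the zone that matches the Karachi GeoIP result, which is one more reason to look past the customer's own workstations.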
  8. danielpmc
    If you have WHM Root access try this:

    1. Run Security Advisor; it has a warning that will show if your email server is exposed improperly to the public. In the warning it will say something like ''your smtp/exim settings are exposing your email server which could allow someone to relay emails using your server''. If you see any warnings, they will also show how to fix the issue.
     
  9. Serra
    One warning under advisor, Kernel Care hasn't updated yet, but it takes a day or two to catch up each time. Everything else is green. The server is secure and passes PCI compliance.

    Good advice though, but the server is not an open relay, these spammers have login credentials. The second I change them, they get popped by cpHulk.
     
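The server-side evidence for "they have the password, and cPHulk blocks them the moment I change it" lives in the Exim main log, where every authenticated submission is logged with `P=esmtpsa` and `A=dovecot_login:<mailbox>` and every failed login with `authenticator failed for ... (set_id=<mailbox>)`. The following is an added example (not code from the thread or from cPanel) that aggregates those two line types per mailbox: a mailbox that authenticates successfully from more than a couple of unrelated source addresses inside one day is being used by more than one party, and the same source addresses reappearing as failures against that mailbox after a password change is the botnet replaying a credential it no longer has. The log excerpt is constructed in the format cPanel's Exim writes by default; the host names, the documentation-range IPs and the second mailbox are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Exim mainlog excerpt (the line layout cPanel's Exim writes with
# its default log selectors); hosts, IPs and the second mailbox are placeholders.
SAMPLE_LOG = """\
2018-07-09 06:23:44 1fcUGd-004HRU-LO <= customer@theiremail.com H=(10.0.0.54) [39.44.0.1]:17873 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:customer@theiremail.com S=2841 id=25369022612.201879112342@example.us T="Invoice 5799553 from Gail Pitzl" for CNN_Report@example.us
2018-07-09 06:24:10 1fcUH2-004HSA-9f <= customer@theiremail.com H=(WIN-8F3A) [203.0.113.45]:4122 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:customer@theiremail.com S=2840 T="Invoice 5799554" for someone@example.net
2018-07-09 06:24:31 1fcUHN-004HSm-Qx <= customer@theiremail.com H=(10.0.0.54) [198.51.100.7]:61020 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:customer@theiremail.com S=2839 T="Invoice 5799555" for other@example.org
2018-07-09 08:02:17 1fcVp1-004Jc2-Lq <= alice@theiremail.com H=(officepc) [192.0.2.10]:50211 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:alice@theiremail.com S=1502 T="Re: meeting" for bob@example.com
2018-07-09 09:15:02 dovecot_login authenticator failed for (10.0.0.54) [39.44.0.1]:18011: 535 Incorrect authentication data (set_id=customer@theiremail.com)
2018-07-09 09:15:05 dovecot_login authenticator failed for (WIN-8F3A) [203.0.113.45]:4190: 535 Incorrect authentication data (set_id=customer@theiremail.com)
2018-07-09 09:15:09 dovecot_login authenticator failed for (srv) [198.51.100.7]:61101: 535 Incorrect authentication data (set_id=customer@theiremail.com)
2018-07-09 09:15:12 dovecot_login authenticator failed for (bot) [203.0.113.99]:2201: 535 Incorrect authentication data (set_id=customer@theiremail.com)
"""

# "<=" is message arrival; P= is the protocol, A= the authenticator and the
# login name it accepted. Only esmtpa/esmtpsa arrivals count as logins.
SUCCESS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ <= (?P<sender>\S+) H=.*? \[(?P<ip>[^\]]+)\]"
    r".*? P=(?P<proto>\S+).*? A=(?P<auth>[^:]+):(?P<user>\S+)")
# Rejected AUTH attempts name the mailbox that was tried in set_id=.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for .*?\[(?P<ip>[^\]]+)\]"
    r".*?\(set_id=(?P<user>[^)]+)\)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def analyse(log_text, window=timedelta(hours=24), max_sources=2):
    """Per mailbox: distinct source IPs that logged in, distinct IPs that failed,
    and two verdicts. max_sources is the number of distinct addresses a single
    legitimate user is allowed inside one window (office plus phone, say)."""
    success = defaultdict(dict)      # user -> {ip: first successful login time}
    failed = defaultdict(set)        # user -> {ip}
    for line in log_text.splitlines():
        m = SUCCESS_RE.match(line)
        if m and m["proto"] in ("esmtpa", "esmtpsa"):
            success[m["user"]].setdefault(m["ip"], _ts(m["ts"]))
            continue
        m = FAIL_RE.match(line)
        if m:
            failed[m["user"]].add(m["ip"])

    report = {}
    for user in set(success) | set(failed):
        ips = success.get(user, {})
        times = sorted(ips.values())
        bursty = bool(times) and (times[-1] - times[0]) <= window
        fails = failed.get(user, set())
        report[user] = {
            "success_ips": sorted(ips),
            "failed_ips": sorted(fails),
            # same password used from many networks within one window
            "shared_credential": bursty and len(ips) > max_sources,
            # many hosts failing against one mailbox: distributed guessing or
            # a botnet replaying a credential that was just changed
            "distributed_failures": len(fails) > max_sources,
            # hosts that used to log in and now fail: the old password is
            # being replayed, which is what cPHulk blocks after a reset
            "replayed_sources": sorted(set(ips) & fails),
        }
    return report


if __name__ == "__main__":
    for user, verdict in analyse(SAMPLE_LOG).items():
        print(user, verdict)
```

Against a real box the input is `/var/log/exim_mainlog` (pipe it in place of `SAMPLE_LOG`), and the useful part is the `replayed_sources` list: if it grows every Monday with addresses that were never the customer's, the password is leaving the building through a channel that is not the wiped workstations, and the mailbox is the thing to lock down (a fresh password held only on the server side, or disabling SMTP AUTH for it entirely) while that channel is found.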
  10. danielpmc
    What about an app on the phone that has elevated privileges? Since most apps have contact permissions, a rogue app may be used to trigger the botnet, since there are passwords installed on the phone.
     
  11. Serra
    We suspected that too, but three, sometimes four, email addresses are constantly exploited. None of the three/four addresses are on one device, not a phone, desktop, tablet or laptop. It is unlikely that a phone or tablet (they use both) is a single point of exploit.

    We suspected a WiFi hack or a Router exploit, but scans don't show any MITM attacks on the network or WiFi.
     
  12. danielpmc
    It seems to me that after ruling out all devices, humans and software configs the only point left is the email server.
     
  13. cPanelLauren
    Is it always this user?

    Code:
    From: Gail Pitzl <customer@theiremail.com>
    
    Regardless of what scans say, as none of them are 100%, I wonder if you would at least be able to narrow it down to where the compromise is coming from by changing the password for the mail user, then leaving it as such until Monday to see if the issue reoccurs. If it does, you know there's some form of compromise in the user's account on the server; if it doesn't, you know it's a device or workstation.
     
  14. Serra

    Technically, it was on one server; after the second exploit we moved it to our most secure server. So it seems it would be TWO servers. That being the case, I wonder what on the email server would allow this to happen. Passwords shouldn't be recoverable from an email server.
     
  15. danielpmc
    What about Outlook? Look in the settings to see if Outlook is scheduled to retrieve emails from an unknown IP or host and send them on Monday.
     
  16. Serra
    We did a little of that. Since we were worried the exploit might be internal to my network or my computer guy's network, we sent the passwords 4 different ways. That didn't help. We also created two bogus email accounts with fairly simple passwords, used webmail from their office and ours. I also put the passwords for them in every place we used to transfer passwords in the past. Both accounts remained secure, despite dropping and emailing passwords for them all over the place.

    I agree that no scanner is 100%, so we literally wiped all the computers in the client's office and reloaded everything from scratch. Even after that, this week they were still exploited.
     
  17. Serra
    Wow, that is good! But, it would need to be two Outlooks on two machines that had been wiped and the operating system reinstalled. The only thing we didn't do was chop the old computers into bits and install new ones!

    There were no outgoing emails from the exploited systems until they were exploited, then they started sending a bunch. No initial email that could contain the password went out. I just went over the log and it appears that nothing went out for 12 hours prior to the exploit; it was just normal business mail to addresses they send to all of the time.
     
  18. danielpmc
    I have formatted drives hundreds of times. But each time after the OS reinstall I had a handful of programs I would install each time. But I always installed new versions with no saved settings.

    Any of the software that you reinstall after formatting should be checked for settings if you also installed old saved settings. Microsoft uses ActiveX in its software, meaning one piece of software can be easily manipulated to control another.
     
  19. danielpmc
    Personally I have never trusted email programs on my computer or phone. Since you have cPanel and email services, why not skip Outlook and set up your client(s) with cPanel's Roundcube email services? All of this is easily done in cPanel's Shared, Cloud, VPS or Dedicated plans. This eliminates the opportunity for client-side negative actions, intentional or not. Also in cPanel they have an excellent email filtering system. I use it heavily to monitor emails coming and going to my accounts. It is very user friendly.
     
  20. danielpmc
    @Serra

    Just wanted to offer a pat on the back for an excellent analysis and actions shown by you in your first post.
     