
Exploited email accounts

Discussion in 'E-mail Discussions' started by Serra, Jun 10, 2013.

  1. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    I've been seeing something strange on my servers. Email accounts being accessed by spammers who have the password for the email account.

    I've been seeing this for about a year now. Every few months an account gets exploited. I change the account password, contact the user and the problem ends.

    Last month, I got a new server, which is fully secure and PCI compliant, plus a bunch of extra stuff I did for security as well.

    On two prior exploits, the users were fairly good users. Not the kind of people who would fall for phishing. Then today I found another spammer sending spam on an account; the spammer was using a botnet from India and Russia that rotated the IPs every 20 messages.

    Here is where it gets strange. The mail box that was exploited was an old box for my computer tech's company. They switched to an exchange server, so the mail boxes were just sitting on the box, unused. All of the passwords were reset for the exchange server, so the guy whose box was exploited didn't even know his own password and he isn't using that password to check mail with.

    I find it strange that a spammer could get the email password for an account whose password none of us knew. Not the owner of the account and not me.

    I checked back 6 months and I don't see any long term hacking attempts on this account. My password level is set to 60, so it was fairly secure, whatever it was.

    I'm wondering how this is happening. I'm 100% positive now that what I was blaming, phishing, isn't the issue. I knew that the owner of this account didn't get phished, since he RUNS THE EXCHANGE SERVER he is on! Hard to phish a password out of the admin for the mail server.

    Anyone seeing anything like this that they are blaming on phishing?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Are you positive the SPAM is coming from an authenticated user instead of a spoofed "FROM" address in the message header? Do you have a copy of a message header that you could provide so we can verify that?

    Thank you.
     
  3. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    Yes, positive. It shows up in Mailscanner logs and the spammers somehow got a password wrong in further attempts and were blocked by cPhulk.

    Here is the full header. I changed the user's domain to domain.com. My server is mag.magicangelwest.com.

    Code:
    Received: from [117.194.242.20] (port=2096 helo=domain.com)
         by mag.magicangelwest.com with esmtpa (Exim 4.80.1)
         (envelope-from <klupo@domain.com>)
         id 1Um4Lc-0002i7-61; Mon, 10 Jun 2013 10:49:33 -0500
    Message-ID: <EFB5F846.D68FE887@domain.com>
    Date: Mon, 10 Jun 2013 17:49:32 +0200
    From: "klupo@domain.com" <klupo@domain.com>
    X-Accept-Language: en-us
    MIME-Version: 1.0
    To: <jorgeandre56@yahoo.com>
    Cc: <juzhomerepairs@yahoo.com>,
         <patriots8483@yahoo.com>,
         <jueveswaveos@yahoo.com>,
         <klcookies@yahoo.com>,
         <lil_mama20052008@yahoo.com>,
         <lwsprg@yahoo.com>,
         <midekins@yahoo.com>,
         <jt_7798@yahoo.com>,
         <lilmarcus142003@yahoo.com>,
         <jasonshelden96@yahoo.com>,
         <marietonie96@yahoo.com>,
         <monkasher@yahoo.com>,
         <im1texmex@yahoo.com>,
         <michael.salazar55@yahoo.com>,
         <junior_mapati@yahoo.com>,
         <pelonmich17@yahoo.com>,
         <luther.nigel@yahoo.com>,
         <nhardman3x@yahoo.com>,
         <jroldan63@yahoo.com>
    Subject: I am romantic
    Content-Type: text/html;
         charset="us-ascii"
    Content-Transfer-Encoding: 7bit
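    The question cPanelMichael raised (authenticated submission versus a spoofed From address) is answered by the first Received line: Exim writes "with esmtpa" or "with esmtpsa" only when the client completed SMTP AUTH, and plain "esmtp"/"esmtps" when it did not. The script below is an added example, not code from the thread or from cPanel: it unfolds an RFC 5322 header block, parses the Received hop added by a named server (the `our_host` parameter is this example's own), and reports whether the message entered through an authenticated session, from which IP and HELO name, and under which envelope sender. The first sample is the posted header with the recipient list reduced to one placeholder; the second is a constructed contrast case where the same From address arrives over an unauthenticated connection from a remote MTA.

```python
import re

# Constructed copy of the header block posted in this thread. The user's
# domain is the poster's own placeholder (domain.com); the long recipient
# list is replaced by a single placeholder address.
SAMPLE_HEADERS = """\
Received: from [117.194.242.20] (port=2096 helo=domain.com)
     by mag.magicangelwest.com with esmtpa (Exim 4.80.1)
     (envelope-from <klupo@domain.com>)
     id 1Um4Lc-0002i7-61; Mon, 10 Jun 2013 10:49:33 -0500
Message-ID: <EFB5F846.D68FE887@domain.com>
Date: Mon, 10 Jun 2013 17:49:32 +0200
From: "klupo@domain.com" <klupo@domain.com>
To: <recipient@example.net>
Subject: I am romantic
"""

# Constructed contrast case: same From address, but the hop into our server
# is a plain unauthenticated "esmtp" connection from a remote mail exchanger.
SPOOFED_HEADERS = """\
Received: from mx.example.org ([192.0.2.25]:40123)
     by mag.magicangelwest.com with esmtp (Exim 4.80.1)
     (envelope-from <klupo@domain.com>)
     id 1UmBBB-000012-Aa; Mon, 10 Jun 2013 11:02:10 -0500
From: "klupo@domain.com" <klupo@domain.com>
To: <recipient@example.net>
Subject: I am romantic
"""

# Exim Received clause: "from host ([ip]:port helo=x)" or "from [ip] (port=.. helo=x)",
# then "by <server> with <protocol>", optional envelope-from, then the queue id.
RECEIVED_RE = re.compile(
    r"from (?:(?P<host>[^\s\[(]+)\s+)?\(?\[(?P<ip>[^\]]+)\]"
    r".*?by (?P<by>\S+) with (?P<proto>\S+)"
    r"(?:.*?\(envelope-from <(?P<env>[^>]+)>\))?"
    r"(?:.*?\bid (?P<id>[^;\s]+))?",
    re.DOTALL,
)
HELO_RE = re.compile(r"helo=([^\s)]+)")
# Exim appends "a" to the protocol name when the client passed SMTP AUTH.
AUTHENTICATED = {"esmtpa", "esmtpsa"}


def unfold_headers(raw):
    """Return [(name, value), ...] with folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Extract the hop details from one unfolded Received value, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo = HELO_RE.search(value)
    proto = m["proto"].lower()
    return {
        "source_ip": m["ip"],
        "source_host": m["host"],
        "helo": helo.group(1) if helo else None,
        "by": m["by"],
        "protocol": proto,
        "envelope_from": m["env"],
        "exim_id": m["id"],
        "authenticated": proto in AUTHENTICATED,
    }


def classify_submission(raw, our_host):
    """Decide whether the message entered our_host via SMTP AUTH or unauthenticated."""
    headers = unfold_headers(raw)
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    ours = [h for h in hops if h and h["by"].lower() == our_host.lower()]
    if not ours:
        return {"verdict": "no Received header added by %s" % our_host}
    hop = ours[-1]  # lowest Received by our host = where the message entered it
    from_value = next((v for n, v in headers if n.lower() == "from"), "")
    m = re.search(r"<([^>]+)>", from_value)
    from_addr = m.group(1) if m else from_value.strip()
    result = dict(hop)
    result["from_header"] = from_addr
    result["from_matches_envelope"] = from_addr.lower() == (hop["envelope_from"] or "").lower()
    if hop["authenticated"]:
        result["verdict"] = ("authenticated submission (%s) from %s: the account's "
                             "credentials were used" % (hop["protocol"], hop["source_ip"]))
    else:
        result["verdict"] = ("unauthenticated %s connection from %s: the sender address "
                             "is unproven and may be spoofed" % (hop["protocol"], hop["source_ip"]))
    return result


if __name__ == "__main__":
    for raw in (SAMPLE_HEADERS, SPOOFED_HEADERS):
        print(classify_submission(raw, "mag.magicangelwest.com")["verdict"])
```

    On the posted header the verdict is an authenticated esmtpa submission from 117.194.242.20 with envelope sender klupo@domain.com, which is what makes this a credential-use case rather than a spoofing case. A compromised password is then confirmed against the Exim mainlog, where the same queue id carries the `A=` field naming the authenticated user.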
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Have you run a rootkit scanner on your system to see if any root exploits are detected? Is it possible the passwords to the account usernames were brute forced?

    You may also want to consider consulting with a system administrator/security specialist. There are several listings at:

    cPanel Application Catalog - System Admin Services

    Thank you.
     
  5. bhd

    bhd Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    149
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    JNB ZA
    cPanel Access Level:
    Root Administrator
    Very similar problems being faced. Repeated "customers" relaying AUTH mail that is pure spam. After physically examining their passwords and hardware I'm convinced that none of them have anything nefarious - like key loggers. In fact, three of them fdisk'ed their drives and did a complete re-install just to be sure .... and got their passwords hacked within a week.

    Total mystery.
     
  6. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    This happened on two servers, one older server and one new server that is about 3 weeks in production. I've got every rootkit scanner available and the server is PCI compliant, so it is not likely that the server has been rooted. I'm running these servers very securely. Even if the server had been rooted, there is no way to recover a user's password that I know of. Even with root access, I'm not sure I could do that. While I might not be an expert, I have a company that secures my servers when I get them.

    As for brute force, I doubt that. I'm running cPhulk that blocks at 30 and lfd that blocks at 15, perm block after 5 failures. That means brute force only has 75 tries per IP. Plus I monitor all brute force attacks with log scanner and I've never seen a brute force attempt on a valid email. Hackers constantly brute force against the servers, but never with anything that is remotely a valid login. (Root access via password is not possible, except through cPanel, which is logged by IP.)

    I also checked the log and found that the spammer showed up with password in hand and started sending emails. No failed attempts. In prior attacks, I could pawn it off as phishing or stupidity, but in this case, that isn't the case. The spammer is also very careful not to trip up any of the built in blocks, such as emails per hour. I've found I can only catch these with an email log scanner that I wrote to uncover this kind of spammer.

    - - - Updated - - -

    That is exactly my problem. I was willing to write it off as a customer security issue in the past, but when my computer guy gets his email hacked and neither of us knew the password, so it can't be phishing, nor can it be weak encryption intercept of his mail connects, since he isn't even connecting to my server... I'm at a total loss as to how the account was exploited. Also, since his MX points to a mail server, it would be likely that any attack against him specifically would have attacked his mail server, not the web server. There was no way for the spammer to know that user had a valid email on the server, since it hadn't been used since 2012 when they switched to the Exchange server.
     
    #6 Serra, Jun 11, 2013
    Last edited: Jun 11, 2013
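    The pattern described in this thread, one mailbox's credentials used from a botnet that rotates source IPs every 20 or so messages while staying under the per-hour sending limit, is invisible to per-IP brute-force blockers like cPhulk and lfd because no login ever fails. It is, however, easy to see in the Exim mainlog: every authenticated submission is a "<=" line carrying `H=` (client host and IP), `P=` (protocol, esmtpa/esmtpsa) and `A=` (authenticator and username). The script below is an added example and not the scanner Serra wrote; it parses such lines and flags any authenticated user whose messages came from an unusually large number of distinct IPs inside a time window. The log lines are constructed (documentation-range IPs, made-up queue ids), and the thresholds (`window`, `min_ips`) are this example's own defaults, not cPanel settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Exim mainlog "<=" (message received)
# lines: one mailbox submitting from three different IPs within ten minutes,
# a normal user submitting from one host, and one unauthenticated inbound
# message (no A= field) that the scanner must ignore.
SAMPLE_LOG = """\
2013-06-10 10:40:01 1UmAAA-000001-01 <= klupo@domain.com H=(domain.com) [203.0.113.10]:2096 P=esmtpa A=dovecot_login:klupo@domain.com S=2345 T="I am romantic" for r1@example.net
2013-06-10 10:40:09 1UmAAA-000002-02 <= klupo@domain.com H=(domain.com) [203.0.113.10]:2097 P=esmtpa A=dovecot_login:klupo@domain.com S=2345 T="I am romantic" for r2@example.net
2013-06-10 10:43:12 1UmAAA-000003-03 <= alice@domain.com H=host.example.org [198.51.100.7]:51234 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@domain.com S=1201 T="Invoice" for bob@example.net
2013-06-10 10:44:30 1UmAAA-000004-04 <= klupo@domain.com H=(domain.com) [198.51.100.200]:3011 P=esmtpa A=dovecot_login:klupo@domain.com S=2345 T="I am romantic" for r3@example.net
2013-06-10 10:44:38 1UmAAA-000005-05 <= klupo@domain.com H=(domain.com) [198.51.100.200]:3012 P=esmtpa A=dovecot_login:klupo@domain.com S=2345 T="I am romantic" for r4@example.net
2013-06-10 10:46:00 1UmAAA-000006-06 <= sender@example.com H=mx.example.com [192.0.2.25]:40000 P=esmtp S=5120 T="Hello" for alice@domain.com
2013-06-10 10:49:33 1UmAAA-000007-07 <= klupo@domain.com H=(domain.com) [192.0.2.99]:2096 P=esmtpa A=dovecot_login:klupo@domain.com S=2345 T="I am romantic" for r5@example.net
2013-06-10 10:49:41 1UmAAA-000008-08 <= klupo@domain.com H=(domain.com) [192.0.2.99]:2098 P=esmtpa A=dovecot_login:klupo@domain.com S=2345 T="I am romantic" for r6@example.net
2013-06-10 10:55:02 1UmAAA-000009-09 <= alice@domain.com H=host.example.org [198.51.100.7]:51300 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@domain.com S=980 T="Re: Invoice" for bob@example.net
"""

# Matches only authenticated submissions: the A= field is mandatory here, so
# inbound MTA-to-MTA traffic (P=esmtp without A=) never matches.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<env>\S+) "
    r"H=(?:\S+ )?(?:\(\S+\) )?\[(?P<ip>[^\]]+)\](?::\d+)? "
    r"P=(?P<proto>\S+) (?:X=\S+ )?(?:CV=\S+ )?A=(?P<auth>\S+)"
)


def parse_auth_submissions(log_text):
    """Return one record per authenticated '<=' line in the mainlog text."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "exim_id": m["id"],
            "envelope_from": m["env"],
            "ip": m["ip"],
            "protocol": m["proto"],
            # A=<authenticator>:<username>; keep the username only
            "auth_user": m["auth"].split(":", 1)[-1],
        })
    return records


def find_rotating_senders(records, window=timedelta(hours=1), min_ips=3):
    """Flag users who authenticated from >= min_ips distinct IPs inside any window."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["auth_user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        # Sliding window ending at each message: count distinct IPs seen so far
        for i, end in enumerate(recs):
            start = end["ts"] - window
            ips = {r["ip"] for r in recs[: i + 1] if r["ts"] >= start}
            best = max(best, len(ips))
        if best >= min_ips:
            flagged[user] = {
                "distinct_ips": best,
                "messages": len(recs),
                "per_ip": Counter(r["ip"] for r in recs),
                "first": recs[0]["ts"],
                "last": recs[-1]["ts"],
            }
    return flagged


if __name__ == "__main__":
    for user, info in find_rotating_senders(parse_auth_submissions(SAMPLE_LOG)).items():
        print("%s: %d messages from %d IPs between %s and %s" % (
            user, info["messages"], info["distinct_ips"], info["first"], info["last"]))
        for ip, n in info["per_ip"].most_common():
            print("  %-16s %d" % (ip, n))
```

    Run against a real mainlog the same logic picks out exactly the case described here: a single `A=` user with a handful of messages from each of many unrelated IPs, which is the signature of a leaked credential in use, while a legitimate user on a laptop shows one or two IPs. Alerting on it (and suspending outgoing mail for that account until the password is reset) catches the abuse even when no rate limit is tripped.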