The Community Forums


How can I know how an email account was breached?

Discussion in 'Security' started by Rafael Alvarez, Oct 13, 2016.

  1. Rafael Alvarez

    Joined:
    Mar 7, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    México
    cPanel Access Level:
    Reseller Owner
    Hi, it seems that a spammer cracked an email account and all my SMTP relays were consumed. My server is a VPS running CentOS.

    I have taken every prevention method I have found on the CPanel documentation and still it happened, everything here is covered: How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation

    All accounts have a password with a score of 60 or more. I also blocked port 25 and required SMTP authentication.

    On WHM "Mail Delivery Reports" the sender appears as an email account from a nonexistent domain, "notificaciones@example.com.mx", with the following event details:
    Code:
    Sender: notificaciones@example.com.mx
    Sent Time: Oct 13, 2016 10:40:10 AM
    Sender Host: [Removed]
    Sender IP: [Removed]
    Authentication: dovecot_login
    Spam Score: 2.8
    Recipient: someusr@hotmail.com
    Delivered To:
    Delivery User:
    Delivery Domain:
    Router: send_to_smart_host
    Transport: remote_smtp
    
    Using this script over SSH I found out that an email account I own, francisco.gonzalez@example.com, has sent more than 9,000 emails:

    Code:
    # For today's exim_mainlog entries: per authenticated account, number of recipients
    # addressed and number of distinct client IPs that authenticated as that account
    perl -lsne '
        /$today.* \[([0-9.]+)\]:.+dovecot_(?:login|plain):([^\s]+).* for (.*)/
            and $sender{$2}{r} += scalar(split / /, $3)
            and $sender{$2}{i}{$1} = 1;
        END {
            foreach $sender (keys %sender) {
                printf "Recip=%05d Hosts=%03d Auth=%s\n",
                    $sender{$sender}{r}, scalar(keys %{$sender{$sender}{i}}), $sender;
            }
        }
    ' -- -today=$(date +%F) /var/log/exim_mainlog | sort

    I want to find out how that account was breached in order to prevent further attacks. Any guess?
    Any help will be really appreciated. Thank you.
     
    #1 Rafael Alvarez, Oct 13, 2016
    Last edited by a moderator: Oct 24, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you verify if cPHulk brute force protection is enabled on this system? You can review entries in /var/log/maillog for that email account with a command such as:

    Code:
    grep user@domain /var/log/maillog
    Look for high amounts of authentication failures that would suggest the email account's password was brute forced.

    Thank you.
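    Added here as a worked example (not code from the thread, from the poster, or from cPanel): a Python version of the two checks discussed above, the per-account sender summary the perl one-liner computes from /var/log/exim_mainlog and the search for Dovecot authentication failures in /var/log/maillog suggested in the reply, joined so that failed logins from the same client IPs an account later sent from stand out. The log lines, accounts and IP addresses are constructed samples in the shape of those logs.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like /var/log/exim_mainlog and Dovecot entries in /var/log/maillog
EXIM_MAINLOG = """\
2016-10-13 10:40:10 1buhwk-0003ab-Qn <= notificaciones@example.com.mx H=(localhost) [203.0.113.5]:51234 P=esmtpa A=dovecot_login:francisco.gonzalez@example.com S=2310 for someusr@hotmail.com other@example.org
2016-10-13 10:40:12 1buhwm-0003af-Ax <= notificaciones@example.com.mx H=(localhost) [198.51.100.7]:40211 P=esmtpa A=dovecot_login:francisco.gonzalez@example.com S=2305 for a@example.net
2016-10-13 11:02:33 1buiMv-0004Qq-Bt <= maria@example.com H=(pc) [192.0.2.10]:49152 P=esmtpsa A=dovecot_plain:maria@example.com S=812 for friend@example.org
"""
MAILLOG = """\
Oct 12 15:24:10 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<francisco.gonzalez@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
Oct 12 15:24:12 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<francisco.gonzalez@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
Oct 12 15:24:15 vps dovecot: imap-login: Login: user=<francisco.gonzalez@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=8123, TLS
Oct 12 15:25:01 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ventas@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS
"""

# Exim "<=" (message accepted) line: date, [client IP]:port, A=dovecot_login:<account>, "for" recipients
EXIM_RE = re.compile(r"^(\S+) \S+ \S+ <= .*?\[([0-9.]+)\]:\d+ .*?A=dovecot_(?:login|plain):(\S+) .* for (.*)$")
# Dovecot login outcome, the account tried and the remote client IP (rip=)
DOVECOT_RE = re.compile(r"dovecot: \S+: (Login|Disconnected \(auth failed).*?user=<([^>]*)>.*?rip=([0-9.]+)")

def summarize_senders(log_text, day):
    """Per authenticated account on `day`: (recipients addressed, sorted distinct client IPs)."""
    stats = defaultdict(lambda: {"recipients": 0, "ips": set()})
    for line in log_text.splitlines():
        m = EXIM_RE.match(line)
        if not m or m.group(1) != day:
            continue
        _, ip, account, recips = m.groups()
        stats[account]["recipients"] += len(recips.split())
        stats[account]["ips"].add(ip)
    return {a: (s["recipients"], sorted(s["ips"])) for a, s in stats.items()}

def auth_history(log_text):
    """Per (account, client IP): how many Dovecot logins failed and how many succeeded."""
    hist = defaultdict(lambda: {"failed": 0, "ok": 0})
    for line in log_text.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            outcome, user, ip = m.groups()
            hist[(user, ip)]["ok" if outcome == "Login" else "failed"] += 1
    return dict(hist)

def assess(senders, hist):
    """Join both views: failed logins (any account) seen from the IPs a sending account used. Many failures point to guessing; none suggests the password was obtained some other way."""
    out = {}
    for account, (recips, ips) in senders.items():
        failed = sum(v["failed"] for (_, ip), v in hist.items() if ip in ips)
        out[account] = {"recipients": recips, "hosts": len(ips), "failed_from_same_ips": failed}
    return out
```

    On a real server, read the two files instead of the embedded samples and pass the day you are investigating; the assessment also shows which IPs were used, so the surviving sessions from those IPs can be ended and the password changed.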
     
  3. Rafael Alvarez

    Hi Michael, thank you very much for answering. Yes, CPHulk is enabled.
    I reviewed the logs like you advised me and found these auth errors; however, they were at the same time that IP sent some malicious mails (it sent 4 on October 12th at 3:24:15 PM and then stopped, continuing the next day).
    - Removed -

    I used grep with the attacker's IP (grep user@domain /var/log/maillog) and got this:
    - Removed -

    It seems that IP also tried to log in to other accounts, but since CPHulk is enabled and I don't see many login attempts I think a brute force attack is unlikely, or am I wrong?
     
    #3 Rafael Alvarez, Oct 14, 2016
    Last edited by a moderator: Oct 15, 2016
  4. cPanelMichael

    Hello,

    It looks like the output you provided was moderated. Could you post the output again, ensuring to remove any identifying information about the server, IP addresses, or domain names? You can post the relevant entries instead of the full output.

    Thank you.
     