[IMail Forum] Cleaning hacked server
I'm assisting someone whose Imail server (9.23 running on 2003) has been hacked by a spammer. I don't think it's a relaying issue since the server is behind a Barracuda spam firewall that filters incoming email and rejects anything not addressed to the domain's users - the Barracuda logs show nothing. The server is not running on port 25 - the Barracuda is forwarding all email on a different port. If you go into User Manager you can see where a user account had been modified with a bogus Full Name and Return Address. The actual spam content was in the signature file and the hacked user account was used to send the spam email. The server is on a DMZ, with incoming ports tightly restricted - I've been searching the firewall and SMTP logs but can't figure out how the spammer is gaining access to Imail. Where do I need to be looking? Any help would be greatly appreciated. To Unsubscribe: http://imailserver.com/support/discussion_list/ List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://imailserver.com/support/kb.html
RE: [IMail Forum] Cleaning hacked server
We had the same thing happen. It turns out the user used the password fluffy to secure their account. Check your logs - if you are running them - and you will see someone tried multiple passwords on the account and it probably didn't take very many tries for them to gain access. We cleaned the account and made the user change their password, and locked out web access for her because she never uses it, and have not had another problem. Bruce -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steeley Sent: Thursday, October 30, 2008 08:39 To: IMail_Forum@list.ipswitch.com Subject: [IMail Forum] Cleaning hacked server
Re: [IMail Forum] Cleaning hacked server
Thanks for the help. What log file would contain that information? -Original Message- From: Bruce Barnes [EMAIL PROTECTED] Sent 10/30/2008 9:48:10 AM To: Imail_Forum@list.ipswitch.com Subject: RE: [IMail Forum] Cleaning hacked server
RE: [IMail Forum] Cleaning hacked server
Check the W1 and W2 logs for the past several days. They are usually small and will show random activity of spiders, etc. If someone accesses their web account it will be listed in there. If someone attacks an account, it should be a significantly larger log file. Note, you need to have the proper level of logging enabled to see all of the activity. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steeley Sent: Thursday, October 30, 2008 08:57 To: imail_forum@list.ipswitch.com; Imail_Forum@list.ipswitch.com Subject: Re: [IMail Forum] Cleaning hacked server
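Added example (not code from the thread, from Ipswitch or from IMail): the check Bruce describes in both of his replies, reading the web-mail log for a burst of failed logins against one account followed by a success from the same address, which is the signature of a weak password such as "fluffy" being guessed. The log lines and their layout are constructed for this example and are an assumption, not IMail's real W1/W2 format; point LINE_RE at the actual file's login lines and the rest applies unchanged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a HYPOTHETICAL web-mail login log format.
# This is an assumption for the example, not IMail's real W1/W2 layout.
SAMPLE_LOG = """\
10/30/2008 02:14:01 198.51.100.7 GET /default.asp 200
10/30/2008 02:15:10 203.0.113.5 LOGIN jdoe@example.com FAILED
10/30/2008 02:15:12 203.0.113.5 LOGIN jdoe@example.com FAILED
10/30/2008 02:15:13 203.0.113.5 LOGIN jdoe@example.com FAILED
10/30/2008 02:15:15 203.0.113.5 LOGIN jdoe@example.com FAILED
10/30/2008 02:15:16 203.0.113.5 LOGIN jdoe@example.com FAILED
10/30/2008 02:15:18 203.0.113.5 LOGIN jdoe@example.com OK
10/30/2008 02:16:40 203.0.113.5 POST /options.asp 200
10/30/2008 03:02:09 192.0.2.44 LOGIN asmith@example.com FAILED
10/30/2008 09:30:00 192.0.2.44 LOGIN asmith@example.com OK
"""

# Matches only the assumed LOGIN lines; other requests (spiders, page loads) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) LOGIN (?P<user>\S+) (?P<result>OK|FAILED)$"
)


def parse_logins(text):
    """Yield (timestamp, ip, user, success) for each login line in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
        yield ts, m.group("ip"), m.group("user"), m.group("result") == "OK"


def find_brute_force(text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of (user, ip, failures_in_window, compromised).

    An (ip, user) pair is flagged when at least `threshold` failed logins fall
    inside any `window`-long span. `compromised` is True when a successful
    login from the same IP follows the last failure: the account was guessed,
    not merely attacked.
    """
    events = defaultdict(list)
    for ts, ip, user, ok in parse_logins(text):
        events[(ip, user)].append((ts, ok))

    findings = []
    for (ip, user), evs in events.items():
        evs.sort()
        fails = [ts for ts, ok in evs if not ok]
        # Sliding window over the sorted failure timestamps.
        best, lo = 0, 0
        for hi in range(len(fails)):
            while fails[hi] - fails[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            last_fail = fails[-1]
            compromised = any(ok and ts > last_fail for ts, ok in evs)
            findings.append((user, ip, best, compromised))
    return findings


if __name__ == "__main__":
    for user, ip, n, hit in find_brute_force(SAMPLE_LOG):
        status = "then SUCCEEDED" if hit else "no success seen"
        print(f"{user} from {ip}: {n} failures within the window, {status}")
```

Run it against a day's log (read the file instead of SAMPLE_LOG) and compare days: a file that is far larger than usual, as Bruce notes, is itself a first hint, and this script tells you which account and source address made it that size. Accounts that show a success after the failure burst are the ones to reset and clean.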