Email accounts exploited on a schedule
I'm having a strange issue. One of my cPanel accounts (with 4 mail accounts) is being exploited every week. Like clockwork, Monday morning, first thing.
Mail is being sent from SMTP from their accounts.
This is the fifth week it has happened, and I'm not sure how it is happening. We have done the following:
1. Verify password strength, passwords are random letters, characters, and numbers, 16-18 characters long.
2. The client does not know their passwords. Their computer guy put it in their Outlook and I put it into their phones. (No device has all 4 passwords on it, so one device can't be at fault)
3. Passwords are transported securely between us technical people, we've used a different method after each event.
4. We wiped all of the workstations involved and did a clean install of Windows 7, and a stronger virus scanner.
5. We've checked their network for an intrusion.
6. The server is using TLSv1.2 only for SMTP.
7. Their website is a clean simple PHP site, with no exploits. I manually scanned it and looked for hack files.
8. Their passwords are exploited, not changed. Hackers are logging into Exim and sending mail. (from a botnet of about 2200 machines/IPs.)
9. This account was moved to our most secure PCI compliant server after the first event.
10. The two technical people involved have been working together for 12 years, so it isn't an inside job. I run the servers, he does PC support and is 100% trusted.
Given all of that, I see no way for hackers to hack these accounts. If it was a server exploit, it would have to be two of our servers, so why only attack this one account?
I doubt this is personally targeted at this client, all that is happening is spam is being sent. If they are getting their email passwords, they could do far worse.
What am I missing here?
Hello, to confirm, have all machines that are running Outlook been confirmed to be clean? Also, have you checked their crontab to ensure a cronjob wasn't present on the account before it was moved, and can you ensure the contact information for the domain is valid? Thanks!
@Serra If you go to the official Microsoft website, search for the Fiddler download. I have used this on XP and Windows 7 Basic. What it does is show you live raw traffic info coming into and going out of your computer/workstation. Take a few days to learn it and then run it on Monday, or any other day for that matter. You should be able to catch enough details about where the traffic is coming from/going to from your workstations.
To confirm, have all machines that are running Outlook been confirmed to be clean? Also, have you checked their crontab to ensure a cronjob wasn't present on the account before it was moved, and can you ensure the contact information for the domain is valid?
The computer guy did scan both Windows machines and found nothing. I didn't check their crontab, but it is empty, I just checked. The contact info on the domain is fine. It's in my GoDaddy account. Also, the site was scanned for viruses and CXS scanned it as well when it was moved.
@Serra If you go to the official Microsoft website, search for the Fiddler download. I have used this on XP and Windows 7 Basic. What it does is show you live raw traffic info coming into and going out of your computer/workstation. Take a few days to learn it and then run it on Monday, or any other day for that matter. You should be able to catch enough details about where the traffic is coming from/going to from your workstations.
After the first attack, we installed Glasswire on the machines to look for anything that was communicating out and found nothing, after checking each week after the event. The two machines (it would require access to two machines to get the three passwords that were exploited) were totally clean. Nothing found on scans and no strange communication found in Glasswire. We also checked for Evil Maid attacks, and only one person had access; he is a cleaning guy who is around 70, they are pretty sure he doesn't even use computers and it is doubtful he would be in league with a huge botnet.
Hi @Serra This is definitely an interesting situation. What do the emails look like? Do you have the headers available? If you do and you post them, please remove any identifying information. Thanks!
This is definitely an interesting situation. What do the emails look like? Do you have the headers available? If you do and you post them, please remove any identifying information.
Here is the header:
Received: from [39.44.xxx.xxx] (port=17873 helo=10.0.0.54)
	by mag.ourserver.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.91)
	(envelope-from )
	id 1fcUGd-004HRU-LO
	for CNN_Report@example.us; Mon, 09 Jul 2018 06:23:44 -0500
Date: Mon, 09 Jul 2018 16:23:42 +0500
From: Gail Pitzl
To: CNN_Report@example.us
Message-ID: <25369022612.201879112342@example.us>
Subject: Invoice 5799553 from Gail Pitzl
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_005C_B6069156.A0C16F91"
The messages are a mix of these 'your invoice' type of email that contains a text attachment with a link to a scam site. In the past, they were sending doc files with infection macros, but this latest batch is text files.

Your invoice is attached. Please remit payment at your earliest convenience. Thank you for your business - we appreciate it very much.
http://www.domain.pl/files/EN_en/STATUS/Invoice/
CNN Report
Regards
Gail Pitzl

From: 39.44.xxx.xxx Karachi Sindh PK AS45595 Pakistan Telecom Company Limited
The botnet that is logging in has over 2000 machines and they all try to log in when it starts failing. My temporary block list had 2200 IPs on it last week from them!
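The header above shows the two things a defender can key on in the server's own Exim log: one mailbox authenticating (P=esmtpsa, A=dovecot_login:...) from many unrelated public addresses, and a HELO that claims a private address (helo=10.0.0.54) while arriving from a public one. The following is an added example, not code from the thread or from cPanel, that parses constructed Exim mainlog "<=" lines in the standard Exim format and flags accounts that show that pattern; the log lines, user names and IP addresses are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Fixed prefix of an Exim "message accepted" line: timestamp, message id, sender,
# H=[hostname ](helo) [ip]:port, then P=protocol. Authentication is matched separately
# because the X=/CV= fields between P= and A= are optional.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ "
    r"H=(?:\S+ )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ P=(?P<proto>\S+)"
)
AUTH = re.compile(r" A=\w+:(?P<user>\S+)")

# Constructed sample log: one legitimate office user, and one credential reused from
# eight different addresses, all presenting the same private-range HELO.
SAMPLE_LOG = [
    "2018-07-09 05:10:01 1fcTEq-0001aa-AA <= user1@example.us H=(office.example.us) "
    "[203.0.113.10]:51234 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no "
    "A=dovecot_login:user1@example.us S=2048 for partner@example.org",
] + [
    f"2018-07-09 06:23:{i:02d} 1fcUG{i}-004HRU-LO <= user2@example.us H=(10.0.0.54) "
    f"[198.51.100.{i}]:17873 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no "
    f"A=dovecot_login:user2@example.us S=4096 for victim{i}@example.net"
    for i in range(1, 9)
]

def parse_accepts(lines):
    """Return one dict per accepted-message line: ts, helo, ip, proto, user (None if unauthenticated)."""
    records = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        a = AUTH.search(line)
        rec["user"] = a.group("user") if a else None
        records.append(rec)
    return records

def private_helo(rec):
    """True when the HELO string is a literal RFC 1918 / loopback style address."""
    try:
        return ipaddress.ip_address(rec["helo"]).is_private
    except ValueError:  # a hostname, not an IP literal
        return False

def flag_credential_abuse(lines, max_ips=3):
    """Flag authenticated submitters seen from more than max_ips distinct client IPs."""
    ips, bad_helo = defaultdict(set), defaultdict(int)
    for rec in parse_accepts(lines):
        if rec["proto"] not in ("esmtpa", "esmtpsa") or not rec["user"]:
            continue  # only authenticated submissions count against an account
        ips[rec["user"]].add(rec["ip"])
        bad_helo[rec["user"]] += private_helo(rec)
    return {u: {"distinct_ips": len(s), "private_helo": bad_helo[u]}
            for u, s in ips.items() if len(s) > max_ips}
```

Run against a real /var/log/exim_mainlog the same way, lowering max_ips for accounts that should only ever submit from one office address.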
If you have WHM root access, try this: 1. Run Security Advisor; it has a warning that will show if your email server is exposed improperly to the public. In the warning it will say something like ''your smtp/exim settings are exposing your email server which could allow someone to relay emails using your server''. If you see any warnings, they will also show how to fix the issue.
If you have WHM root access, try this: 1. Run Security Advisor; it has a warning that will show if your email server is exposed improperly to the public. In the warning it will say something like ''your smtp/exim settings are exposing your email server which could allow someone to relay emails using your server''. If you see any warnings, they will also show how to fix the issue.
One warning under Advisor: KernelCare hasn't updated yet, but it takes a day or two to catch up each time. Everything else is green. The server is secure and passes PCI compliance. Good advice though, but the server is not an open relay; these spammers have login credentials. The second I change them, they get popped by cPHulk.
What about an app on the phone that has elevated privileges? Since most apps have contact permissions, a rogue app may be used to trigger the botnet, since there are passwords installed on the phone.
What about an app on the phone that has elevated privileges? Since most apps have contact permissions, a rogue app may be used to trigger the botnet, since there are passwords installed on the phone.
We suspected that too, but three, sometimes four, email addresses are constantly exploited. None of the three/four addresses are on one device, not a phone, desktop, tablet or laptop. It is unlikely that a phone or tablet (they use both) is a single point of exploit. We suspected a WiFi hack or a router exploit, but scans don't show any MITM attacks on the network or WiFi.
It seems to me that after ruling out all devices, humans and software configs, the only point left is the email server.
Is it always this user? From: Gail Pitzl
Regardless of what scans say, as none of them are 100%, I wonder if you would at least be able to narrow it down to where the compromise is coming from by changing the password for the mail user, then leaving it as such until Monday to see if the issue reoccurs. If it does, you know there's some form of compromise in the user's account on the server; if it doesn't, you know it's a device or workstation.
It seems to me that after ruling out all devices, humans and software configs, the only point left is the email server.
Technically, it was on one server; after the second exploit we moved it to our most secure server. So, it seems it would be TWO servers. That being the case, I wonder what on the email server would allow this to happen. Passwords shouldn't be recoverable from an email server.
What about Outlook? Look in the settings to see if Outlook is scheduled to retrieve emails from an unknown IP or host and send them on Monday.
Is it always this user?
From: Gail Pitzl
Regardless of what scans say, as none of them are 100%, I wonder if you would at least be able to narrow it down to where the compromise is coming from by changing the password for the mail user, then leaving it as such until Monday to see if the issue reoccurs. If it does, you know there's some form of compromise in the user's account on the server; if it doesn't, you know it's a device or workstation.
We did a little of that. Since we were worried the exploit might be internal to my network or my computer guy's network, we sent the passwords 4 different ways. That didn't help. We also created two bogus email accounts with fairly simple passwords, and used webmail from their office and ours. I also put the passwords for them in every place we used to transfer passwords in the past. Both accounts remained secure, despite dropping and emailing passwords for them all over the place. I agree that no scanner is 100%, so we literally wiped all the computers in the client's office and reloaded everything from scratch. Even after that, this week they were still exploited.
What about Outlook? Look in the settings to see if Outlook is scheduled to retrieve emails from an unknown IP or host and send them on Monday.
Wow, that is good! But it would need to be two Outlooks on two machines that had been wiped and the operating system reinstalled. The only thing we didn't do was chop the old computers into bits and install new ones! There were no outgoing emails from the exploited systems until they were exploited, then they started sending a bunch. No initial email that could contain the password went out. I just went over the log and it appears that nothing went out for 12 hours prior to the exploit; it was just normal business mail to addresses they send to all of the time.
I have formatted drives hundreds of times. But each time after the OS reinstall I had a handful of programs I would install each time. But I always installed new versions with no saved settings. Any of the software that you reinstall after formatting should be checked for settings if you also installed old saved settings. Microsoft uses ActiveX in its software, meaning one piece of software can be easily manipulated to control another.
Personally I have never trusted email programs on my computer or phone. Since you have cPanel and email services, why not skip Outlook and set up your client(s) with cPanel's Roundcube email services? All of this is easily done in cPanel's Shared, Cloud, VPS or Dedicated plans. This eliminates the opportunity for client-side negative actions, intentional or not. Also, in cPanel they have an excellent email filtering system. I use it heavily to monitor emails coming and going to my accounts. It is very user friendly.
@Serra Just wanted to offer a pat on the back for an excellent analysis and actions shown by you in your first post.
@Serra Just wanted to offer a pat on the back for an excellent analysis and actions shown by you in your first post.
Thanks. I spent a long time working as a systems analyst in my prior career.
Personally I have never trusted email programs on my computer or phone. Since you have cPanel and email services, why not skip Outlook and set up your client(s) with cPanel's Roundcube email services? All of this is easily done in cPanel's Shared, Cloud, VPS or Dedicated plans. This eliminates the opportunity for client-side negative actions, intentional or not. Also, in cPanel they have an excellent email filtering system. I use it heavily to monitor emails coming and going to my accounts. It is very user friendly.
There is a question about the one PC that was wiped 4 weeks ago. It appears that it was not wiped but actually restored from a backup. We were told it was wiped, but the tech that did it doesn't seem to know the difference between a wipe and reinstall and a restore from a backup. We told him we were concerned that it might be infected, so he felt restoring it from a backup was the best solution. His boss has cleared up that situation for him. Both machines were actually wiped last week (prior to the latest exploit).
Just out of curiosity, have you changed the cPanel/FTP password? A hacker could change your email account password if they gain access to your cPanel/FTP. Have you checked the cPanel and FTP access logs to see anything suspicious?
Just out of curiosity, have you changed the cPanel/FTP password? A hacker could change your email account password if they gain access to your cPanel/FTP. Have you checked the cPanel and FTP access logs to see anything suspicious?
1. Yes, I changed the cPanel login password and looked at the access log to ensure no one had logged in. It was clean. 2. The passwords were not updated. The users were still able to access their mail during the exploit, so the password remained the same. 3. I checked the FTP logs specifically to see that no one was uploading. However, since the passwords were not changed, I'm thinking that was not an issue. My client got an email today that someone had accessed their Outlook365 account and tried to SMTP. So now that password has been exploited. That wasn't in Outlook nor any other program; that came from a keylogger or worse. That prompted me to take actions into my own hands. So, it looks like Windows Defender is off and they have no virus scanner on the client's PC now. Most likely the guy who was setting up the computer just hasn't reinstalled them yet. He was there for like 6 hours and I assume he left when it got late, without finishing. I installed Kaspersky FREE and immediately the alarm bells started going off. 5 Trojan files found and deleted. (On a fresh install of two days ago). I also found the old user directories copied from a backup and the whole Windows directory called Windows.old with all of the original Trojans preinstalled. Needless to say, I'm livid. None of this fits with what I've been told, or their client was told, was being done. I'm now confident that the problem was caused by Trojans on the original Windows and then a reinstall of Windows by a tech who wasn't being careful not to reinfect the system. I also found out today that the main tech, who told me he would check the router and verify there was no ARP poisoning, just forgot to do that and it wasn't done until today. He didn't get back with me, so I assume he didn't see anything wrong, but that was a major possibility that should have been ruled out a long time ago. So, failure after failure by the junior tech is what seems to have caused this issue. I hope it was a learning lesson for him.
His boss is a friend of mine, so I don't want my client to fire the company... but I'm writing an email now.