SMTP Auth log on success auth attempts?
Hi everyone,
It seems one of the hosting accounts on our box may have been compromised, most likely via a WordPress plugin, despite everything being jailed, CloudLinux security on top, etc.
However, at this stage I'm not sure if it's system-wide or localised to a few accounts (localised makes more sense).
One issue is, with one of the accounts, exim_mainlog is telling us that emails are coming from overseas source/origin IPs, which means they must have the account's password to authenticate and send.
My first thought was immediately "let's change the password" and these emails should stop in their tracks. Wrong, I changed the password and they did not stop, they're still coming through on the account apparently. Next I thought ok, well the server only requires access from a few incoming countries, so let's use cPHulk's country whitelist/blacklist to assist and start to block a series of countries. This seemed to help, the above block I included was one country I didn't have blacklisted. Which brings me to the question. Where or how does cPanel log SMTP authentication attempts? I basically want to track if these users are sending mail via SMTP with SMTP auth, or help identify if it's another method. I'm really quite perplexed by this and interested to work out how emails are coming through on this account even with the password changed.
2018-08-12 04:29:48 1foYdz-004khY-3H H=([95.180.194.202]) [95.180.194.202]:16119 Warning: "SpamAssassin as ACCOUNTNAME detected message as spam (33.3)"
2018-08-12 04:29:48 1foYdz-004khY-3H H=([95.180.194.202]) [95.180.194.202]:16119 Warning: Message has been scanned: no virus or other harmful content was found
2018-08-12 04:29:48 1foYdz-004khY-3H <= email@domain.com H=([95.180.194.202]) [95.180.194.202]:16119 P=esmtp S=3187 id=35A7EABD6278F035A7EABD6278F035A7@COFHCM8COF T="Enjoy?" for email@domain.com
2018-08-12 04:29:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1foYdz-004khY-3H
2018-08-12 04:29:48 1foYdz-004khY-3H => abbey R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 ULoyLBwrb1v+SREAlCdKhg Saved"
2018-08-12 04:29:48 1foYdz-004khY-3H Completed
I should also mention, after noticing this, that this one domain in question (in the block above) did not previously have DKIM + SPF enabled. That has now been enabled, and the next day the above record in the mail log showed its face.
Some more information to help. Shouldn't the spam/spoof email fail, as there is no 'sender identification' like in the legitimate email that was sent below?
Spam/Spoof Email -
2018-08-14 18:56:08 1fpV7U-00Ar73-NO H=([77.247.88.130]) [77.247.88.130]:10223 Warning: "SpamAssassin as dlicious detected message as spam (29.9)"
2018-08-14 18:56:08 1fpV7U-00Ar73-NO H=([77.247.88.130]) [77.247.88.130]:10223 Warning: Message has been scanned: no virus or other harmful content was found
2018-08-14 18:56:08 1fpV7U-00Ar73-NO <= abbey@DOMAIN.COM H=([77.247.88.130]) [77.247.88.130]:10223 P=esmtp S=2847 id=F7CC69794D52DC5D66C3D3E7F876F7CC@WVFR45JE24 T="Hello!" for abbey@DOMAIN.COM
2018-08-14 18:56:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fpV7U-00Ar73-NO
2018-08-14 18:56:08 1fpV7U-00Ar73-NO => abbey R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 4LIxCSiZclsvdycAlCdKhg Saved"
2018-08-14 18:56:08 1fpV7U-00Ar73-NO Completed
User Sending from Mail Client (LEGIT EMAIL) -
2018-08-14 20:14:05 1fpWKP-00Azfp-VH <= abbey@DOMAIN.COM H=hostname.com (Abbeys-iMac.local) [xxx.xxx.xxx.xxx]:50005 P=esmtpa A=dovecot_plain:abbey@DOMAIN.COM S=3955106 id=8fd96336-fa1d-048a-4bee-c4c38f35025f@DOMAIN.COM T="Interior Design - Deb" for recipient@recipientdomain.com
2018-08-14 20:14:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fpWKP-00Azfp-VH
2018-08-14 20:14:05 1fpWKP-00Azfp-VH Sender identification U=dlicious D=DOMAIN.COM S=abbey@DOMAIN.COM
2018-08-14 20:14:05 1fpWKP-00Azfp-VH SMTP connection outbound 1534241645 1fpWKP-00Azfp-VH DOMAIN.COM recipient@recipientdomain.com
2018-08-14 20:14:24 1fpWKP-00Azfp-VH => recipient@recipientdomain.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.203.27] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1534241664 p9-v6si18391159pff.30 - gsmtp"
Noticed that I didn't have any RBLs enabled on the system, so I've enabled the two defaults in cPanel Exim and also added dnsbl.sorbs.net and b.barracuda.org to see if that helps with this issue, as I noticed a lot of the IPs that seem to be spoofing are blacklisted. Still doesn't answer the initial query of this ticket though.
Where or how does cPanel log SMTP authentication attempts? I basically want to track if these users are sending mail via SMTP with SMTP auth, or help identify if it's another method.
Hello @SupraMario, the information is logged to /var/log/exim_mainlog; however, you may need to enable additional logging options. We have a guide on this at: Let me know if this helps. Thank you.
I can't see anywhere in that which mentions the issue I'm having. I want to be able to view the SMTP authentication process, so I can see where the users are logging in from to verify whether an account has been compromised or not. We can see incoming attempts via Dovecot, but it seems Exim only logs 'failed SMTP authentication' attempts, with no reference/mention of a successful login. Based on the scenario above in this ticket, how am I supposed to identify the origin of the email and whether SMTP authentication was used or another method was used to send?
Actually, I'll take that back: changing the log_selector to "+all" now includes an authentication / login name in the Exim log file.
P=esmtpa A=dovecot_plain:user@domain.com
So I'll keep an eye on that and see if that assists with this issue.
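The log excerpts in this thread already show the field that separates the two cases: the legitimate submission from the mail client carries P=esmtpa A=dovecot_plain:abbey@DOMAIN.COM (credentials were presented), while the spam deliveries carry P=esmtp with no A= field at all (no login, just a remote host handing in a message whose envelope sender happens to use a local domain). The script below is an added example, not code from cPanel or from anyone in the thread. It parses the "<=" arrival lines of an exim_mainlog, splits them into authenticated submissions versus unauthenticated inbound mail, and lists every authenticated login together with the IP it came from, flagging those outside an allowlist the investigator supplies. The sample log text, the example.com/example.net domains, the IPs, and the expected_ips allowlist are all constructed for the example; the A= format assumes the log_selector = +all setting mentioned above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the exim_mainlog excerpts quoted in this
# thread. Addresses, hostnames and IPs are documentation placeholders, not real indicators.
SAMPLE_LOG = """\
2018-08-14 18:56:08 1fpV7U-00Ar73-NO <= abbey@example.com H=([198.51.100.23]) [198.51.100.23]:10223 P=esmtp S=2847 id=F7CC@WVFR45JE24 T="Hello!" for abbey@example.com
2018-08-14 20:14:05 1fpWKP-00Azfp-VH <= abbey@example.com H=hostname.example (Abbeys-iMac.local) [203.0.113.5]:50005 P=esmtpa A=dovecot_plain:abbey@example.com S=3955106 id=8fd9@example.com T="Interior Design" for recipient@example.net
2018-08-15 03:11:42 1fpdAa-000123-Ab <= abbey@example.com H=([192.0.2.77]) [192.0.2.77]:4411 P=esmtpsa A=dovecot_login:abbey@example.com S=2211 id=1@x T="Enjoy?" for victim@example.org
2018-08-15 03:12:00 1fpdAa-000123-Ab => victim@example.org R=dkim_lookuphost T=dkim_remote_smtp
2018-08-15 04:00:00 1fpe00-000456-Cd <= news@example.net H=mail.example.net [203.0.113.9]:25 P=esmtp S=1000 id=n@example.net T="Newsletter" for abbey@example.com
"""

# Message-arrival ("<=") line. With log_selector = +all an authenticated submission
# carries "A=<authenticator>:<login>" right after the "P=" protocol field.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) '
    r'H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]:(?P<port>\d+) '
    r'P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?'
)


def parse_arrival(line):
    """Return the fields of a '<=' line as a dict, or None for any other line type."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['port'] = int(rec['port'])
    if rec['auth']:
        # "dovecot_plain:abbey@example.com" -> authenticator name and the login it verified
        mech, _, login = rec['auth'].partition(':')
        rec['auth_mech'], rec['auth_login'] = mech, login
    else:
        rec['auth_mech'] = rec['auth_login'] = None
    return rec


def classify(rec, local_domains):
    """Label an arrival record the way an investigator would read it."""
    sender_domain = rec['sender'].rpartition('@')[2].lower()
    if rec['auth_login']:
        # Credentials were presented: this is genuine outbound use of the account.
        return 'authenticated_submission'
    if sender_domain in local_domains:
        # No credentials, but the envelope sender claims a domain hosted here:
        # inbound mail from a remote host using a local address, not an account login.
        return 'unauthenticated_local_sender'
    return 'unauthenticated_inbound'


def summarize(log_text, local_domains, expected_ips=()):
    """Count arrivals per class and list authenticated logins from IPs outside expected_ips."""
    local_domains = {d.lower() for d in local_domains}
    report = {'by_class': defaultdict(int), 'logins': defaultdict(set), 'unexpected_logins': []}
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        label = classify(rec, local_domains)
        report['by_class'][label] += 1
        if label == 'authenticated_submission':
            report['logins'][rec['auth_login']].add(rec['ip'])
            if rec['ip'] not in expected_ips:
                report['unexpected_logins'].append(
                    (rec['ts'], rec['auth_login'], rec['ip'], rec['auth_mech']))
    report['by_class'] = dict(report['by_class'])
    report['logins'] = {k: sorted(v) for k, v in report['logins'].items()}
    return report


if __name__ == '__main__':
    # Run against the constructed sample; on a real box, read /var/log/exim_mainlog instead.
    rep = summarize(SAMPLE_LOG, {'example.com'}, expected_ips={'203.0.113.5'})
    for label, n in sorted(rep['by_class'].items()):
        print(f'{label:32} {n}')
    for ts, login, ip, mech in rep['unexpected_logins']:
        print(f'{ts} authenticated as {login} from {ip} via {mech}')
```

Only the 'authenticated_submission' rows prove that someone holds the account's password; the 'unauthenticated_local_sender' rows are remote hosts delivering mail with a forged local envelope sender, which a password change cannot stop and which SPF/DKIM checks and RBLs on the inbound side are meant to address.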