Determine if Email account or server hacked
This morning there were a lot of SPAM email messages sent through our server from one of our clients' legitimate email accounts. I'm trying to determine whether it was their email account or the server itself that was hacked. If I go to Mail Delivery Reports > View Relayers I get about 34 pages of details for this account. One of the examples is provided below. It appears that the server is being used as an SMTP relay. As best I understand it, this means the email account itself is compromised, correct? Or could it be something else? I'm already changing the password while I continue to look into this.
Event: success success
User: xxxxxxx
Domain: xxxxx.com
Sender: vydox@pediting.me
Sent Time: May 22, 2014 11:07:11 AM
Sender Host: 03b553ef.pediting.me
Sender IP: 198.98.122.186
Authentication: forwarder
Spam Score:
Recipient: xxxxxx@xxxxx.com
Delivered To: xxxxxx@msn.com
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: May 22, 2014 11:07:11 AM
ID: 1WnUb5-00008h-Et
Delivery Host: mx2.hotmail.com
Delivery IP: 65.55.92.136
Size: 5.59 KB
Result: Message accepted -
Hello :) Search for the email address in /var/log/exim_mainlog using the "exigrep" utility to get a better idea of how the messages were sent out. EX: exigrep user@domain /var/log/exim_mainlog
Also, if any of the messages are still in the queue, view the headers with a command such as: exim -Mvh messageID
Thank you.
Thanks for the response. I changed the password for that account but after 20 minutes or so the spammers were at it again. I'm running a ClamAV scan on the user's home directory now. The client has already run full AV and malware scans on all workstations used to access this account. I'm still not sure what is going on. I'll include a sample output from "exigrep user@domain /var/log/exim_mainlog" as soon as the scan finishes and the load returns to acceptable levels.
I also encountered this kind of problem. Is there any command to determine what file is executing or sending an email? Thank you.
Hello,

- To list the folders from which mails are being generated (this will include valid scripts too):

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

- To list which mail account is reporting the highest activity:

# exim -bpr | grep "<.*@.*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
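To turn the exigrep and awk one-liners from this thread into a repeatable triage step, here is an added Python example (not from the thread, and not cPanel or Exim code) that parses Exim mainlog lines and separates the two cases the thread is trying to tell apart: bulk mail arriving over authenticated SMTP (an `A=dovecot_login:user` tag on the `<=` arrival line, which points at a stolen mailbox password) versus bulk mail submitted by a local script (the `cwd=/home/...` lines the awk command above counts, which keep going after a password change, as the original poster saw). The field layout assumes Exim's default main log format as shipped with cPanel; the sample log, account names, directories, IP addresses and the reporting threshold are all constructed for this example.

```python
"""Exim mainlog triage: stolen mailbox password vs. compromised web script.

Added example for the thread above; the log lines, accounts, IPs and
directories below are constructed, and the log format assumed is Exim's
default main log as used by cPanel.
"""
import re
from collections import Counter

# Constructed sample: three authenticated submissions for bob from one
# foreign IP, three local sendmail calls from a writable uploads directory,
# and alice's ordinary low-volume traffic as a control.
SAMPLE_LOG = """\
2014-05-22 11:07:09 1WnUb3-00008a-Aa <= bob@example.com H=(spam-relay.example) [198.51.100.23] P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:bob@example.com S=5724 id=a1@spam-relay.example T="Special offer" for victim1@example.net
2014-05-22 11:07:11 1WnUb5-00008h-Et <= bob@example.com H=(spam-relay.example) [198.51.100.23] P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:bob@example.com S=5730 id=a2@spam-relay.example T="Special offer" for victim2@example.net
2014-05-22 11:07:15 1WnUb9-00008k-Zq <= bob@example.com H=(spam-relay.example) [198.51.100.23] P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:bob@example.com S=5731 id=a3@spam-relay.example T="Special offer" for victim3@example.net
2014-05-22 11:30:02 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-05-22 11:30:02 1WnUxZ-0000A1-Bb <= bob@example.com U=bob P=local S=4120 T="Special offer" for victim4@example.net
2014-05-22 11:30:04 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-05-22 11:30:04 1WnUxb-0000A3-Cc <= bob@example.com U=bob P=local S=4120 T="Special offer" for victim5@example.net
2014-05-22 11:30:06 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-05-22 11:30:06 1WnUxd-0000A5-Dd <= bob@example.com U=bob P=local S=4120 T="Special offer" for victim6@example.net
2014-05-22 12:00:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2014-05-22 12:00:00 1WnVQe-0000B4-Ee <= alice@example.com U=alice P=local S=980 T="Your order" for customer@example.org
2014-05-22 12:05:00 1WnVVe-0000B9-Ff <= alice@example.com H=(home.example.org) [203.0.113.7] P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@example.com S=2210 id=x@home T="Hi" for friend@example.org
"""

# "<=" arrival line: remote submissions carry H=... [ip] and, when the client
# logged in, A=<authenticator>:<account>; local submissions carry U=<user>.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"(?:H=[^\[]*\[(?P<ip>[^\]]+)\] )?"
    r"(?:U=\S+ )?"
    r"P=(?P<proto>\S+) "
    r"(?:X=\S+ )?"
    r"(?:A=(?P<auth>\S+) )?"
)
# Local sendmail invocation: the working directory of the calling process.
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")


def parse_arrivals(log_text):
    """Yield one dict (ts, id, sender, ip, proto, auth) per '<=' line."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield m.groupdict()


def authenticated_senders(log_text):
    """Count submissions per (authenticated account, client IP).

    One mailbox logging in over and over from an IP its owner never uses is
    the signature of a stolen password, not of a compromised server.
    """
    counts = Counter()
    for a in parse_arrivals(log_text):
        if a["auth"]:
            account = a["auth"].split(":", 1)[1] if ":" in a["auth"] else a["auth"]
            counts[(account, a["ip"])] += 1
    return counts


def local_script_dirs(log_text):
    """Count local sendmail calls per working directory under /home.

    Same signal as the thread's awk one-liner: a directory under a user's home
    calling sendmail in bulk is where to look for a malicious script, and that
    path keeps sending after the mailbox password is changed.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m and m.group("cwd").startswith("/home/"):
            counts[m.group("cwd")] += 1
    return counts


def classify(log_text, threshold=3):
    """Return human-readable findings for every source at or above threshold."""
    findings = []
    for (account, ip), n in authenticated_senders(log_text).most_common():
        if n >= threshold:
            findings.append(f"SMTP auth: {account} from {ip} submitted {n} messages "
                            f"(rotate the mailbox password, review login sources)")
    for cwd, n in local_script_dirs(log_text).most_common():
        if n >= threshold:
            findings.append(f"local script: {cwd} called sendmail {n} times "
                            f"(inspect files in that directory, check write permissions)")
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

On a real server, read `/var/log/exim_mainlog` into `log_text` instead of `SAMPLE_LOG`. The two counters answer the thread's question directly: if only `authenticated_senders` is busy, changing the password and checking the client's machines is the right response; if `local_script_dirs` is busy as well, as it was for the original poster after the password change, the account is not the only problem and the listed directory is the place to look.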