How can I know how an email account was breached?
Hi, it seems that a spammer cracked an email account and all my SMTP relays were consumed. My server is a CentOS VPS.
I have taken every prevention method I have found in the cPanel documentation and still it happened; everything here is covered:
Sender: notificaciones@example.com.mx
Sent Time: Oct 13, 2016 10:40:10 AM
Sender Host: [Removed]
Sender IP: [Removed]
Authentication: dovecot_login
Spam Score: 2.8
Recipient: someusr@hotmail.com
Delivered To:
Delivery User:
Delivery Domain:
Router: send_to_smart_host
Transport: remote_smtp
Using this script on SSH I found out an email account I own, francisco.gonzalez@example.com, has sent more than 9,000 emails:
perl -lsne '/$today.* \[([0-9.]+)\]:.+dovecot_(?:login|plain):([^\s]+).* for (.*)/ and $sender{$2}{r}+=scalar (split / /,$3) and $sender{$2}{i}{$1}=1; END {foreach $sender(keys %sender){printf"Recip=%05d Hosts=%03d Auth=%s\n",$sender{$sender}{r},scalar (keys %{$sender{$sender}{i}}),$sender;}}' -- -today=$(date +%F) /var/log/exim_mainlog | sort
42001
I want to find out how that account was breached in order to prevent further attacks. Any guess? Any help will be really appreciated. Thank you.
Hello, Could you verify if cPHulk brute force protection is enabled on this system? You can review entries in /var/log/maillog for that email account with a command such as:
grep user@domain /var/log/maillog
Look for high amounts of authentication failures that would suggest the email account's password was brute forced. Thank you.
Hi Michael, thank you very much for answering. Yes, cPHulk is enabled. I reviewed the logs like you advised me and found these auth errors; however, they were at the same time that IP sent some malicious mails (it sent 4 on October 12th at 3:24:15 PM and then stopped, continuing the next day). - Removed - I used grep with the attacker's IP (grep user@domain /var/log/maillog) and got this: - Removed - It seems that IP also tried to log in to other accounts, but since cPHulk is enabled and I don't see many login attempts I think a brute force attack is unlikely, or am I wrong?
Hello, It looks like the output you provided was moderated. Could you post the output again, ensuring to remove any identifying information about the server, IP addresses, or domain names? You can post the relevant entries instead of the full output. Thank you.
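Bringing the two checks in this thread together (the per-account exim_mainlog tally that the original post's perl one-liner produces, and Michael's advice to look in /var/log/maillog for authentication failures), here is an added Python example; it is not code from the post or from cPanel. The log lines, host names and IPs are constructed samples in the real formats, and the regexes assume Exim's default `<=` line carrying `A=dovecot_login:` or `A=dovecot_plain:` plus a `for` recipient list, and Dovecot's standard `imap-login`/`pop3-login` messages with a `rip=` field.

```python
import re
from collections import defaultdict
# Constructed sample lines in exim_mainlog format (not from the post); IPs are documentation ranges.
EXIM_LOG = """\
2016-10-13 10:40:10 1buABC-0001AB-CD <= notificaciones@example.com.mx H=(host) [203.0.113.5]:51234 P=esmtpa A=dovecot_login:francisco.gonzalez@example.com S=2048 for someusr@hotmail.com other@example.net
2016-10-13 10:40:12 1buABC-0001AC-EF <= notificaciones@example.com.mx H=(host) [203.0.113.9]:51300 P=esmtpa A=dovecot_login:francisco.gonzalez@example.com S=2048 for a@example.org
2016-10-13 10:41:00 1buABC-0001AD-GH <= owner@example.com H=(laptop) [198.51.100.2]:4000 P=esmtpsa A=dovecot_plain:owner@example.com S=900 for friend@example.net
2016-10-12 23:59:59 1buABC-0001AE-IJ <= old@example.com H=(h) [198.51.100.3]:4100 P=esmtpa A=dovecot_login:old@example.com S=100 for x@example.net
"""
# Constructed Dovecot lines in /var/log/maillog format: two failures, then a success, from one IP.
MAILLOG = """\
Oct 12 15:24:10 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<francisco.gonzalez@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS
Oct 12 15:24:12 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<francisco.gonzalez@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS
Oct 12 15:24:15 vps dovecot: imap-login: Login: user=<francisco.gonzalez@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, mpid=1234, TLS
Oct 12 15:24:30 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<other@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS
Oct 12 15:25:00 vps dovecot: imap-login: Login: user=<owner@example.com>, method=PLAIN, rip=198.51.100.2, lip=10.0.0.1, mpid=1235, TLS
"""

# Same three fields the perl one-liner captures: source IP, authenticated user, recipient list.
EXIM_RE = re.compile(r"\[([0-9.]+)\]:.+A=dovecot_(?:login|plain):(\S+).* for (.*)")
# Dovecot login outcome, user and remote IP ("rip").
DOVECOT_RE = re.compile(r"dovecot: \S+-login: (Login|Disconnected \(auth failed)[^<]*user=<([^>]*)>.*rip=([0-9.]+)")

def exim_senders(log, day):
    """Per authenticated user on `day` (YYYY-MM-DD): recipients addressed and distinct sending IPs."""
    stats = defaultdict(lambda: {"recipients": 0, "ips": set()})
    for line in log.splitlines():
        m = EXIM_RE.search(line) if line.startswith(day) else None
        if m:
            ip, user, rcpts = m.groups()
            stats[user]["recipients"] += len(rcpts.split())  # one token per recipient
            stats[user]["ips"].add(ip)
    return stats

def dovecot_auth(log):
    """Per (user, remote IP): number of failed and successful Dovecot logins."""
    counts = defaultdict(lambda: {"failed": 0, "ok": 0})
    for line in log.splitlines():
        m = DOVECOT_RE.search(line)
        if m:
            kind, user, ip = m.groups()
            counts[(user, ip)]["ok" if kind == "Login" else "failed"] += 1
    return counts

def suspicious_logins(counts, min_failures=2):
    """(user, ip) pairs with repeated failures and then a success: the guessed-password signature."""
    return sorted(k for k, v in counts.items() if v["failed"] >= min_failures and v["ok"] > 0)

if __name__ == "__main__":
    print(exim_senders(EXIM_LOG, "2016-10-13"), suspicious_logins(dovecot_auth(MAILLOG)))
```

A pair with a run of failures followed by a success points to a guessed password; a success with no failures at all from an unfamiliar IP points instead to a password obtained elsewhere (reuse, phishing or malware on a client), which cPHulk cannot stop.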