Potentially compromised account
Hi Guys,
Can someone give me some pointers on dealing with an account that is constantly sending mail? I'd like to understand what is happening and how to stop it.
The account is an account from a reseller. I have reset the password twice in the last few days to a 10-character strong password, but this has not helped. I have emptied the queue and removed the emails, but that still has not stopped it.
------------------------
Currently I can see 43 mails in the queue.
-------------------------
Emails Alerts received:
The following users sent mail with SMTP auth over 100 times in the past hour (Jul 31 14:00):
dbstudios@domain.tld 263
The following users sent mail with SMTP auth from more than 3 hosts in the past hour:
dbstudios@domain.tld 8
They are potentially compromised accounts being used for spamming. Please check and suspend if required.
[Removed - Please Exclude Real Domain Names and IP Addresses When Pasting Logs]
Thanks
Paul
-
Hi, the information you gave tells us that the mails are sent through SMTP auth, so you have to check which script in the account is exactly triggering it. Check the logs:
# cat /var/log/exim_mainlog | grep | grep public_
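As an added example (not part of the reply above, and not cPanel's own check), here is a small Python script that does what the alert in the first post does by hand: it reads exim_mainlog "<=" lines, keeps only the ones carrying an "A=authenticator:user" field (which exim writes when the message was accepted over SMTP auth), and counts per hour how many submissions each mailbox made and from how many distinct source IPs. The thresholds of 100 sends and 3 hosts per hour are the ones quoted in the alert emails; the log lines below are constructed in exim_mainlog format with documentation addresses and are not the poster's real logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in exim_mainlog format (not the poster's real log).
# Authenticated submissions carry an "A=<authenticator>:<user>" field; an
# inbound bounce (backscatter) shows "<= <>" and no A= field at all.
SAMPLE_LOG = """\
2019-07-31 14:01:02 1hsdFH-0001Bd-2u <= dbstudios@domain.tld H=(ip-198-51-100-7) [198.51.100.7] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:dbstudios@domain.tld S=2413 id=a1@domain.tld
2019-07-31 14:03:17 1hsdHN-0001Cq-1x <= dbstudios@domain.tld H=([203.0.113.9]) [203.0.113.9] P=esmtpa A=dovecot_login:dbstudios@domain.tld S=2418 id=a2@domain.tld
2019-07-31 14:05:41 1hsdJh-0001Dz-0k <= dbstudios@domain.tld H=(WIN-PC) [192.0.2.33] P=esmtpa A=dovecot_login:dbstudios@domain.tld S=2420 id=a3@domain.tld
2019-07-31 14:09:05 1hsdN0-0001Fa-3m <= dbstudios@domain.tld H=([203.0.113.9]) [203.0.113.9] P=esmtpa A=dovecot_login:dbstudios@domain.tld S=2422 id=a4@domain.tld
2019-07-31 14:12:58 1hsdQq-0001Gb-2p <= dbstudios@domain.tld H=(mail.example) [198.51.100.200] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:dbstudios@domain.tld S=2425 id=a5@domain.tld
2019-07-31 14:15:10 1hsdT2-0001Hc-1q <= <> H=mx.other.example [192.0.2.77] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=5120 id=bounce@other.example
2019-07-31 15:02:30 1hseDa-0001Jd-0r <= other@domain.tld H=(laptop) [192.0.2.50] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:other@domain.tld S=1900 id=b1@domain.tld
"""

# Fields pulled from an exim "<=" (message received) line:
#   hour  - "YYYY-MM-DD HH", the bucket the cPanel alert also uses
#   ip    - the connecting client's address, "[ip]" (optionally ":port") before "P="
#   user  - the authenticated identity after "A=<authenticator>:"
AUTH_RE = re.compile(
    r'^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} \S+ <= \S+ '
    r'.*?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? P='
    r'.*? A=(?P<auth>[^:\s]+):(?P<user>\S+)'
)


def parse_auth_submissions(log_text):
    """Return a list of (hour, user, ip) for every authenticated submission.

    Lines without an A= field (inbound mail, bounces, local pickup) are
    ignored, so backscatter from spoofed mail is not counted against the user.
    """
    records = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            records.append((m.group('hour'), m.group('user'), m.group('ip')))
    return records


def summarize_by_hour(records):
    """Map (hour, user) -> {'count': sends, 'hosts': set of source IPs}."""
    summary = defaultdict(lambda: {'count': 0, 'hosts': set()})
    for hour, user, ip in records:
        entry = summary[(hour, user)]
        entry['count'] += 1
        entry['hosts'].add(ip)
    return dict(summary)


def flag_accounts(summary, max_per_hour=100, max_hosts=3):
    """Apply the two thresholds quoted in the alert emails.

    Returns a sorted list of (hour, user, reason, value) where reason is
    'sends' (more than max_per_hour submissions) or 'hosts' (submissions from
    more than max_hosts distinct IPs) in that hour.
    """
    flags = []
    for (hour, user), entry in sorted(summary.items()):
        if entry['count'] > max_per_hour:
            flags.append((hour, user, 'sends', entry['count']))
        if len(entry['hosts']) > max_hosts:
            flags.append((hour, user, 'hosts', len(entry['hosts'])))
    return flags


def hosts_for_user(summary, user):
    """All source IPs that authenticated as `user`, across every hour."""
    ips = set()
    for (_, u), entry in summary.items():
        if u == user:
            ips |= entry['hosts']
    return sorted(ips)


if __name__ == '__main__':
    # On a real server: open('/var/log/exim_mainlog').read() instead of SAMPLE_LOG
    summary = summarize_by_hour(parse_auth_submissions(SAMPLE_LOG))
    for hour, user, reason, value in flag_accounts(summary):
        print(f'{hour}  {user}  {reason}={value}')
    print('hosts seen for dbstudios@domain.tld:',
          hosts_for_user(summary, 'dbstudios@domain.tld'))
```

The list returned by hosts_for_user is the practical output: if those IPs are not the customer's own mail clients, the credentials are in someone else's hands, and a password reset only helps once every one of those sessions has been forced to re-authenticate and the new password is not reused anywhere the attacker can still reach.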
Hello, I have grepped the maillog files but have no entries for this client. Also, this account does not have a web or php directory; when using find in the reseller's directory I can only see entries for mail. Interestingly, this morning I have no warning emails; the last one was last night at 17:00. This morning's log looks like below. I can see imap-login: Login: user=, however since I changed the password is this a successful connection? I am also seeing spam being sent; is this perhaps spoofed mail that is returning to me?
- Removed -
Hello, could you review the link below and verify if any of the solutions on those threads help in your case?
outgoingspam | cPanel Forums
Thank you.