1

Topic: Server got hacked sending spam!

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


Hi, we just got hit by a situation where our server was used to send thousands of emails (and still going). In the log I see:

Jun  4 11:32:15 mxc postfix/qmgr[2040]: 7999063592F: from=<info@viphgroup.com.vn>, size=36426, nrcpt=1 (queue active)
Jun  4 11:32:15 mxc postfix/qmgr[2040]: CA1CE6373AC: from=<info@viphgroup.com.vn>, size=36440, nrcpt=1 (queue active)
Jun  4 11:32:15 mxc postfix/qmgr[2040]: 2DF06643551: from=<info@viphgroup.com.vn>, size=37402, nrcpt=1 (queue active)
Jun  4 11:32:15 mxc postfix/qmgr[2040]: 1C0326481EA: from=<info@viphgroup.com.vn>, size=36433, nrcpt=1 (queue active)
Jun  4 11:32:15 mxc postfix/qmgr[2040]: E73F36311E8: from=<info@viphgroup.com.vn>, size=36461, nrcpt=1 (queue active)
Jun  4 11:32:15 mxc amavis[5325]: (05325-08) Passed SPAM {RelayedTaggedInbound}, [209.222.100.166]:61291 [209.222.100.166] <info@viphgroup.com.vn> -> <daijun0520@163.com>, Queue-ID: 2E58362B63C, mail_id: 9xM2pJqUDT8R, Hits: -, size: 36447, queued_as: 003C862B43E, 399 ms
Jun  4 11:32:15 mxc amavis[5254]: (05254-12) Passed SPAM {RelayedTaggedInbound}, [209.222.100.166]:58009 [209.222.100.166] <info@viphgroup.com.vn> -> <284982557@qq.com>, Queue-ID: 6F0545DEDF2, mail_id: vY52KnatV-H0, Hits: -, size: 36433, queued_as: EE89062AD9E, 624 ms
Jun  4 11:32:15 mxc amavis[5279]: (05279-11) Passed SPAM {RelayedTaggedInbound}, [209.222.100.166]:60141 [209.222.100.166] <info@viphgroup.com.vn> -> <boviad@163.com>, Queue-ID: EED65631103, mail_id: NISNQrL4IFnA, Hits: -, size: 36419, queued_as: EE8E862AFD4, 542 ms
Jun  4 11:32:15 mxc amavis[5265]: (05265-11) Passed SPAM {RelayedTaggedInbound}, [209.222.100.166]:57047 [209.222.100.166] <info@viphgroup.com.vn> -> <123465798@qq.com>, Queue-ID: 2D8AB62E8CF, mail_id: wlP9395HOGXZ, Hits: -, size: 36433, queued_as: F35C662B41D, 541 ms
Jun  4 11:32:15 mxc amavis[5291]: (05291-10) Passed SPAM {RelayedTaggedInbound}, [209.222.100.166]:61741 [209.222.100.166] <info@viphgroup.com.vn> -> <donovan@cruzers.com>, Queue-ID: 0A14564969F, mail_id: IxVoJE3vPx2o, Hits: -, size: 36454, queued_as: EE96562B223, 537 ms
Jun  4 11:32:15 mxc amavis[5403]: (05403-02) Passed SPAM {RelayedTaggedInbound}, [209.222.100.166]:60417 [209.222.100.166] <info@viphgroup.com.vn> -> <catlcastle@gmail.com>, Queue-ID: 76DDB62DCEF, mail_id: 9kS8lqxn3PE0, Hits: -, size: 36461, queued_as: EEFA762B2E0, 536 ms

I added the IP and @viphgroup.com.vn and am trying to remove mails from the queue, but it seems like they are not ending! Weirdly, in the iRed panel I don't see ANY of those emails! It says:
    Received     1455
    Sent     347
    Virus     2
    Quarantined     0

However, it has already sent more than 50K emails this morning!
Can anyone advise on how to fix/debug this hack?


2

Re: Server got hacked sending spam!

Use the script "find_top_sasl_usernames.sh" below to find the username used to perform the most SMTP auth:
https://bitbucket.org/zhb/iredmail/src/ … ail/tools/

It's very possible that the one that performed the most SMTP auth is the spammer; you can reset its password to stop it.

3

Re: Server got hacked sending spam!

I faced the same issue yesterday...

IP addresses from all over the world have been used to connect with sasl_smtp authentication and then deliver spam messages in huge amounts!!

The postfix service went down!!

What could be done to trace the malicious thing?? Is it a script or has someone hacked mail accounts???

I disabled the user account as soon as the alert came, but then another ID started sending spam mails...
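The count that the find_top_sasl_usernames.sh script mentioned in post 2 performs, extended with the per-username distinct-client-IP view that post 3 describes, as an added example that is not the project's own script. It assumes the standard Postfix smtpd log line `client=host[ip], sasl_method=..., sasl_username=...` and runs on a constructed sample log, not the log from the original post:

```shell
#!/bin/sh
# Added example (not iRedMail's find_top_sasl_usernames.sh): rank
# sasl_username values by number of SMTP AUTH logins in a Postfix log and
# show how many distinct client IPs were behind each username. One mailbox
# authenticating from many unrelated IPs is the pattern the thread
# describes: a cracked password being used by a botnet.

# top_sasl_usernames LOGFILE
# Output: "<logins> <distinct_ips> <sasl_username>", most logins first.
top_sasl_usernames() {
    awk '
        /sasl_username=/ {
            # client IP sits between the brackets after "client="
            ip = $0; sub(/.*client=[^[]*\[/, "", ip); sub(/].*/, "", ip)
            # username runs from "sasl_username=" to the next space or comma
            user = $0; sub(/.*sasl_username=/, "", user); sub(/[ ,].*/, "", user)
            logins[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in logins) printf "%d %d %s\n", logins[u], ips[u], u }
    ' "$1" | sort -rn
}

# Constructed sample log (example.com and documentation IP ranges stand in
# for real values). Failed-auth warnings and disconnect lines carry no
# sasl_username and are therefore not counted as logins.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun  4 11:30:01 mxc postfix/smtpd[2101]: 7999063592F: client=unknown[198.51.100.10], sasl_method=PLAIN, sasl_username=info@example.com
Jun  4 11:30:03 mxc postfix/smtpd[2101]: 1A2B3C4D5E6: client=unknown[198.51.100.11], sasl_method=LOGIN, sasl_username=info@example.com
Jun  4 11:30:05 mxc postfix/smtpd[2102]: 2B3C4D5E6F7: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=info@example.com
Jun  4 11:30:06 mxc postfix/smtpd[2102]: 3C4D5E6F7A8: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=info@example.com
Jun  4 11:30:09 mxc postfix/smtpd[2103]: 4D5E6F7A8B9: client=host.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  4 11:30:11 mxc postfix/smtpd[2103]: warning: unknown[198.51.100.10]: SASL PLAIN authentication failed: authentication failure
Jun  4 11:30:12 mxc postfix/smtpd[2103]: disconnect from unknown[198.51.100.10] ehlo=1 auth=0/1 quit=1 commands=3/4
EOF

# On a live server, point this at /var/log/maillog or /var/log/mail.log.
top_sasl_usernames "$SAMPLE_LOG"
```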

4

Re: Server got hacked sending spam!

saquib.akhtar wrote:

I disabled the user account as soon as the alert came, but then another ID started sending spam mails...

Does resetting its password or disabling this account fix the (outbound) spamming issue? If yes, it means this account's password was cracked.

5

Re: Server got hacked sending spam!

ZhangHuangbin wrote:
saquib.akhtar wrote:

I disabled the user account as soon as the alert came, but then another ID started sending spam mails...

Does resetting its password or disabling this account fix the (outbound) spamming issue? If yes, it means this account's password was cracked.


Yes, when I disabled those accounts and changed the passwords the issue was resolved, but SMTP connection attempts are still being made to those accounts, as the logs indicate... what can be done??

Only 5 accounts were targeted randomly... can any malicious script do that??

6

Re: Server got hacked sending spam!

Just using a strong password should be fine; don't let the password be cracked.

7

Re: Server got hacked sending spam!

ZhangHuangbin wrote:

Just using a strong password should be fine; don't let the password be cracked.


I can still see some malicious IPs trying to establish connections... what to do in that case??
Use fail2ban, or is there any other solution??

8

Re: Server got hacked sending spam!

Strong passwords and fail2ban are the best deterrent. fail2ban adds its own headaches with users who can't figure out how to type their passwords, but it's a necessary evil to prevent bots from cracking passwords.