
If odd bounces are coming back to the server, or the server's IP lands on a blacklist, an account on the server may have been compromised and is being used to relay spam. Here's how to diagnose the issue:

Read the qmail queue and look for messages with suspicious senders or an unusually large number of recipients.

# /var/qmail/bin/qmail-qread
10 Feb 2007 07:31:08 GMT  #476884  10716  
        remote  debbarger@earthlink.net
        remote  debbiabbis@hotmail.com
        remote  debbiak@aol.com
        *** lots more recipients below ***

This is a phishing e-mail being sent out to imitate PayPal. Now you need to find which IP is sending this e-mail, so grab the message ID (the number after the #) and pass it to qmHandle to view the message headers:

# qmHandle -m476884 | less
Received: (qmail 20390 invoked from network); 10 Feb 2007 07:31:08 -0600
Received: from unknown (HELO User) (207.219.92.194)

In this case, the offending connection came from 207.219.92.194 (the first Received header is the one written by our own qmail, so the IP in it is the client that authenticated to us, not something a sender could forge). Now we can dig for the SMTP AUTH login in /var/log/messages. Use a fixed-string grep, since the dots in an IP are regex wildcards otherwise:

# grep -F 207.219.92.194 /var/log/messages
Feb 10 10:19:33 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:19:33 s60418 smtp_auth: smtp_auth: SMTP user [USER] : /var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown@ [207.219.92.194]

Just for giggles, let's find out what their password is. Plesk of this vintage stores mailbox passwords in clear text in the psa database, so the password the attacker guessed is right there:

# mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql> use psa;
mysql> select CONCAT(mail_name,"@",name) as email_address,accounts.password
from mail left join domains on domains.id=mail.dom_id left join accounts on
accounts.id=mail.account_id where mail_name like '[USER]';
+---------------------------+----------+
| email_address             | password |
+---------------------------+----------+
| [USER]@[DOMAIN]           | password |
+---------------------------+----------+
1 row in set (0.00 sec)

Well, 'password' isn't a great password. Log into Plesk and change this password ASAP, and delete the queued phishing messages so they don't go out (qmHandle -d476884 deletes a single message by ID). To verify your work, tail /var/log/messages and you should see the attacker's next login attempt fail:

# tail -f /var/log/messages
Feb 10 10:27:08 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:27:08 s60418 smtp_auth: smtp_auth: FAILED: [USER] - password incorrect from unknown@ [207.219.92.194]
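The same triage, written up as an added example that is not part of the original post: queue listing to message ID, message headers to sending IP, IP to smtp_auth login, and a check of failed logins after the password reset. It runs against constructed sample data embedded in the script (the queue listing, the log lines, the hostnames and addresses are all made up in the formats shown above), so it can be exercised offline before pointing it at /var/qmail/bin/qmail-qread output and the real log.

```shell
#!/bin/sh
# Added example (not code from the original post): the post's triage steps
# as shell functions, run against constructed sample data so it works offline.
# All paths, hostnames, addresses and log lines below are made up.

SAMPLE_QUEUE=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_QUEUE" "$SAMPLE_LOG"' EXIT

# Constructed qmail-qread output: one bulk message and one normal one.
cat > "$SAMPLE_QUEUE" <<'EOF'
10 Feb 2007 07:31:08 GMT  #476884  10716  <bounce@example.org>
        remote  debbarger@example.net
        remote  debbiabbis@example.net
        remote  debbiak@example.net
        remote  debbie@example.com
10 Feb 2007 07:32:11 GMT  #476885  812  <alice@example.com>
        remote  friend@example.net
EOF

# Constructed /var/log/messages lines in the smtp_auth format the post shows.
cat > "$SAMPLE_LOG" <<'EOF'
Feb 10 10:19:33 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:19:33 s60418 smtp_auth: smtp_auth: SMTP user alice : /var/qmail/mailnames/example.com/alice logged in from unknown@ [207.219.92.194]
Feb 10 10:20:01 s60418 smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/example.net/bob logged in from unknown@ [10.0.0.5]
Feb 10 10:21:45 s60418 smtp_auth: smtp_auth: SMTP user alice : /var/qmail/mailnames/example.com/alice logged in from unknown@ [207.219.92.194]
Feb 10 10:27:08 s60418 smtp_auth: smtp_auth: FAILED: alice - password incorrect from unknown@ [207.219.92.194]
EOF

# Step 1: flag queued messages with at least $2 recipients.
# Prints "<message id> <recipient count>" for each flagged message.
queue_bulk_messages() {
    awk -v max="$2" '
        function flush() { if (id != "" && n >= max) print id, n }
        /^[0-9][0-9]* [A-Z][a-z][a-z] [0-9][0-9]* [0-9:]* GMT/ {
            flush(); id = substr($6, 2); n = 0; next   # $6 looks like "#476884"
        }
        /^[ \t][ \t]*(remote|local)[ \t]/ { n++ }
        END { flush() }
    ' "$1"
}

# Step 2: pull the client IP out of the "Received: from ... (a.b.c.d)" header.
# Reads the headers from stdin (e.g. the output of qmHandle -m<id>).
sender_ip_from_headers() {
    sed -n 's/^Received: from .*(\([0-9][0-9.]*\)).*/\1/p' | head -n 1
}

# Step 3: which mailboxes authenticated from that IP, and how often.
# grep -F, because the dots in an IP are regex wildcards under plain grep.
accounts_from_ip() {
    grep -F "[$1]" "$2" | grep -F ' logged in from ' \
      | sed -n 's/.*SMTP user [^:]*: \([^ ]*\) logged in.*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Step 4: after the password change, count failed logins from that IP.
failed_from_ip() {
    grep -F "[$1]" "$2" | grep -F 'FAILED:' \
      | sed -n 's/.*FAILED: \([^ ]*\) - .*/\1/p' | sort | uniq -c
}

# Walk the whole procedure on the sample data.
echo "Bulk messages in queue (>= 3 recipients):"
queue_bulk_messages "$SAMPLE_QUEUE" 3
IP=$(printf 'Received: (qmail 20390 invoked from network); 10 Feb 2007 07:31:08 -0600\nReceived: from unknown (HELO User) (207.219.92.194)\n' | sender_ip_from_headers)
echo "Sending IP: $IP"
echo "Accounts that logged in from $IP:"
accounts_from_ip "$IP" "$SAMPLE_LOG"
echo "Failed logins from $IP after the reset:"
failed_from_ip "$IP" "$SAMPLE_LOG"
```

On a real server replace the sample files with `/var/qmail/bin/qmail-qread > queue.txt`, `qmHandle -m<id> | sender_ip_from_headers` and the actual log; if your Plesk writes smtp_auth entries to its maillog instead of /var/log/messages, pass that file as the second argument.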

Big thanks goes to Jon B. and Mike J. for this.

4 Responses to “Finding compromised mail accounts in Plesk”
  1. I’m not seeing the 'smtp_auth' messages in /var/log/messages … In /var/log/secure, I am seeing

    Mar 30 04:55:35 hostname xinetd[4220]: START: smtp pid=19223 from=XXX.YYY.53.75

    (I changed the hostname and changed part of the IP address for privacy reasons)

    Can anybody help drive another nail into spam’s coffin? I would love to get something juicy like “/var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown” … it would be nice to know which account(s) is/are compromised. Thanks.

  2. I’ve done some more research, and it appears this might be due to people using STARTTLS . The traffic is encrypted, and the username used to login isn’t recorded anywhere that I can see. Does anybody know how to turn on logging for usernames when STARTTLS is used?

  3. I’d like the answer to madcat’s comments too! Any help? :)

  4. trv, madcat: Sometimes the smtp_auth entries are in the maillog rather than the messages log. Try looking in $PRODUCT_ROOT_D/var/log/maillog . $PRODUCT_ROOT_D is defined in /etc/psa/psa.conf (in RHEL country).
