Finding compromised mail accounts in Plesk

If odd bounced e-mails are coming back to the server or the server is listed in a blacklist, some mail accounts on the server may be compromised: a spammer has obtained a mailbox password and is relaying through the server with SMTP AUTH. Here's how to diagnose the issue:

Read the queue and look for messages with funky senders or lots of recipients.

# /var/qmail/bin/qmail-qread
10 Feb 2007 07:31:08 GMT  #476884  10716  
        remote  debbarger@earthlink.net
        remote  debbiabbis@hotmail.com
        remote  debbiak@aol.com
        *** lots more recipients below ***

This is a phishing e-mail being sent out to imitate PayPal. Now you need to find which IP is sending this e-mail, so grab the message ID (the number after the #) and pass it to qmHandle, which prints the message including the Received headers qmail added when it accepted it:

# qmHandle -m476884 | less
Received: (qmail 20390 invoked from network); 10 Feb 2007 07:31:08 -0600
Received: from unknown (HELO User) (207.219.92.194)

In this case, the Received header added by this server shows the message was injected from 207.219.92.194. Now we can dig for the SMTP AUTH login from that IP in /var/log/messages:

# grep -i 207.219.92.194 /var/log/messages
Feb 10 10:19:33 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:19:33 s60418 smtp_auth: smtp_auth: SMTP user [USER] : /var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown@ [207.219.92.194]

Just for giggles, let's find out what their password is. This works because Plesk of this vintage stores mailbox passwords in plain text in the psa database:

# mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql> use psa;
mysql> select CONCAT(mail_name,"@",name) as email_address,accounts.password
from mail left join domains on domains.id=mail.dom_id left join accounts on
accounts.id=mail.account_id where mail_name like '[USER]';
+---------------------------+----------+
| email_address             | password |
+---------------------------+----------+
| [USER]@[DOMAIN]           | password |
+---------------------------+----------+
1 row in set (0.00 sec)

Well, 'password' isn't a great password. Log into Plesk and change this password ASAP. Changing the password stops new logins but does not touch what is already in the queue, so delete the queued spam as well (qmHandle -d followed by the message ID, e.g. qmHandle -d476884, removes one message) and re-read the queue afterwards. To verify your work, tail /var/log/messages and you should see the spammer's client failing to authenticate:

# tail -f /var/log/messages
Feb 10 10:27:08 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:27:08 s60418 smtp_auth: smtp_auth: FAILED: [USER] - password incorrect from unknown@ [207.219.92.194]
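The three manual steps above (read the queue, pull the IP from the Received header, grep the smtp_auth lines for that IP) can be turned into a reusable check over the log. The script below is an added example written for this page; it is not part of the original post and not Plesk's own tooling. It parses smtp_auth lines in the exact format shown above, answers the post's question (which mailboxes logged in from a given IP), and goes one step further with an assumed heuristic: a mailbox whose password is used from many distinct IPs in one log window is worth resetting even before a phishing run shows up in the queue. The lines in SAMPLE_LOG are constructed (documentation IP ranges, made-up mailboxes), and the function names are my own.

```python
"""
Pick compromised SMTP AUTH accounts out of Plesk/qmail smtp_auth log lines.

Added example, not part of the original post. The log format is copied
from the /var/log/messages lines shown in the post; the sample lines
below are constructed, and the "many source IPs" heuristic is an
assumption about spammer behaviour, not something the post states.
"""
import re
from collections import defaultdict

# "Feb 10 10:19:33 host smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/dom/bob logged in from unknown@ [1.2.3.4]"
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smtp_auth: smtp_auth: "
    r"SMTP user (?P<user>.+?) : (?P<mailbox>\S+) logged in from \S+ \[(?P<ip>[0-9.]+)\]$"
)
# "Feb 10 10:27:08 host smtp_auth: smtp_auth: FAILED: bob - password incorrect from unknown@ [1.2.3.4]"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smtp_auth: smtp_auth: "
    r"FAILED: (?P<user>.+?) - (?P<reason>.+?) from \S+ \[(?P<ip>[0-9.]+)\]$"
)


def parse_smtp_auth(lines):
    """Return one dict per smtp_auth login/failure line; every other line
    (connect lines, xinetd noise, unrelated daemons) is skipped."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = LOGIN_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ok": True})
            continue
        m = FAILED_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ok": False})
    return events


def logins_from_ip(events, ip):
    """The post's step 3: which mailboxes authenticated successfully from this IP?"""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] == ip})


def accounts_by_source_count(events, min_ips=3):
    """Heuristic (assumption): a mailbox whose password is used from many
    distinct IPs in one log window is probably being driven by a botnet.
    Returns {user: sorted list of IPs} for users with at least min_ips."""
    ips = defaultdict(set)
    for e in events:
        if e["ok"]:
            ips[e["user"]].add(e["ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) >= min_ips}


def failures_by_ip(events):
    """After the reset the attacker keeps trying: count FAILED lines per IP,
    which is the signal the post tells you to look for with tail -f."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["ip"]] += 1
    return dict(counts)


# Constructed sample log (not from a real server); IPs are from the
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
Feb 10 10:19:33 s60418 smtp_auth: SMTP connect from unknown@ [198.51.100.7]
Feb 10 10:19:33 s60418 smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/example.com/bob logged in from unknown@ [198.51.100.7]
Feb 10 10:20:01 s60418 smtp_auth: smtp_auth: SMTP user alice : /var/qmail/mailnames/example.com/alice logged in from unknown@ [203.0.113.5]
Feb 10 10:20:44 s60418 smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/example.com/bob logged in from unknown@ [203.0.113.9]
Feb 10 10:21:10 s60418 smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/example.com/bob logged in from unknown@ [203.0.113.77]
Feb 10 10:21:12 s60418 xinetd[4220]: START: smtp pid=19223 from=203.0.113.77
Feb 10 10:27:08 s60418 smtp_auth: SMTP connect from unknown@ [198.51.100.7]
Feb 10 10:27:08 s60418 smtp_auth: smtp_auth: FAILED: bob - password incorrect from unknown@ [198.51.100.7]
Feb 10 10:27:20 s60418 smtp_auth: smtp_auth: FAILED: bob - password incorrect from unknown@ [198.51.100.7]
"""

if __name__ == "__main__":
    # On a real box: parse_smtp_auth(open("/var/log/messages"))
    events = parse_smtp_auth(SAMPLE_LOG.splitlines())
    print("logged in from 198.51.100.7:", logins_from_ip(events, "198.51.100.7"))
    print("accounts used from 3+ IPs:", accounts_by_source_count(events))
    print("failed logins per IP:", failures_by_ip(events))
```

On a real server you would feed it /var/log/messages (or the maillog, depending on where your Plesk build logs smtp_auth) and grep the output for the IP you pulled out of the Received header; the distinct-IP count is the part to run periodically, since it flags a leaked password before the bounces start.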

Big thanks goes to Jon B. and Mike J. for this.

Printed from: http://rackerhacker.com/2007/02/10/finding-compromised-mail-accounts-in-plesk/ .
© Major Hayden 2012.

7 Comments

  • madcat says:

    I'm not seeing the 'smtp_auth' messages in /var/log/messages ... In /var/log/secure, I am seeing

    Mar 30 04:55:35 hostname xinetd[4220]: START: smtp pid=19223 from=XXX.YYY.53.75

    (I changed the hostname and changed part of the IP address for privacy reasons)

    Can anybody help drive another nail into spam's coffin? I would love to get something juicy like "/var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown" ... it would be nice to know which account(s) is/are compromised. Thanks.

  • madcat says:

    I've done some more research, and it appears this might be due to people using STARTTLS. The traffic is encrypted, and the username used to login isn't recorded anywhere that I can see. Does anybody know how to turn on logging for usernames when STARTTLS is used?

  • trv says:

    I'd like the answer to madcat's comments too! Any help? :)

  • sublime says:

    trv, madcat: Sometimes the smtp_auth entries are in the maillog rather than the messages log. Try looking in $PRODUCT_ROOT_D/var/log/maillog. $PRODUCT_ROOT_D is defined in /etc/psa/psa.conf (in RHEL country).

  • trv says:

    sublime: nope, there are no smtp_auth lines in maillog either.
    In maillog, I can find only entries like this:

    Aug 18 23:26:02 113513-web1 relaylock: /var/qmail/bin/relaylock: mail from {OFFENDING_IP}:1667 (not defined)

    After this entry there is the maillog for the message that was received from this IP, but I can't find how it got there.

  • Admire says:

    Hi,
    for some users I get smtp_auth: SMTP user [USER] @ [DOMAIN] but for some I get only smtp_auth: SMTP user [USER], with no info about which domain. Does anyone know how to deal with that?

  • Matt says:

    Great work, by the way; I'm an avid follower, but I do have a question. What if instead of an external IP I get 127.0.0.1? How can I track down the user or file sending the mails?
