Koozali.org: home of the SME Server

Save but clear mail logs - I think I've been hacked

charlien
Save but clear mail logs - I think I've been hacked
« on: November 15, 2015, 03:17:59 PM »
I've been receiving hundreds of email bounces daily that I have thought were from someone hacking their mail header with my email address and that had nothing to do with my mail server. But TWC is blocking access to their mail server now. Also, I looked at my mail logs and see thousands of emails I supposedly sent but I didn't. So I think either my network has an infected PC or someone is sending email through my system.

I plan to change my server to require local SMTP authorization as well as make sure it is not an open relay.

I'd like to clear my logs to get a fresh look to see if anything is helping. Can someone give me any suggestions? This is my home server and only supports a couple email accounts/users.
...

brianr
Re: Save but clear mail logs - I think I've been hacked
« Reply #1 on: November 15, 2015, 04:14:18 PM »
Most likely you have a compromised PC on your network.

You ought not to clear logs - they may contain useful information for the future, but you can monitor the log in which you see the activity after taking each PC off your network until you find the offender. All logs are time and date stamped, so you can see what is happening now as distinct from then.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

janet
Re: Save but clear mail logs - I think I've been hacked
« Reply #2 on: November 15, 2015, 04:15:52 PM »
charlien

Log files are automatically rotated, so there is no need to delete them. When viewed using the server manager View log files panel, log entries will be in date and time order.

Take a look at the qpsmtpd and sqpsmtpd log files to see where the emails are coming from.

Unplug your LAN PCs to see if that stops mail being sent.

Do you have any web sites hosted on the server? Are they running PHP software etc.? They may have been hacked and be generating mail.
Temporarily disable the ibay containing the web site, i.e. disable public web access.


Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

charlien
Re: Save but clear mail logs - I think I've been hacked
« Reply #3 on: November 15, 2015, 11:57:43 PM »
Thanks for the advice. I looked at the logs and my LAN activity looks normal. I can identify the email activity. My WAN connection is another story. I have thousands of connections that are connecting with my email address and they appear to be accepted and sent out without any authentication. I checked and "RelayRequiresAuth=enabled" so shouldn't my password be required?

Also I have thousands of connections like this from a handful of IP addresses:

Accepted connection 2/40 from 104.243.24.156 / Unknown
2015-11-13 13:17:40.813937500 55654 Connection from Unknown [104.243.24.156]
2015-11-13 13:17:40.816466500 55654 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-11-13 13:17:40.819868500 55654 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-11-13 13:17:40.830593500 55654 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-11-13 13:17:41.840289500 55654 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-11-13 13:17:41.845344500 55654 220 [BLANKED OUT] ESMTP
2015-11-13 13:17:41.903933500 55654 dispatching EHLO ylmf-pc
2015-11-13 13:17:41.906117500 55654 250-[BLANKED OUT] Hi Unknown [104.243.24.156]
2015-11-13 13:17:41.906183500 55654 250-PIPELINING
2015-11-13 13:17:41.906228500 55654 250-8BITMIME
2015-11-13 13:17:41.906307500 55654 250-SIZE 15000000
2015-11-13 13:17:41.906353500 55654 250 STARTTLS
2015-11-13 13:17:41.956042500 55654 dispatching AUTH LOGIN
2015-11-13 13:17:41.956369500 55654 count_unrecognized_commands plugin (unrecognized_command): Unrecognized command 'auth'
2015-11-13 13:17:41.956573500 55654 500 Unrecognized command
2015-11-13 13:17:42.064174500 1950 cleaning up after 55654

I have no idea what they are doing but I suspect this is not normal.

I think my problem is the result of someone externally being able to send email from my server. Any help would be appreciated.
...

janet
Re: Save but clear mail logs - I think I've been hacked
« Reply #4 on: November 16, 2015, 12:21:47 AM »
charlien

Change your User password and the SME server admin passwords to really strong ones IMMEDIATELY. At least 10 characters long, including upper & lower case letters, numbers and special characters.

In server manager Email panel, ONLY enable secure smtp and secure IMAP on ports 465 & 993 asap.

Disable VPN access temporarily
Disable ssh remote access temporarily
Configure remote ssh access ONLY using public/private keys; read the Howto.
Disable remote server manager access, best to use a ssh tunnel to access server manager.

You did not answer if you have active web sites in ibays.
Disable all web access to ibays temporarily, do this in the ibays panel.

charlien
Re: Save but clear mail logs - I think I've been hacked
« Reply #5 on: November 16, 2015, 12:44:28 AM »
Quote
charlien

Change your User password and the SME server admin passwords to really strong ones IMMEDIATELY. At least 10 characters long, including upper & lower case letters, numbers and special characters.

In server manager Email panel, ONLY enable secure smtp and secure IMAP on ports 465 & 993 asap.

Disable VPN access temporarily
Disable ssh remote access temporarily
Configure remote ssh access ONLY using public/private keys; read the Howto.
Disable remote server manager access, best to use a ssh tunnel to access server manager.

You did not answer if you have active web sites in ibays.
Disable all web access to ibays temporarily, do this in the ibays panel.

Janet, I was in the process of removing the websites I had set up for testing since I didn't need them. By "disable remote server management access" you mean for outside my network, correct? Also, you say to "ONLY enable secure smtp and secure IMAP on ports 465 & 993 asap". Did you mean "pop3" instead of "smtp"?

I assume I have a lot of messages queued to be sent when I am allowed access to TWC mail servers. Is there a way to empty the queue? There is nothing I can't live without.

Again, I thank you.
...

janet
Re: Save but clear mail logs - I think I've been hacked
« Reply #6 on: November 16, 2015, 06:46:25 AM »
charlien

Quote
By "disable remote server management access" you mean for outside my network, correct?

Yes

Quote
Also, you say to "ONLY enable secure smtp and secure IMAP on ports 465 & 993 asap". Did you mean "pop3" instead of "smtp"?

No, I meant SMTP, ie access to the SME server SMTP mail server.
You should not be using POP these days, it is no longer appropriate for supporting multiple devices accessing mail.


Quote
I assume I have a lot of messages queued to be sent when I am allowed access to TWC mail servers. Is there a way to empty the queue? There is nothing I can't live without.

Install the qmHandle contrib, IIRC it adds a web panel, but best use is made of it at the command line.
Read the instructions before using it.

You MUST disable qmail BEFORE deleting any messages from the mail queue, & enable qmail after finished deleting messages.
If you fail to disable qmail before doing queue deletions, you will seriously mess up the server & probably need to reinstall the OS etc.

ReetP
Re: Save but clear mail logs - I think I've been hacked
« Reply #7 on: November 16, 2015, 05:25:07 PM »

Quote
Also I have thousands of connections like this from a handful of IP addresses:

Accepted connection 2/40 from 104.243.24.156 / Unknown
2015-11-13 13:17:40.813937500 55654 Connection from Unknown [104.243.24.156]
2015-11-13 13:17:40.816466500 55654 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-11-13 13:17:40.819868500 55654 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-11-13 13:17:40.830593500 55654 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-11-13 13:17:41.840289500 55654 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-11-13 13:17:41.845344500 55654 220 [BLANKED OUT] ESMTP
2015-11-13 13:17:41.903933500 55654 dispatching EHLO ylmf-pc
2015-11-13 13:17:41.906117500 55654 250-[BLANKED OUT] Hi Unknown [104.243.24.156]
2015-11-13 13:17:41.906183500 55654 250-PIPELINING
2015-11-13 13:17:41.906228500 55654 250-8BITMIME
2015-11-13 13:17:41.906307500 55654 250-SIZE 15000000
2015-11-13 13:17:41.906353500 55654 250 STARTTLS
2015-11-13 13:17:41.956042500 55654 dispatching AUTH LOGIN
2015-11-13 13:17:41.956369500 55654 count_unrecognized_commands plugin (unrecognized_command): Unrecognized command 'auth'
2015-11-13 13:17:41.956573500 55654 500 Unrecognized command
2015-11-13 13:17:42.064174500 1950 cleaning up after 55654


I'm not certain but from the looks of the above log snippet I think this is the ylmf-pc on some virus laden PC banging away at your server - google for the expression and you will see lots of stuff on it. Also see here http://forums.contribs.org/index.php/topic,51756.0.html

Blocking it - you can't by default but I made a couple of little patches that nailed it on my servers :

http://bugs.contribs.org/show_bug.cgi?id=8952

You need the qpsmtpd plugin patch so it will add the IP address to "Unrecognized command 'auth'" so that fail2ban can then recognise it and block the IP.

I get about 40 IPs + a day that get blocked with this. I probably ought to work out how to permanently block them with fail2ban but this works OK for me now.

HTH

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

CharlieBrady
Re: Save but clear mail logs - I think I've been hacked
« Reply #8 on: November 16, 2015, 06:10:42 PM »
Quote
... but from the looks of the above log snippet I think this is the ylmf-pc on some virus laden PC banging away at your server

No, somebody in Wilkes-Barre, Pennsylvania does. Note however that those connections are rejected immediately after they attempt 'AUTH LOGIN' before first issuing 'STARTTLS'.

I don't see any evidence that those log messages have anything to do with a spam problem.

Connections from the ylmf-pc spam virus could be blocked via a simple custom template:

http://forums.contribs.org/index.php/topic,51433.0.html

but I don't see the point, since they are being dropped early anyway.

ReetP
Re: Save but clear mail logs - I think I've been hacked
« Reply #9 on: November 16, 2015, 10:06:09 PM »
Quote
No, somebody in Wilkes-Barre, Pennsylvania does. Note however that those connections are rejected immediately after they attempt 'AUTH LOGIN' before first issuing 'STARTTLS'.

I don't see any evidence that those log messages have anything to do with a spam problem.

Indeed - my bad.

Quote
but I don't see the point, since they are being dropped early anyway.

No they don't get through but they sure as hell fill your logs quickly !

Personally I liked the fail2ban solution. 3 attempts and they are blocked by the firewall.

B. Rgds
John
...
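As an added example (not SME Server, qpsmtpd or fail2ban code, and not from any poster in this thread): a small Python script that correlates qpsmtpd log lines by child process id, so it can tell an AUTH attempted before STARTTLS (rejected with "Unrecognized command 'auth'", as in the log quoted above) from a client that negotiated STARTTLS first, and then applies the fail2ban-style "three strikes" threshold per source IP that ReetP describes. Correlating by pid is what lets the rejection line be tied to an IP even without the plugin patch from the bug report, which instead puts the IP on the rejection line itself so a single-line fail2ban regex can match it. The sample log lines are constructed to follow the line format quoted in the thread; the address 192.0.2.10 and the host name mail.example.org are placeholders for a legitimate client.

```python
"""Added example: correlate qpsmtpd sessions by pid and derive a fail2ban-style ban list."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (not a real log): three probes from 104.243.24.156 in the
# format quoted in the thread, plus one placeholder client (192.0.2.10) that
# negotiates STARTTLS before AUTH, as a well-behaved client does.
SAMPLE_LOG = """\
2015-11-13 13:17:40.813937500 55654 Connection from Unknown [104.243.24.156]
2015-11-13 13:17:41.903933500 55654 dispatching EHLO ylmf-pc
2015-11-13 13:17:41.956042500 55654 dispatching AUTH LOGIN
2015-11-13 13:17:41.956369500 55654 count_unrecognized_commands plugin (unrecognized_command): Unrecognized command 'auth'
2015-11-13 13:17:42.064174500 1950 cleaning up after 55654
2015-11-13 13:18:10.100000000 55701 Connection from Unknown [104.243.24.156]
2015-11-13 13:18:11.100000000 55701 dispatching EHLO ylmf-pc
2015-11-13 13:18:11.200000000 55701 dispatching AUTH LOGIN
2015-11-13 13:18:11.200500000 55701 count_unrecognized_commands plugin (unrecognized_command): Unrecognized command 'auth'
2015-11-13 13:18:11.300000000 1950 cleaning up after 55701
2015-11-13 13:18:40.100000000 55733 Connection from Unknown [104.243.24.156]
2015-11-13 13:18:41.100000000 55733 dispatching EHLO ylmf-pc
2015-11-13 13:18:41.200000000 55733 dispatching AUTH LOGIN
2015-11-13 13:18:41.200500000 55733 count_unrecognized_commands plugin (unrecognized_command): Unrecognized command 'auth'
2015-11-13 13:18:41.300000000 1950 cleaning up after 55733
2015-11-13 13:20:01.000000000 55812 Connection from mail.example.org [192.0.2.10]
2015-11-13 13:20:01.100000000 55812 dispatching EHLO mail.example.org
2015-11-13 13:20:01.200000000 55812 dispatching STARTTLS
2015-11-13 13:20:01.400000000 55812 dispatching EHLO mail.example.org
2015-11-13 13:20:01.500000000 55812 dispatching AUTH LOGIN
2015-11-13 13:20:02.000000000 1950 cleaning up after 55812
"""

# "<date> <time> <pid> <message>"; lines without a pid field are skipped.
LINE_RE = re.compile(r"^\S+ \S+ (?P<pid>\d+) (?P<msg>.*)$")
CONN_RE = re.compile(r"^Connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\]")
HELO_RE = re.compile(r"^dispatching (?:EHLO|HELO) (?P<name>\S+)", re.I)
CLEANUP_RE = re.compile(r"^cleaning up after (?P<pid>\d+)")


@dataclass
class Session:
    pid: str
    ip: str
    helo: str = ""
    starttls: bool = False
    auth_before_tls: bool = False
    auth_rejected: bool = False


def parse_log(text):
    """Group log lines into sessions keyed by the qpsmtpd child pid."""
    live, done = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. "Accepted connection 2/40 from ..." carries no pid
        pid, msg = m.group("pid"), m.group("msg")
        end = CLEANUP_RE.match(msg)
        if end and end.group("pid") in live:  # parent pid closes the child session
            done.append(live.pop(end.group("pid")))
            continue
        conn = CONN_RE.match(msg)
        if conn:
            live[pid] = Session(pid=pid, ip=conn.group("ip"))
            continue
        s = live.get(pid)
        if s is None:
            continue
        helo = HELO_RE.match(msg)
        if helo:
            s.helo = helo.group("name")
        elif msg.upper().startswith("DISPATCHING STARTTLS"):
            s.starttls = True
        elif msg.upper().startswith("DISPATCHING AUTH"):
            if not s.starttls:
                s.auth_before_tls = True  # AUTH is only offered after STARTTLS
        elif "Unrecognized command 'auth'" in msg:
            s.auth_rejected = True
    return done + list(live.values())  # include sessions still open at EOF


def rejected_auth_counts(sessions):
    """Per-IP count of AUTH attempts rejected because they came before STARTTLS."""
    counts = defaultdict(int)
    for s in sessions:
        if s.auth_before_tls and s.auth_rejected:
            counts[s.ip] += 1
    return dict(counts)


def ban_list(sessions, maxretry=3):
    """IPs that reach the threshold, as a fail2ban jail with maxretry=3 would ban."""
    return sorted(ip for ip, n in rejected_auth_counts(sessions).items() if n >= maxretry)


def ylmf_sources(sessions):
    """IPs whose client introduced itself as 'ylmf-pc' in EHLO/HELO."""
    return sorted({s.ip for s in sessions if s.helo.lower() == "ylmf-pc"})


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    print("rejected AUTH per IP:", rejected_auth_counts(sessions))
    print("ban after 3 strikes:", ban_list(sessions))
    print("EHLO ylmf-pc seen from:", ylmf_sources(sessions))
```

Run it against a real qpsmtpd log by replacing SAMPLE_LOG with the file contents; only sessions that both sent AUTH before STARTTLS and were rejected count towards the threshold, so a client that merely fails a password after negotiating TLS is not banned by this rule. The pid-based correlation assumes the parent's "cleaning up after" line follows the child's lines, which is how the quoted log reads.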

CharlieBrady
Re: Save but clear mail logs - I think I've been hacked
« Reply #10 on: November 16, 2015, 10:33:36 PM »
Quote
My WAN connection is another story. I have thousands of connections that are connecting with my email address and they appear to be accepted and sent out without any authentication.

That's what you need to investigate. BTW, I don't know what you mean by "connecting with my email address".