Can someone please help me investigate a mail spammer?

jim.thornton (Verified User, joined Jan 1, 2008, 334 messages)
I've been running DA for a while. I have only about a dozen users set up on the server and as many websites. It is a pretty light load and there isn't a lot of email that goes through the server. However, today I got an email from the system that said the following user had sent out 100 emails today. I've got the limit at 100.

The user in question is running an older version of Joomla, which someone else was running before, and this same problem happened with them. I eventually deleted that Joomla installation and updated it to the newest version, and it was still doing it. Looking at the logs, I think that it is actually someone logging in and sending emails. Initially, I thought they might have a virus that was hijacking their Outlook or something. Their password for exim was originally very simple. I changed it to a randomly generated password that was 8 characters long, with uppercase, lowercase and digits. It was still happening.

The other user is gone, but now I'm getting it on this new user. I'm wondering if someone can please walk me through how to investigate this. The path that the email from DA says it is being sent from is: /

Here is a link to the log file with some lines for the user it is happening for: http:// pastebin [dot] com/Dk1jBDEJ

I think it is an SMTP login again, but I would appreciate it if someone could walk me through identifying this please.
 
I should say this is what I've done so far:

1. Read the email sent from DA to show me which user it was (running mod_ruid2)
2. Searched the log files (mainlog) for that user's emails (the link was a snippet of the search)
3. Ran a search in the public_html directory to make sure there were no base64_decode commands, and there are none found in any PHP files.
 
Thanks for that link!

I've looked at the E-Mail usage and there are 100 emails sent and then they are getting blocked. It looks like the email is being sent using SMTP authentication. But what surprises me is that it is a randomly generated password and my CSF firewall is set to block IPs after only 25 attempts. How could they possibly have gotten the username/password?

There are 7 emails that are being sent from: /public_html/libraries/phpmailer/phpmailer.php:755

I think that is the contact form within Joomla.

Can you confirm that my thought process is correct here? Is the only course of action to change the password? Or, is there likely another reason this is happening?
 
Are you saying to do this instead of changing the password, or in addition to, before or after?
 
I went to empty those files and they were already empty.

I have changed the users password for email.

Can you shed some light on this please? The only way he uses this email account is via GMail. His GMail interface was not using an overly secure password, which he has now corrected, but I would imagine that if the GMail interface was hacked, there would have been some damage done (as in deleting his current emails).

He doesn't log in from anywhere else to check this email account. I have CSF / LFD set up, and it blocks any IPs once they have failed 25 times. I also have Brute-Force set up to manually block an IP if that system picks it up and CSF misses it for some reason. So, I can't see how someone would have gotten this password to log in to his SMTP account.
 
I would like to shed more light on your issue; for this I will need to log in to your server as root and do an investigation. Please send me a PM for a quote if you are interested.
 
At this point I'm really looking to understand more about how someone could have obtained the password when it isn't possible that a keylogger was used because he never logs in and checks his email that way.

I was thinking that maybe CSF isn't configured properly. Between DA and CSF it seems that the IPs are getting blocked if someone fails to log in more than 25 times. However, I notice that the IP changes and the attempts continue, then it is blocked 25 attempts later and the IP changes, and so on. Eventually they stop trying and start trying a different account. But the firewall seems to be working because the IP is getting blocked.

Is there a way that I can set CSF to notice when an account is being targeted and then lock that account out for a little while from any IP? Or is that problematic?
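The investigation steps listed earlier in the thread (search the mainlog for the user's sends) and the question just above (an account hammered from rotating IPs that a per-IP block never catches) can both be handled by the same log triage. The script below is an added example, not code from the thread or from DirectAdmin/CSF; it assumes Exim's standard mainlog fields (`<=` arrival lines with `P=esmtpa` and `A=login:user`, `U=` on locally injected script mail, and `authenticator failed ... set_id=user` on bad logins), parses a few constructed sample lines, and flags mailboxes whose credentials are being used from many IPs or guessed from many IPs. The thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Exim mainlog format (NOT the thread's pastebin).
# Three authenticated sends by bob from three IPs, one local send by a web
# script (the phpmailer/contact-form case), and failed logins against alice
# from three different IPs, the pattern a per-IP block cannot stop.
SAMPLE_LOG = """\
2014-03-10 09:12:01 1WN1aa-0001aa-AA <= bob@example.com H=(mail.example.com) [203.0.113.5] P=esmtpa A=login:bob@example.com S=1200 id=abc@example.com
2014-03-10 09:12:03 1WN1ab-0001ab-AB <= bob@example.com H=(localhost) [198.51.100.20] P=esmtpa A=login:bob@example.com S=1300 id=def@example.com
2014-03-10 09:12:05 1WN1ac-0001ac-AC <= bob@example.com H=(localhost) [198.51.100.21] P=esmtpa A=login:bob@example.com S=1300 id=ghi@example.com
2014-03-10 09:12:07 1WN1ad-0001ad-AD <= www-data@host.example.com U=www-data P=local S=900 id=contact@example.com
2014-03-10 09:13:00 login authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice@example.com)
2014-03-10 09:13:01 login authenticator failed for (x) [192.0.2.11]: 535 Incorrect authentication data (set_id=alice@example.com)
2014-03-10 09:13:02 login authenticator failed for (x) [192.0.2.12]: 535 Incorrect authentication data (set_id=alice@example.com)
"""

# "<=" marks a message arriving at Exim; the rest of the line carries the
# source IP in [...], the protocol (P=), and either an authenticated SMTP
# user (A=login:user) or the local Unix user (U=) that injected the mail.
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
AUTH_FAIL_RE = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[^\]]+)\]: 535 .*?set_id=(?P<user>[^)\s]+)\)"
)
IP_RE = re.compile(r"\[([^\]]+)\]")


def parse_mainlog(text):
    """Return (auth_sends, local_sends, auth_failures).

    auth_sends:    SMTP-authenticated mailbox -> {"count": n, "ips": {source IPs}}
    local_sends:   local Unix user (U=) -> message count (scripts, contact forms)
    auth_failures: targeted mailbox -> set of IPs that failed to log in as it
    """
    auth_sends = defaultdict(lambda: {"count": 0, "ips": set()})
    local_sends = defaultdict(int)
    auth_failures = defaultdict(set)

    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m.group("rest")
            auth = re.search(r"\bA=(\S+)", rest)
            if auth:
                user = auth.group(1).split(":", 1)[-1]  # A=login:user -> user
                auth_sends[user]["count"] += 1
                ip = IP_RE.search(rest)
                if ip:
                    auth_sends[user]["ips"].add(ip.group(1))
            else:
                local = re.search(r"\bU=(\S+)", rest)
                if local:
                    local_sends[local.group(1)] += 1
            continue
        f = AUTH_FAIL_RE.search(line)
        if f:
            auth_failures[f.group("user")].add(f.group("ip"))

    return auth_sends, local_sends, auth_failures


def flag_accounts(auth_sends, auth_failures, max_send_ips=2, min_attack_ips=3):
    """Flag mailboxes that look compromised or under distributed guessing.

    max_send_ips / min_attack_ips are assumed, illustrative thresholds; tune
    them to what is normal for the server.
    """
    flags = defaultdict(list)
    for user, info in auth_sends.items():
        if len(info["ips"]) > max_send_ips:
            flags[user].append(
                f"authenticated sends from {len(info['ips'])} IPs: treat the password as leaked"
            )
    for user, ips in auth_failures.items():
        if len(ips) >= min_attack_ips:
            flags[user].append(
                f"login failures from {len(ips)} IPs: per-IP blocking alone will not stop this"
            )
    return dict(flags)


if __name__ == "__main__":
    sends, local, fails = parse_mainlog(SAMPLE_LOG)
    for user, reasons in flag_accounts(sends, fails).items():
        print(f"{user}: " + "; ".join(reasons))
    for user, n in local.items():
        print(f"local (script) sends by {user}: {n}")
```

Run it against `/var/log/exim/mainlog` instead of `SAMPLE_LOG` to get the same two views the thread is after: authenticated sends per mailbox with the IPs that used the credential, and the accounts being guessed across many IPs, which is the signal a per-IP CSF/LFD rule never sees on its own.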
 
No, I don't think there is, but you can certainly lower the attempt number; I think I have that set at 5 attempts...

Users that get banned call me, but it doesn't happen too often, and since it is an improvement in security, they can't complain much if they enter a wrong password 5 times in a short period.

Regards
 