Hi everyone, I have a server with DA, latest version.
One of my clients got his CPU hacked, and someone stole his email passwords.
The hacker used the user and password to log in to the SMTP server and send a very huge amount of spam.
I changed the email address password and then the hacker stopped sending spam.
A few days later my stupid client got hacked again, but this time I don't know where the mails are coming from; I can only see the emails in /etc/virtual/usage/user.bytes, but there is no login user, no login attempts, no IP they come from, it is all local.
I tried to find some web script or something like that, but I didn't find anything.
I only know this hacker is sending mails with a From of roberta.
I am sending the logs with what I have in the exim mainlog to see if someone can help me.
[root@tera1 exim]# grep 1Q6RXA-00008k-9b mainlog
2011-04-17 04:07:24 1Q6RXA-00008k-9b ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host ASPMX.L.GOOGLE.COM [74.125.157.27]: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 http://mail.google.com/support/bin/a...py?answer=6596 x41si9056848yhc.90
2011-04-17 04:07:24 1QBM4q-00033H-Tf <= <> R=1Q6RXA-00008k-9b U=mail P=local S=8032 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2011-04-17 04:07:25 1Q6RXA-00008k-9b Completed
[root@tera1 exim]# grep 1QBM4q-00033H-Tf mainlog
2011-04-17 04:07:24 1QBM4q-00033H-Tf <= <> R=1Q6RXA-00008k-9b U=mail P=local S=8032 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2011-04-17 04:07:25 1QBM4q-00033H-Tf => [email protected] F=<> R=lookuphost T=remote_smtp S=8162 H=vip-us-br-mx.terra.com [208.84.244.133] C="250 2.0.0 Ok: queued as 32F6E5DF5E791"
2011-04-17 04:07:25 1QBM4q-00033H-Tf Completed
[root@tera1 exim]#
I searched for my client's user in maillog and something like this appears, but only 2 or 3 times a day; maybe it is my client and not the hacker logging in to webmail.
Apr 18 00:25:19 tera1 dovecot[28832]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Maybe there are a lot of emails in the tail from the first attempt, but I can't ls or anything in /var/spool/exim/input or msglog; it seems there are several million files.
Any idea how to deal with this?
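One way to answer the question in the post (which Unix user or login path is handing the spam to exim when there is no SMTP login and no remote IP) is to read exim's own "<=" arrival records, which carry U= for local submissions and A=/H= for authenticated or inbound SMTP. This is an added example, not code from the original post or from DirectAdmin; the log lines inside it are constructed samples that follow exim's default mainlog layout.

```python
import re
from collections import Counter

# Constructed sample mainlog lines (not from the original post). Each "<="
# record is a message entering the queue; "=>" records are deliveries.
SAMPLE_MAINLOG = """\
2011-04-17 04:01:02 1Q6RWp-00008a-11 <= roberta@example.com H=(localhost) [127.0.0.1] P=esmtpa A=login:victim@example.com S=2100 id=1@localhost T="Hello"
2011-04-17 04:01:05 1Q6RWs-00008b-22 <= roberta@example.com U=webuser P=local S=2115 id=2@localhost T="Hello"
2011-04-17 04:01:06 1Q6RWt-00008c-33 <= roberta@example.com U=webuser P=local S=2118 id=3@localhost T="Hello"
2011-04-17 04:01:09 1Q6RWw-00008d-44 <= <> R=1Q6RWs-00008b-22 U=mail P=local S=8032 T="Mail delivery failed: returning message to sender" from <> for nobody@example.org
2011-04-17 04:02:00 1Q6RXn-00008e-55 <= alice@example.net H=mx.example.net [192.0.2.10] P=esmtp S=3000 id=4@example.net T="Invoice"
2011-04-17 04:02:01 1Q6RWp-00008a-11 => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
"""

ARRIVAL_RE = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
FIELD_RE = re.compile(r'(?:^| )(U|P|A)=(\S+)')          # U=unix user, P=protocol, A=auth
HOST_RE = re.compile(r'(?:^| )H=(\S+)(?: \[([^\]]+)\])?')  # H=name [ip]

def parse_arrivals(log_text):
    """Yield one dict per "<=" line: who injected the message and how."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # deliveries (=>), failures (**) and other records are skipped
        ts, msg_id, sender, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        host = HOST_RE.search(rest)
        yield {'ts': ts, 'id': msg_id, 'sender': sender,
               'user': fields.get('U'), 'proto': fields.get('P'),
               'auth': fields.get('A'), 'ip': host.group(2) if host else None}

def classify(rec):
    """Label the injection path. 'local:<user>' is the case in the post: no SMTP
    login and no remote IP, because a local process handed the mail to exim."""
    if rec['proto'] == 'local':
        if rec['sender'] == '<>':
            return 'bounce'                    # generated by exim itself (empty sender)
        return 'local:%s' % rec['user']        # script, cron job or shell under that user
    if rec['auth']:
        return 'auth:%s from %s' % (rec['auth'], rec['ip'])  # SMTP AUTH (stolen password case)
    return 'inbound:%s' % rec['ip']

def injection_summary(log_text):
    """Count arrivals per injection path; the top entry is where to look first."""
    return Counter(classify(r) for r in parse_arrivals(log_text))

if __name__ == '__main__':
    for path, n in injection_summary(SAMPLE_MAINLOG).most_common():
        print('%5d  %s' % (n, path))
```

Run it over the real file with `injection_summary(open('/var/log/exim/mainlog').read())`; for P=local records the U= value is the Unix account that called exim, which on a DirectAdmin box points at the web space or cron of that account.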