HELP! Spammers authenticating.

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
jmackenz
Forum Regular
Posts: 116
Joined: Tue Jan 23, 2007 10:18 am

Unread post by jmackenz »

Hey There,

I've just disabled my mail server as I have a spammer authenticating as user "summer", which is not supposed to exist according to Plesk.

I'm running Plesk 8.6.

How can I track this down and get it secured?

Please help.

- John

Unread post by jmackenz »

Sep 25 20:18:21 phoenix smtp_auth: smtp_auth: SMTP user summer : logged in from (null)@wsip-68-228-4-173.br.br.cox.net [68.228.4.173]

Unread post by jmackenz »

I no longer think it is just user summer:
Sep 24 17:19:30 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@rrcs-208-105-232-205.nys.biz.rr.com [208.105.232.205]
Sep 24 17:19:31 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:33 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:41 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:42 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:50 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:51 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:59 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:00 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:09 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:10 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:25 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:27 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:41 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:44 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:58 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:00 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:14 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:16 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:28 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Where should I start?
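One place to start is to run the smtp_auth lines through a small script rather than reading them by eye. The example below is added here and is not code from the thread, from Plesk or from Atomicorp. It parses the smtp_auth log format shown in the posts above, then flags three things a practitioner would want to see: logins with an empty username, logins as usernames that are not in the list of mailboxes you actually created (the "summer" case), and source IPs that authenticate in a burst. The sample log embeds the lines quoted above plus the relaylock line from the later post (to show that non-matching lines are skipped) and one constructed legitimate login for john@example.com; the mailbox list, the window of 120 seconds and the burst threshold of 10 are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# smtp_auth log format as seen in the forum post above (Plesk 8.x, qmail smtp_auth).
# The username field can be empty, so it is matched with \S*? and tested separately.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtp_auth: smtp_auth: "
    r"SMTP user\s*(?P<user>\S*?)\s*: logged in from \(null\)@(?P<host>\S+) "
    r"\[(?P<ip>[\d.]+)\]$"
)

# Lines quoted from the posts above, plus one constructed legitimate login (last line).
SAMPLE_LOG = """\
Sep 25 20:18:21 phoenix smtp_auth: smtp_auth: SMTP user summer : logged in from (null)@wsip-68-228-4-173.br.br.cox.net [68.228.4.173]
Sep 24 17:19:30 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@rrcs-208-105-232-205.nys.biz.rr.com [208.105.232.205]
Sep 24 17:19:31 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:33 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:41 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:42 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:50 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:51 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:59 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:00 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:09 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:10 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:25 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:27 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 25 21:41:46 phoenix relaylock: /var/qmail/bin/relaylock: mail from 68.228.4.173:1996 (wsip-68-228-4-173.br.br.cox.net)
Sep 25 09:00:00 phoenix smtp_auth: smtp_auth: SMTP user john@example.com : logged in from (null)@office.example.com [198.51.100.7]
"""

# Assumed list of mailboxes that really exist on the server (constructed for the example).
KNOWN_USERS = {"john@example.com"}


def parse_line(line):
    """Return a dict for an smtp_auth login line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "host": m["host"], "ip": m["ip"]}


def audit(log_text, known_users, window_seconds=120, burst_threshold=10):
    """Flag empty usernames, unknown usernames and bursty source IPs."""
    empty_user_ips, unknown_users = set(), set()
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec["ts"])
        if rec["user"] == "":
            empty_user_ips.add(rec["ip"])
        elif rec["user"] not in known_users:
            unknown_users.add(rec["user"])
    # An IP is "bursty" if at least burst_threshold logins fall in any window_seconds span.
    bursty_ips = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            inside = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            if inside >= burst_threshold:
                bursty_ips.add(ip)
                break
    return {
        "empty_user_ips": empty_user_ips,
        "unknown_users": unknown_users,
        "bursty_ips": bursty_ips,
        "logins_per_ip": {ip: len(stamps) for ip, stamps in by_ip.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, KNOWN_USERS).items():
        print(f"{key}: {value}")
```

On a live box you would feed it the real mail log (`/usr/local/psa/var/log/maillog` on Plesk, `/var/log/maillog` on stock CentOS) and the real mailbox list; any username that authenticates but is not in that list is either a forgotten test account or a credential that should not exist at all, which is exactly the "summer" situation.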

Unread post by jmackenz »

OK, I re-enabled my mail server and just disabled smtp_auth and enabled pop-lock.

This still has the spammers restrained:
Sep 25 21:41:46 phoenix relaylock: /var/qmail/bin/relaylock: mail from 68.228.4.173:1996 (wsip-68-228-4-173.br.br.cox.net)
But what can I do to correct whatever is wrong with my smtp_auth?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

Did you see http://forum.swsoft.com/showthread.php?t=55221 ?

Seems there is a security hole somewhere, but only on some operating systems. Debian and RHEL/CentOS don't seem to be vulnerable. There is a report about OpenSuSE 10.3 x86_64 being vulnerable.
Lemonbit Internet Dedicated Server Management

Unread post by jmackenz »

Reading it now, but I'm running CentOS...
scott
Atomicorp Staff - Site Admin
Posts: 8355
Location: earth

Unread post by scott »

We've got a password auditor in ASL; otherwise you can go through all the accounts and see if you've got any joe accounts in there (info/info, guest/guest, test/test, ...).
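If you do not have ASL's auditor, the manual check scott describes can be scripted. The example below is added here; it is not ASL's auditor, not Plesk's tooling and not code from the thread. It assumes you have exported the mailbox credentials as plain `user:password` lines (any export format works once you adapt the parser) and reports, per account, why the password is weak: a joe account (password equals or contains the username), a password from a short built-in list of common junk passwords, a password shorter than 8 characters, or a letters-only word that a dictionary attack would find. The sample credentials embed the two pairs found later in the thread plus one constructed joe account and one constructed strong password; the minimum length and the weak-password list are assumptions for the example and should be replaced by a real wordlist in practice.

```python
import re

# Short built-in list of the kinds of junk passwords that end up on test accounts.
# Constructed for the example; use a real wordlist (e.g. the one ASL ships) in practice.
COMMON_WEAK = {"info", "guest", "test", "qwerty", "password", "123456",
               "12345678", "admin", "letmein", "abc123"}
MIN_LENGTH = 8  # assumed policy

REASON_EMPTY = "empty password"
REASON_JOE = "joe account (password equals or contains the username)"
REASON_COMMON = "common weak password"
REASON_SHORT = f"shorter than {MIN_LENGTH} characters"
REASON_WORD = "letters only (dictionary-crackable)"

# Constructed sample export in the assumed user:password format. The first two pairs
# are the ones reported in the thread; the last two are made up for the example.
SAMPLE_CREDS = """\
# user:password
swtest:qwerty
test:balls
info:info
john@example.com:Tr0ub4dor&3!xq
"""


def check_password(user, password):
    """Return the list of reasons a mailbox password is weak (empty list means it passes)."""
    if not password:
        return [REASON_EMPTY]
    reasons = []
    local = user.split("@", 1)[0].lower()  # Plesk mail logins may be full addresses
    pw = password.lower()
    if pw == user.lower() or (len(local) >= 3 and local in pw):
        reasons.append(REASON_JOE)
    if pw in COMMON_WEAK:
        reasons.append(REASON_COMMON)
    if len(password) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    # A single alphabetic word under 16 characters is well within dictionary-attack reach.
    if re.fullmatch(r"[A-Za-z]+", password) and len(password) < 16:
        reasons.append(REASON_WORD)
    return reasons


def audit_credentials(text):
    """Parse user:password lines (assumed format) and return {user: reasons} for weak entries."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # partition on the first colon so a password may itself contain colons
        user, _, password = line.partition(":")
        user = user.strip()
        reasons = check_password(user, password)
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_credentials(SAMPLE_CREDS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run against the sample, it reports swtest, test and info and leaves john@example.com alone. The point of returning reasons rather than a yes/no is that a "joe account" finding means an account somebody (or some tool) created and forgot, which is worth removing outright, whereas a "letters only" finding on a real user's mailbox is a password reset.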

Unread post by jmackenz »

Can the auditor be acquired stand-alone?

Unread post by jmackenz »

Looking with PowerToys I found (created by SWsoft while checking another bug) swtest/qwerty and test/balls.

I've removed them and re-enabled smtp_auth; I guess I'll monitor my logs and queue for a while.

Do you believe that these were the issue, or should I keep digging?

Unread post by breun »

You can also use /usr/local/psa/admin/bin/mail_auth_view if you want to spy on username/password combinations.

Unread post by jmackenz »

So, would I be correct in assuming that, seeing as I'm running CentOS, my issue was one of a too-simple user/pass combination (test/balls)? Or should I be worried about any dictionary-based passwords I see from that result?

Unread post by breun »

Dictionary passwords are always a risk.