HELP! Spammers authenticating.
Posted: Thu Sep 25, 2008 9:42 pm
by jmackenz
Hey there,
I've just disabled my mail server as I have a spammer authenticating as user "summer", which is not supposed to exist according to Plesk.
I'm running Plesk 8.6.
How can I track this down and get it secured?
Please help.
- John
Posted: Thu Sep 25, 2008 9:59 pm
by jmackenz
Sep 25 20:18:21 phoenix smtp_auth: smtp_auth: SMTP user summer : logged in from (null)@wsip-68-228-4-173.br.br.cox.net [68.228.4.173]
Posted: Thu Sep 25, 2008 10:13 pm
by jmackenz
I no longer think it is just user summer
Sep 24 17:19:30 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@rrcs-208-105-232-205.nys.biz.rr.com [208.105.232.205]
Sep 24 17:19:31 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:33 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:41 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:42 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:50 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:51 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:19:59 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:00 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:09 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:10 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:25 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:27 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:41 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:44 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:20:58 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:00 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:14 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:16 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Sep 24 17:21:28 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]
Where should I start?
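A practical place to start is to parse the smtp_auth lines from the mail log and pull out every login whose username is empty or is not a mailbox Plesk knows about, while counting logins per source IP so a burst from one host stands out. The script below is an added example and not something from the thread or from Plesk; the sample log is taken from the lines quoted above plus one constructed legitimate login, and the set of known mailbox names is a constructed assumption you would replace with your own account list.

```python
import re
from collections import Counter

# Pattern for the smtp_auth lines Plesk's qmail writes to the mail log, e.g.
#   Sep 25 20:18:21 phoenix smtp_auth: smtp_auth: SMTP user summer : logged in from (null)@host [1.2.3.4]
# The username group may be empty, exactly as in the lines quoted in the thread.
SMTP_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"smtp_auth: smtp_auth: SMTP user\s*(?P<user>[^\s:]*)\s*: logged in from "
    r"\(null\)@(?P<rdns>\S+) \[(?P<ip>[\d.]+)\]$"
)

# Sample input: three lines copied from the thread plus one constructed legitimate login.
SAMPLE_LOG = [
    "Sep 25 20:18:21 phoenix smtp_auth: smtp_auth: SMTP user summer : logged in from (null)@wsip-68-228-4-173.br.br.cox.net [68.228.4.173]",
    "Sep 24 17:19:30 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@rrcs-208-105-232-205.nys.biz.rr.com [208.105.232.205]",
    "Sep 24 17:19:31 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]",
    "Sep 24 17:19:33 phoenix smtp_auth: smtp_auth: SMTP user : logged in from (null)@adsl-156-164-160.mia.bellsouth.net [70.156.164.160]",
    # constructed: a normal login by a real mailbox from an internal address
    "Sep 25 08:02:11 phoenix smtp_auth: smtp_auth: SMTP user alice : logged in from (null)@desktop.example.lan [10.0.0.5]",
]

# Constructed assumption: the mailboxes that actually exist on this server.
KNOWN_USERS = {"alice"}


def parse_smtp_auth(line):
    """Return the fields of an smtp_auth login line, or None if the line is something else."""
    m = SMTP_AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_smtp_auth(lines, known_users):
    """Flag logins with an empty username or a username that is not a known mailbox,
    and count successful logins per source IP."""
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_smtp_auth(line)
        if rec is None:
            continue  # not an smtp_auth login line (other qmail noise)
        per_ip[rec["ip"]] += 1
        if rec["user"] == "":
            findings.append({"ip": rec["ip"], "user": "", "reason": "empty username accepted"})
        elif rec["user"] not in known_users:
            findings.append({"ip": rec["ip"], "user": rec["user"], "reason": "unknown mailbox"})
    return {"findings": findings, "logins_per_ip": dict(per_ip)}


if __name__ == "__main__":
    report = audit_smtp_auth(SAMPLE_LOG, KNOWN_USERS)
    for f in report["findings"]:
        print(f"{f['ip']:16} user={f['user']!r:10} {f['reason']}")
    print("logins per IP:", report["logins_per_ip"])
```

Run it against the real log with something like `audit_smtp_auth(open("/usr/local/psa/var/log/maillog"), known_users)` once you have filled `known_users` from your mailbox list; an empty username being accepted at all is the finding that matters most here, since no legitimate client would log in that way.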
Posted: Thu Sep 25, 2008 10:42 pm
by jmackenz
OK, I re-enabled my mail server and just disabled smtp_auth and enabled pop-lock.
This still has the spammers restrained:
Sep 25 21:41:46 phoenix relaylock: /var/qmail/bin/relaylock: mail from 68.228.4.173:1996 (wsip-68-228-4-173.br.br.cox.net)
But what can I do to correct whatever is wrong with my smtp_auth?
Posted: Fri Sep 26, 2008 3:52 am
by breun
Did you see http://forum.swsoft.com/showthread.php?t=55221 ?
Seems there is a security hole somewhere, but only on some operating systems. Debian and RHEL/CentOS don't seem to be vulnerable. There is a report about OpenSuSE 10.3 x86_64 being vulnerable.
Posted: Fri Sep 26, 2008 7:53 am
by jmackenz
Reading it now, but I'm running CentOS....
Posted: Fri Sep 26, 2008 9:07 am
by scott
We've got a password auditor in ASL, otherwise you can go through all the accounts and see if you've got any joe accounts in there (info/info, guest/guest, test, test...)
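The "joe account" check scott describes (password equal to the username, or a trivial dictionary word) is easy to run yourself over a list of mailbox credentials. The script below is an added example, not ASL's auditor or any Plesk tool; the account list and the small wordlist are constructed here, and in practice you would feed it the logins your own server holds (mail_auth_view on Plesk 8 prints them) and a real dictionary file.

```python
# Constructed sample credentials, including the two test accounts found in the thread.
SAMPLE_ACCOUNTS = [
    ("swtest", "qwerty"),
    ("test", "balls"),
    ("info", "info"),          # joe account: password equals the username
    ("guest", "Guest"),        # joe account ignoring case
    ("alice", "Tr0ub4dor&3"),  # constructed: a reasonable password
]

# Constructed stand-in for a dictionary file; replace with a real wordlist.
WEAK_WORDS = {"qwerty", "password", "123456", "balls", "test", "info", "guest", "summer"}

MIN_LENGTH = 8


def classify_password(login, password, wordlist=WEAK_WORDS):
    """Return the reason a credential is weak, or None if none of the checks fire.
    Checks run from most to least specific so the report names the worst problem."""
    local_part = login.split("@", 1)[0]  # Plesk logins may be full addresses
    if password.lower() == local_part.lower():
        return "joe account (password equals username)"
    if password.lower() in wordlist:
        return "dictionary word"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def audit_accounts(accounts, wordlist=WEAK_WORDS):
    """Map each weak login to the reason it was flagged; strong logins are omitted."""
    return {
        login: reason
        for login, password in accounts
        if (reason := classify_password(login, password, wordlist)) is not None
    }


if __name__ == "__main__":
    for login, reason in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{login:10} {reason}")
```

Accounts that exist only for testing (like the swtest and test mailboxes found later in the thread) should be removed rather than given a stronger password, since nobody will notice when they are abused.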
Posted: Fri Sep 26, 2008 9:11 am
by jmackenz
Can the auditor be acquired stand-alone?
Posted: Fri Sep 26, 2008 9:36 am
by jmackenz
Looking with PowerToys I found (created by SWsoft while checking another bug) swtest/qwerty and test/balls.
I've removed them and re-enabled smtp_auth; guess I'll monitor my logs and queue for a while.
Do you believe that these were the issue, or should I keep digging?
Posted: Fri Sep 26, 2008 9:40 am
by breun
You can also use /usr/local/psa/admin/bin/mail_auth_view if you want to spy on username/password combinations.
Posted: Fri Sep 26, 2008 9:47 am
by jmackenz
So, would I be correct in assuming that, seeing as I'm running CentOS, my issue was one of a too-simple user/pass combination (test/balls)? Or should I be worried about any dictionary-based passwords I see from that result?
Posted: Fri Sep 26, 2008 10:07 am
by breun
Dictionary passwords are always a risk.