LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-08-2014, 03:33 PM   #1
justinwyllie
LQ Newbie
 
Registered: Feb 2014
Posts: 11

How possible/likely is a brute force attack on a Postfix mail server?


My client's mail server has been compromised. Someone has obtained the account - and has used it to send spam.

The password is 12 characters and quite 'strong' - a mix of lower and upper case letters, numbers and non character characters.

I assumed that the password was somehow 'sniffed' on his local network. But I have also seen a lot of brute force attempts - multiple LOGIN attempts failing.

Is it actually possible for a brute force attack to be successful? How likely is this?

Thanks

--Justin Wyllie

Last edited by justinwyllie; 07-08-2014 at 03:35 PM.
 
Old 07-08-2014, 04:38 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

( If this is related to this earlier question of yours then I, with all due respect, strongly suggest you let somebody capable handle it. Five months simply is way too long. ) Note credentials can be leeched and spam can be sent in different ways. What's more, computing means conditions can be tested: true or false. There's no need for "thinking", "what ifs" or debating "likeliness": an investigation of the user login database, processes, changed files, log files and client is in order. Would you like us to help you with that?
 
Old 07-08-2014, 04:51 PM   #3
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Sounds like a WordPress server that's been exploited.
 
Old 07-08-2014, 05:04 PM   #4
justinwyllie
LQ Newbie
 
Registered: Feb 2014
Posts: 11

Original Poster
Quote:
Originally Posted by unSpawn
( If this is related to this earlier question of yours then I, with all due respect, strongly suggest you let somebody capable handle it. Five months simply is way too long. ) Note credentials can be leeched and spam can be sent in different ways. What's more, computing means conditions can be tested: true or false. There's no need for "thinking", "what ifs" or debating "likeliness": an investigation of the user login database, processes, changed files, log files and client is in order. Would you like us to help you with that?
Any chance of answering the question rather than the superior tone? (I thought that was the point of forums such as these).

The poster is the same. (Well spotted). But the case is different. So, no, the server has not been sending out spam for 5 months. Well done for telling me that "credentials can be leeched and spam can be sent in different ways". I would never have guessed. As far as "what ifs" go, I don't see any in my post. It is a serious computing question. People who do in fact know a great deal more about computing than myself spend a lot of time discussing matters such as length of passwords, how long it can take to crack one, etc. It matters a great deal. Brute force attacks are common. That suggests to me that sometimes they are successful. Is this the case? What length of password might prevent this? (Of course I have researched other methods of stopping brute force attacks). My question is not, as you appear to believe, a sort of random guessing because I haven't looked at the logs and started to analyse the details, or don't know that that is the way to solve this problem (not the one from 5 months ago). I am genuinely interested. Do mail servers ever get successfully hacked as a result of brute force attacks? If anyone here would like to answer that I would be very interested. I'll go elsewhere if (as is quite likely) I need help with the specifics.

Thanks.

Last edited by justinwyllie; 07-08-2014 at 05:11 PM.
 
Old 07-08-2014, 05:07 PM   #5
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Unless the password is really easy to hack it's unlikely that it was brute forced. Like I suggested, it's more likely that they obtained the authentication information from another source that's been exploited, and/or are sending the email from exploited software, not directly through authentication to the Postfix server itself.
 
Old 07-08-2014, 05:09 PM   #6
justinwyllie
LQ Newbie
 
Registered: Feb 2014
Posts: 11

Original Poster
Quote:
Originally Posted by kentyler
Sounds like a WordPress server that's been exploited.
Hi Ken

That's very useful. Can you tell me why you think that? I have seen connections being made from my client's network (I mean his office, which connects to the server) by what I believe to be the malware. But the server is full of WordPress sites with all kinds of exotic plugins. So that could well be part of it.

Thanks
 
Old 07-08-2014, 05:09 PM   #7
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Really, any server that's been exploited should be audited by a professional after it's been firewalled so that it has no direct internet access.
 
Old 07-08-2014, 05:11 PM   #8
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Automated attacks/exploits on WordPress are the most common reason for the complaint you have. At least in my experience. Yes, the plugins would allow them in quickly.
 
Old 07-08-2014, 05:20 PM   #9
justinwyllie
LQ Newbie
 
Registered: Feb 2014
Posts: 11

Original Poster
Some logs

..
Jul 5 18:22:54 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:22:54 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:26:07 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[2410]
Jul 5 18:31:17 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:32:56 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1078]
Jul 5 18:33:19 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1079]
Jul 5 18:45:25 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1122]
Jul 5 18:56:18 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1159]

These are from maillog. There were loads of the LOGIN FAILED before this (represented by two dots).

The IP was that of my client's office. I read this as a series of login attempts, possibly guessing or part guessing the password. Then there is a success. There is one more failed login before the software has caught up with itself. Then, now it has the password, it fires up loads of client connections on different ports so as to be able to send as much spam as possible.

Is this a correct interpretation? But, if so, then surely the multiple failed attempts followed by a successful one suggests some kind of dictionary attack? That threw me because, as Ken has suggested, only simple passwords are likely to be 'cracked' by a brute force attack. Secondly, given this, if there is a connection to WordPress, what should I be looking for? How do we get from WordPress to this malware on my client's office computer?

Thanks again

Last edited by justinwyllie; 07-08-2014 at 05:27 PM.
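The interpretation the poster gives above (a run of LOGIN FAILED followed by a LOGIN from the same address) is the kind of pattern that is easier to test for with a small script than by eye, and the same script also shows how thin the evidence is when the failure count is low. The following is an added example, not code from the thread or from Courier: it parses courier-pop3d lines of the shape quoted above, keeps a sliding window of failures per (user, source IP) pair, and flags a successful login only when at least a threshold number of failures preceded it within the window. The sample lines are constructed to mirror the poster's log (the placeholder address and the year 2014 are assumptions, since syslog lines carry no year), and the threshold and window values are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the courier-pop3d lines quoted in the thread.
# The "nnn.nn" address is the poster's own placeholder, kept here as-is.
SAMPLE_LOG = """\
Jul 5 18:20:01 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:22:54 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:22:54 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:26:07 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[2410]
Jul 5 18:31:17 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:32:56 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1078]
Jul 5 18:33:19 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1079]
Jul 5 19:10:00 048582 courier-pop3d: LOGIN, user=bob@mydomain.com, ip=[::ffff:198.51.100.7], port=[5000]
"""

# Matches both "LOGIN FAILED, user=..., ip=[...]" and "LOGIN, user=..., ip=[...], port=[...]".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ courier-pop3d: "
    r"LOGIN(?P<failed> FAILED)?, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def parse_line(line, year=2014):
    """Return a dict for a courier-pop3d login line, or None for anything else.
    Syslog omits the year, so it is supplied by the caller (2014 assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space syslog uses for 1-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["failed"] is None}


def count_failures(text):
    """Total LOGIN FAILED count per (user, ip) pair, the first thing to look at."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_line, text.splitlines())):
        if not e["ok"]:
            counts[(e["user"], e["ip"])] += 1
    return dict(counts)


def find_suspicious_logins(text, min_failures=3, window=timedelta(minutes=30)):
    """Flag each successful LOGIN that was preceded, from the same (user, ip) pair,
    by at least min_failures failed attempts inside the sliding window."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failures still in window
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        fails = recent_failures[key]
        fails[:] = [t for t in fails if e["ts"] - t <= window]  # expire old failures
        if e["ok"]:
            if len(fails) >= min_failures:
                alerts.append({"user": e["user"], "ip": e["ip"],
                               "failures": len(fails), "success_at": e["ts"]})
            fails.clear()  # a success resets the run, as in the poster's reading of the log
        else:
            fails.append(e["ts"])
    return alerts


if __name__ == "__main__":
    for key, n in count_failures(SAMPLE_LOG).items():
        print(f"{n} failures for user={key[0]} ip={key[1]}")
    for a in find_suspicious_logins(SAMPLE_LOG):
        print(f"success at {a['success_at']} after {a['failures']} failures: {a['user']} from {a['ip']}")
```

On the constructed sample this reports one success preceded by three failures and ignores the later success that followed a single failure. Run over a real maillog it is a triage aid rather than proof: a handful of failures before a success from the client's own office address is equally consistent with a mail client retrying a stale password, which is the explanation the poster arrives at later in the thread, and an actual password-guessing run against a 12-character password would leave far more than a few failures.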
 
Old 07-08-2014, 06:29 PM   #10
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Moved: This thread is more suitable in <Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 07-08-2014, 08:12 PM   #11
justinwyllie
LQ Newbie
 
Registered: Feb 2014
Posts: 11

Original Poster
Quote:
Originally Posted by kentyler
Automated attacks/exploits on WordPress are the most common reason for the complaint you have. At least in my experience. Yes, the plugins would allow them in quickly.
Thanks Ken for your extremely helpful suggestion. In a WordPress uploads directory I find all sorts of interesting things...

The trick, once you put me on the right track, was to use the mail.log configuration setting in PHP (available from >= 5.3.0) which logs all uses of the mail() function.

Now, as you say, the problem is plugging the hole.
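The php.ini directives the poster refers to are mail.log (path of a file to which every mail() call is logged, with the calling script and line) and the companion mail.add_x_header (adds an X-PHP-Originating-Script header to each message); both exist since PHP 5.3.0. What the log then needs is aggregation: which script is doing the sending, and does it live somewhere PHP should never run from, such as a WordPress uploads directory. The following is an added example, not code from the thread or from PHP: it parses mail.log lines, counts mail() calls per script and flags scripts under directories that are normally data-only. The line format is an assumption modelled on what PHP writes ("[date] mail() on [script:line]: To: ... -- Headers: ..."), the sample lines are constructed, and the list of data-only directories is an assumption you would adapt to your layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of PHP mail.log output; the format is an assumption modelled on
# PHP's own "mail() on [script:line]: To: ... -- Headers: ..." lines, and every
# path, address and line number below is made up for the example.
SAMPLE_MAIL_LOG = """\
[05-Jul-2014 18:40:12 UTC] mail() on [/var/www/site1/wp-content/uploads/2014/07/cache.php:2]: To: someone@example.net -- Headers: From: info@mydomain.com
[05-Jul-2014 18:40:13 UTC] mail() on [/var/www/site1/wp-content/uploads/2014/07/cache.php:2]: To: another@example.org -- Headers: From: info@mydomain.com
[05-Jul-2014 18:40:13 UTC] mail() on [/var/www/site1/wp-content/uploads/2014/07/cache.php:2]: To: third@example.com -- Headers: From: info@mydomain.com
[05-Jul-2014 18:41:00 UTC] mail() on [/var/www/site1/wp-includes/pluggable.php:371]: To: admin@mydomain.com -- Headers: From: wordpress@mydomain.com
[05-Jul-2014 18:45:30 UTC] mail() on [/var/www/site2/contact.php:57]: To: sales@mydomain.com -- Headers: From: visitor@example.net
"""

MAIL_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)

# Directories that should hold data, not executable PHP (assumed list, adjust to taste).
DATA_ONLY_DIRS = ("/wp-content/uploads/", "/wp-content/cache/", "/tmp/")


def parse_mail_log(text):
    """Return one dict per recognised mail() log line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            records.append(rec)
    return records


def calls_per_script(text):
    """How many mail() calls each script made; a spam dropper tops this list."""
    return Counter(r["script"] for r in parse_mail_log(text))


def recipients_per_script(text):
    """Distinct recipients per script; many recipients from one script is the spam signature."""
    seen = defaultdict(set)
    for r in parse_mail_log(text):
        seen[r["script"]].add(r["to"])
    return {script: len(addrs) for script, addrs in seen.items()}


def suspicious_scripts(text, data_only_dirs=DATA_ONLY_DIRS):
    """Scripts that sent mail from a directory where no PHP should be executing at all."""
    return sorted({r["script"] for r in parse_mail_log(text)
                   if any(d in r["script"] for d in data_only_dirs)})


if __name__ == "__main__":
    for script, n in calls_per_script(SAMPLE_MAIL_LOG).most_common():
        print(f"{n:5d} calls, {recipients_per_script(SAMPLE_MAIL_LOG)[script]} recipients: {script}")
    for script in suspicious_scripts(SAMPLE_MAIL_LOG):
        print(f"PHP sending mail from a data-only directory: {script}")
```

The two views complement each other: a legitimate contact form can send a lot of mail to one or two addresses, whereas a dropper under wp-content/uploads fans out to many recipients from a path that should not contain PHP in the first place. Denying PHP execution under the uploads directory at the web server is the usual follow-up once the offending file has been removed.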
 
Old 07-08-2014, 08:14 PM   #12
justinwyllie
LQ Newbie
 
Registered: Feb 2014
Posts: 11

Original Poster
Quote:
Originally Posted by justinwyllie
..
Jul 5 18:22:54 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:22:54 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:26:07 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[2410]
Jul 5 18:31:17 048582 courier-pop3d: LOGIN FAILED, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn]
Jul 5 18:32:56 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1078]
Jul 5 18:33:19 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1079]
Jul 5 18:45:25 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1122]
Jul 5 18:56:18 048582 courier-pop3d: LOGIN, user=info@mydomain.com, ip=[::ffff:86.146.nnn.nn], port=[1159]

I think this was a red herring. I will check this, but this may have been my client's Mailwasher program trying to connect.
 
Old 07-08-2014, 11:40 PM   #13
raja.genupula
LQ Newbie
 
Registered: Jul 2012
Posts: 4

1. OK, he got the password, he got the access. So a password change and a lot of manual modification in all configuration files can save us from catastrophic damage.

2. You are continuously getting brute-force attacks from the IP; block it using IPTables.

3. Your client must connect to some local/VPN network to access your server. You use IPTables and allow that particular server to be accessed from those IPs only. So you can stop all access from unauthorized IPs: even if they know the password, they are not from an authorized location, so no access.

4. Not only the IP, you change the default port number also. You know all services have a default, and attacks usually fall upon that port. If you change the port number then the attack will be sent to a port which is not running any services, and you can close those ports.

So even if he knows the credentials he can't do anything, because to enter your network he must know your network structure: what to ping and how to pong.

Hope that helps.

Let me know if you have anything to ask.
 
Old 07-09-2014, 11:40 AM   #14
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Yes, I'd say that the logs you show have nothing to do with the server sending mail. The POP3 daemon is to receive mail, not send. SMTP authentication may or may not be on.

Like I said, it's a WordPress box that's been exploited. Isolate it from the internet and clean up or re-install, and do not add any plugins or themes unless they are required; also keep up with updates/patches.
 
All times are GMT -5.