Originally Posted by Habitual
More often than not on (some)Panel products, it is a user's credentials that are compromised.
I'd check the logs for rapid and varied connections from diverse IPs for your clients by their login name or loginID.
Any idea which logs exactly I should check for these varied connections from diverse IPs?
As far as I know, the server is not an open relay or anything. Also, there aren't other sites hosted on the server. Just our own site, which is highly unlikely to have any vulnerability or code as it's just a two-page site.
About 50 people have their mail accounts on this server, and I think you are right: their credentials might have been compromised.
I could tell all of them to change their passwords, but I want to find out who exactly has been compromised.
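
One way to run the check suggested above, as an added example that is not part of the original posts: count distinct client IPs per authenticated login in the mail log. It assumes Postfix smtpd `sasl_username=` lines (the thread does not name the mail server); the sample lines, addresses and account names are constructed.

```python
import re
from collections import defaultdict

# Postfix smtpd line for an authenticated session (assumed format; adapt for another MTA).
SASL_RE = re.compile(
    r"client=\S*\[(?P<ip>[0-9a-fA-F:.]+)\].*sasl_username=(?P<user>[^,\s]+)"
)

# Constructed sample lines: documentation IP ranges, made-up accounts.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.77]
Mar  3 10:00:02 mx postfix/smtpd[2101]: 4A1B2C: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:00:09 mx postfix/smtpd[2104]: 4A1B2D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:00:11 mx postfix/smtpd[2105]: 4A1B2E: client=unknown[198.51.100.88], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:00:12 mx postfix/smtpd[2106]: 4A1B2F: client=unknown[192.0.2.45], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 10:00:14 mx postfix/smtpd[2107]: 4A1B30: client=unknown[203.0.113.201], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:00:15 mx postfix/smtpd[2108]: 4A1B31: client=unknown[2001:db8::5], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:00:17 mx postfix/smtpd[2109]: 4A1B32: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:05:40 mx postfix/smtpd[2110]: 4A1B33: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:07:02 mx postfix/smtpd[2111]: 4A1B34: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=carol@example.com
"""

def summarize(lines):
    """Return {login: {"ips": set of client IPs, "count": sessions}}."""
    stats = defaultdict(lambda: {"ips": set(), "count": 0})
    for line in lines:
        m = SASL_RE.search(line)
        if not m:
            continue  # not an authenticated-session line
        entry = stats[m.group("user").lower()]
        entry["ips"].add(m.group("ip"))
        entry["count"] += 1
    return dict(stats)

def suspects(stats, max_ips=3):
    """Logins seen from more than max_ips distinct addresses, widest spread first."""
    hits = [(user, len(s["ips"]), s["count"])
            for user, s in stats.items() if len(s["ips"]) > max_ips]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for user, n_ips, n_sessions in suspects(summarize(SAMPLE_LOG.splitlines())):
        print(f"{user}: {n_sessions} authenticated sessions from {n_ips} distinct IPs")
```

On a live server, pass the lines of the mail log (typically `/var/log/mail.log` or `/var/log/maillog`) to `summarize()` instead of the sample, and tune `max_ips` to what is normal for roaming users.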