was i hacked? - ORF Forums

was i hacked? RSS Back to forum

1

I just had a troubling event.
a) i found out my mail server was on spamcop's blacklist
b) my main server is in singapore, there is yet another frontend in china. (192.168.20.1)
c) I notice 158k emails on orf's logs from , related ip address 192.168.20.1 , about 150k entries.
d) I check my china mail server's smtp log, its ballooned in size. a usual daily 1k log, became 50k.
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 MAIL - +FROM: 250 0 43 30 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 MAIL - +FROM: 250 0 43 30 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 38 35 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 35 32 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 MAIL - +FROM: 250 0 43 30 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 MAIL - +FROM: 250 0 43 30 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 32 29 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 MAIL - +FROM: 250 0 43 30 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 34 31 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 41 38 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 42 39 0 SMTP - -
2012-11-04 10:36:31 74.94.110.145 User SMTPSVC1 JINHUI-DC 192.168.20.1 0 RCPT - +TO: 250 0 32 29 0 SMTP - -


this only happens for roughly a 12hr time block (2pm to 1130pm), then it ceased abruptly.

e) because my singapore mail server is set to accept 192.168.20.1 as whitelisted (I have since removed and left it on intermediate host), all those spam mails got sent out.

f) strange thing: in my singapore (exchange2010) and china mail servers (exchange2003), all the mail journals have NO trace whatsoever of these mails "subject: dearest friend," i can only find NDR with regards to those mails.

g) I ran http://www.mailradar.com/openrelay/ on both singapore and china. singapore server comes out clean. china server failed 1 out of 13 tests. under smtp protocol, I disabled basic authentication and "accept relay from:" I removed 192.168.20.1 and 127.0.0.1 (well, its probably a misconfiguration). it then passed the open relay test.

h) running malware scans and antivirus scans right now on the whole network in china.

any clue what happened? I can't find any trace of those mails in any journals which is really strange.

by christopher.low 6 years ago
2

@christopher.low: It is more likely that a spammer somehow got hold of a username/password combo (using a malware or keylogger on one of the clients, or simply found a forgotten test account with a weak password like "1234" or "test") and used that to authenticate and to send emails out.

Exchange 2003 and earlier versions allowed ORF to log the username used for the authenticated SMTP connection, but since Exchange 2007, this is no longer possible, because Exchange only reports to ORF that the SMTP session was authenticated without getting into any further details.

So basically you'll need to identify the compromised account using the Exchange/SMTP logs somehow and disable it or change its password to something secure.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

3

ok. I checked eventvwr on the mail server. seems tons of logins from domain\install during the wee hours of sunday , an installation account i created with a damm simple password..

reset the password and disabled it.

lets hope its clean. meanwhile I'm clean now on spam cop. but i'm stuck on uceprotect until 11 nov.. gosh these guys want $112 for expedited delisting. what money grubbers.

by christopher.low 6 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2