How to find compromised email accounts on a Plesk server?

If your emails are bouncing back and your IP address is getting blacklisted, it is clear your server is being used for spamming. To find out whether the spam is being sent by a PHP script or by a mail client, refer to:

How to find a Spammer on a Plesk Server?

Sometimes email accounts are hacked and used for sending spam. The headers of such emails contain “network” in the Received line instead of the UID of the domain.

Below we will see how to trace such accounts.

Now read the mail queue; you will notice a large number of emails being sent to strange email addresses:

# /var/qmail/bin/qmail-qread
 1 Jan 2013 01:50:32 GMT  #768553  1214
        remote  someone@domain1.com
        remote  someone123@domain1.com
        remote  someone@domain2.com
        remote  someone123@domain2.com
        ****list continues...****

Now you need to find the IP address that is sending the emails, so use the qmHandle tool to read the message header by passing it the message ID (in the above case, “768553”):

# qmHandle -m768553 | less
 Received: (qmail 20390 invoked from network); 1 Jan 2013 01:50:32
 Received: from unknown (HELO User) (1.1.1.1)

This email was invoked from the network and the offending IP is 1.1.1.1. Now search for that IP in the server logs, i.e. /var/log/messages:

# grep 1.1.1.1 /var/log/messages
 Jan  1 12:12:00 smtp_auth: SMTP connect from unknown@ [1.1.1.1]
 Jan  1 12:12:00 smtp_auth: smtp_auth: SMTP user [USER] : /var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown@ [1.1.1.1]

As you can see above, the logs show the email account the hacker authenticated to from IP 1.1.1.1.

Now let’s take a look at the password of the email account we found in the above logs:

# /usr/local/psa/admin/bin/mail_auth_view | grep user@domain
 +--------------+--------+------------+
 |    address   |  flags |  password  |
 +--------------+--------+------------+
 |  user@domain |        |   qazxsw   |
 +--------------+--------+------------+

The password is weak, so it is no wonder the email account was compromised.

Now change the password of the email account from Plesk, restart the IMAP server and monitor the server logs to see the difference:

# tail -f /var/log/messages | grep 1.1.1.1
 Jan  1 12:20:08 smtp_auth: SMTP connect from unknown@ [1.1.1.1]
 Jan  1 12:20:08 smtp_auth: FAILED: [USER] - password incorrect from unknown@ [1.1.1.1]

As you can see above, the hacker at IP 1.1.1.1 can no longer access the email account.
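As an added example (not from the original post), a small shell script that applies the /var/log/messages check from the steps above to every mailbox at once: it summarises successful smtp_auth logins per mailbox and source IP, so a mailbox suddenly authenticating from several unfamiliar addresses stands out, and counts the failures you expect to see from the attacker's IP after the password reset. The log lines, mailbox names and IP addresses are constructed; the line format is the one shown in the post.

```shell
#!/bin/sh
# Summarise Plesk/qmail smtp_auth activity from /var/log/messages.
# Example code, not part of the original article; only the log line
# format is taken from the post. Point the functions at the real
# /var/log/messages instead of the sample file on a live server.

# Constructed sample log (hypothetical mailboxes, documentation-range IPs).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan  1 12:12:00 smtp_auth: SMTP connect from unknown@ [198.51.100.7]
Jan  1 12:12:00 smtp_auth: smtp_auth: SMTP user user@example.com : /var/qmail/mailnames/example.com/user logged in from unknown@ [198.51.100.7]
Jan  1 12:12:03 smtp_auth: smtp_auth: SMTP user user@example.com : /var/qmail/mailnames/example.com/user logged in from unknown@ [198.51.100.7]
Jan  1 12:13:10 smtp_auth: smtp_auth: SMTP user user@example.com : /var/qmail/mailnames/example.com/user logged in from unknown@ [203.0.113.42]
Jan  1 12:14:00 smtp_auth: smtp_auth: SMTP user alice@example.org : /var/qmail/mailnames/example.org/alice logged in from unknown@ [192.0.2.10]
Jan  1 12:20:08 smtp_auth: SMTP connect from unknown@ [198.51.100.7]
Jan  1 12:20:08 smtp_auth: FAILED: user@example.com - password incorrect from unknown@ [198.51.100.7]
EOF

# login_counts LOGFILE
# Prints "COUNT USER IP" for every successful SMTP login, busiest pair first.
login_counts() {
    grep 'smtp_auth: SMTP user .* logged in from' "$1" |
        sed -n 's/.*SMTP user \([^ ]*\) :.*logged in from [^[]*\[\([^]]*\)\].*/\1 \2/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# distinct_ips LOGFILE USER
# Number of distinct source IPs that successfully authenticated as USER;
# a normally single-location mailbox with many IPs is the one to reset.
distinct_ips() {
    login_counts "$1" | awk -v u="$2" '$2 == u {print $3}' | sort -u | wc -l | tr -d ' '
}

# failed_logins LOGFILE IP
# Count of "FAILED" smtp_auth attempts from IP (what the post's tail -f shows
# once the password has been changed).
failed_logins() {
    awk -v ip="[$2]" 'index($0, "smtp_auth: FAILED:") && index($0, ip) {n++} END {print n+0}' "$1"
}

login_counts "$SAMPLE_LOG"
```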

This entry was posted on Thursday, January 3rd, 2013 and is filed under Plesk Management.