{"id":2024,"date":"2013-01-03T14:38:44","date_gmt":"2013-01-03T18:38:44","guid":{"rendered":"http:\/\/linuxhostingsupport.net\/blog\/?p=2024"},"modified":"2013-03-20T08:38:21","modified_gmt":"2013-03-20T12:38:21","slug":"how-to-find-compromised-email-accounts-on-a-plesk-server","status":"publish","type":"post","link":"https:\/\/linuxhostingsupport.net\/blog\/how-to-find-compromised-email-accounts-on-a-plesk-server","title":{"rendered":"How to find compromised email accounts on a Plesk server?"},"content":{"rendered":"

If your emails are bouncing back and IP is getting blacklisted, it is clear your server is used for spamming purpose. To find out if spam emails are sent using a PHP script OR by a client, refer<\/strong><\/p>\n

How to find a Spammer on a Plesk Server?<\/a><\/strong><\/p>\n

Sometimes email accounts are hacked and are used for sending spam email. The header of such emails contain “Network” in the received line<\/strong> instead of the UID of the domain.<\/p>\n

Below we will see how to trace such accounts.<\/p>\n

Now, read the mail queue and you will notice, large number of emails are sent to strange email accounts<\/strong><\/p>\n

\n
# \/var\/qmail\/bin\/qmail-qread<\/strong>\r\n 1 Jan 2013 01:50:32 GMT\u00a0 #768553\u00a0 1214\r\n        remote\u00a0 someone@domain1.com\r\n        remote\u00a0 someone123@domain1.com\r\n        remote\u00a0 someone@domain2.com\r\n        remote\u00a0 someone123@domain2.com\r\n        ****list continue...****<\/pre>\n<\/blockquote>\n
 <\/p>\n
Now you need to find out the IP that is sending the emails, so use QmHandle tool to read the message header by passing the message ID<\/strong> to it (in above case its “768553”)<\/p>\n
\n
# qmHandle -m768553 | less<\/strong>\r\n Received: (qmail 20390 invoked from network<\/strong>); 1 Jan 2013 01:50:32\r\n Received: from unknown (HELO User) (1.1.1.1)<\/pre>\n<\/blockquote>\n
This email is invoked from ‘Network’ and the offending IP is 1.1.1.1. Now, search the IP in the server logs i.e. \/var\/log\/messages<\/p>\n
\n
# grep 1.1.1.1 \/var\/log\/messages<\/strong>\r\n Jan\u00a0 1 12:12:00 smtp_auth: SMTP connect from unknown@ [1.1.1.1]\r\n Jan\u00a0 1 12:12:00 smtp_auth: smtp_auth: SMTP user<\/strong> [USER] :\r\n \/var\/qmail\/mailnames\/[DOMAIN]\/[USER] logged in from unknown<\/strong>@ [1.1.1.1]<\/pre>\n<\/blockquote>\n
As you can see above, the logs will display the email account accessed by the hacker<\/strong> from IP 1.1.1.1.<\/p>\n
Now let’s take a look at the password of the email account we found in the above logs<\/p>\n
\n
# \/usr\/local\/psa\/admin\/bin\/mail_auth_view | grep user@domain<\/strong>\r\n +--------------+--------+------------+\r\n |\u00a0\u00a0  address\u00a0\u00a0 |\u00a0 flags |\u00a0 password\u00a0 |\r\n +--------------+--------+------------+\r\n |\u00a0 user@domain |\u00a0\u00a0 \u00a0 \u00a0\u00a0 |\u00a0\u00a0 qazxsw\u00a0\u00a0 |\r\n +--------------+--------+------------+<\/pre>\n<\/blockquote>\n
The password isn’t great and no wonder why the email account is compromised.<\/p>\n
Now, change the password of the email account from Plesk, restart the IMAP server<\/strong> and monitor the server logs to see the difference<\/p>\n
\n
# tail -f \/var\/log\/messages | grep grep 1.1.1.1<\/strong>\r\n Jan\u00a0 1 12:20:08 smtp_auth: SMTP connect from unknown@ [1.1.1.1]\r\n Jan\u00a0 1 12:20:08 smtp_auth: FAILED<\/strong>: [USER] - password incorrect<\/strong>\r\n from unknown<\/strong>@ [1.1.1.1]<\/pre>\n<\/blockquote>\n
As you can see above, the hacker from IP 1.1.1.1 can no longer access the email account.<\/p>\n","protected":false},"excerpt":{"rendered":"
If your emails are bouncing back and IP is getting blacklisted, it is clear your server is used for spamming purpose. To find out if spam emails are sent using a PHP script OR by a client, refer
\nHow to find a Spammer on a Plesk Server?
\nSometimes email accounts are hacked and are used for sending spam email. The header of such emails contain “Network” in the received line instead of the UID of the domain.
\nBelow we will see how to trace such accounts.
\nNow, read the mail queue and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[1450,1451,1453,1452],"_links":{"self":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/2024"}],"collection":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/comments?post=2024"}],"version-history":[{"count":13,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/2024\/revisions"}],"predecessor-version":[{"id":2036,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/2024\/revisions\/2036"}],"wp:attachment":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/media?parent=2024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/categories?post=2024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/tags?post=2024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}