Tuesday, November 20, 2012

How to check whether email accounts have been compromised

When exim behaves suspiciously (for example, an unusual volume of outgoing mail), check whether any email account has been compromised. For example, look at the following log entry: one authenticated account (A=dovecot_login:test@domain.com, connecting from 50.50.50.50) submits a single message, with a non-ASCII subject shown as octal escapes, to nineteen yahoo.com.tw recipients:
2011-11-01 15:01:13 [22561] 1RLMON-0005rt-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47384
I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="\252k\260\352\263\261\262\364\274W\244j\263n\273I
\260t\244\321\250\317\251\312\274\244\257\273 \244k\251\312\274\351\247j\252\272\257\265\304_cxgwe"
from <test@domain.com> for linpr84@yahoo.com.tw sandyhung212@yahoo.com.tw eric_shieh0225@yahoo.com.tw
k1672x2@yahoo.com.tw blue12820@yahoo.com.tw briste00@yahoo.com.tw lisa34052@yahoo.com.tw ekke9889@yahoo.com.tw
ca438383@yahoo.com.tw rose-7945@yahoo.com.tw kenny559855@yahoo.com.tw z0913437700@yahoo.com.tw andre1528@yahoo.com.tw
jintinw@yahoo.com.tw m5200529@yahoo.com.tw 0930851353@yahoo.com.tw s58223315@yahoo.com.tw cherry80829@yahoo.com.tw
yanshu1234@yahoo.com.tw

You can use the following command to count, per account, the dovecot logins recorded in the exim log (authenticated SMTP submissions from a mail client; exim logs the authenticator and account as A=dovecot_login:account):

egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1
For example:
root@ [~]# egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1
--------
 294 dovecot_login:support+domain1.com
 309199 dovecot_login:test@domain.com
-------
The account test@domain.com authenticated 309199 times. No legitimate user sends at that rate, so the account is compromised and its password must be changed. Because this count is a total over the whole log, also look at the rate per hour and at the source addresses (the [ip]:port after H=) before deciding about accounts with smaller counts.
Logins through cPanel webmail are not visible in the exim log; to see those for the same account, search the cPanel access log instead:
Eg:
root@ [~]# grep "/webmail/x3/?login=1" /usr/local/cpanel/logs/access_log | grep test@domain.com | grep -Ev 'cPanel_magic_revision|squirrelmail|roundcube|horde'

30.40.50.60 proxy test@domain.com [11/01/2011:22:33:30 -0000] "GET /webmail/x3/?login=1 HTTP/1.1" 200 0 "http://webmail.domain.com/webmaillogout.cgi" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1)"
30.40.50.60 proxy test@domain.com [11/01/2011:22:33:34 -0000] "GET /webmail/x3/mail/passwdpop.html?redirectdomain=&email=larry&domain=domain.com HTTP/1.1" 200 0 "http://webmail.domain.com/webmail/x3/?login=1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1)"
The first field is the client address; compare it with the addresses in the exim log and with where the account owner actually is. Here the client logged in and immediately opened passwdpop.html, the x3 webmail page for changing the account password, which is worth confirming with the owner.
Malware on a user's PC commonly harvests the saved password from the email client. It then either sends spam through that client in the background, or ships the credentials to a remote server from which the spammers send bulk mail through the server. In either case the password must be changed, and the PC must be cleaned before the new password is entered into it, or it will simply be stolen again.
To get the dovecot login count for the previous clock hour, use the command below. Asking date for the previous hour directly keeps the two-digit form of the hour (09, not 9) and still works across midnight; parsing the hour out of date's output with awk and subtracting one with expr does neither.
grep "^`date -d '1 hour ago' '+%Y-%m-%d %H'`" /var/log/exim_mainlog | egrep -o 'dovecot_login[^ ]+' | sort | uniq -c | sort -nk 1
For example:
root@ [~]# grep "^`date -d '1 hour ago' '+%Y-%m-%d %H'`" /var/log/exim_mainlog | egrep -o 'dovecot_login[^ ]+' | sort | uniq -c | sort -nk 1

   1585 dovecot_login:test@domain.com
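The same triage as the per-account count and the last-hour count above, written out in Python as an added example (not code from the original post). It parses constructed Exim lines in the format the post shows, counts logins per account, the distinct source addresses and envelope recipients behind them, and logins in a time window computed from timestamps rather than by matching the hour number. The account names, addresses, sample lines and thresholds are assumptions for illustration.

```python
"""Triage of authenticated SMTP (A=dovecot_login) activity in an Exim main log.

Added example, not code from the original post. SAMPLE_LOG is constructed to
mimic the cPanel/Exim format shown there; names and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One Exim "<=" (message received) line: cPanel prefixes the exim pid in
# brackets, the first "[ip]:port" after the sender is the remote host (H=),
# A= names the authenticator and account, and recipients follow the last "for".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?:\[\d+\] )?'
    r'\S+ <= \S+ '
    r'.*?\[(?P<ip>[^\]]+)\]:\d+ '
    r'.*?A=dovecot_login:(?P<account>\S+)'
    r'(?:.* for (?P<rcpts>.*))?'
)

# Constructed sample: one normal user and one account sending to many
# recipients from several addresses; the last line is a delivery, not a login.
SAMPLE_LOG = """\
2011-11-01 14:05:10 [20001] 1RLLZZ-0001aa-AA <= alice@domain.com H=(home-pc) [192.0.2.10]:51000 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:alice@domain.com S=1200 T="lunch?" for bob@example.net
2011-11-01 15:01:13 [22561] 1RLMON-0005rt-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47384 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="hi" for r1@yahoo.com.tw r2@yahoo.com.tw r3@yahoo.com.tw r4@yahoo.com.tw r5@yahoo.com.tw r6@yahoo.com.tw r7@yahoo.com.tw r8@yahoo.com.tw r9@yahoo.com.tw r10@yahoo.com.tw r11@yahoo.com.tw r12@yahoo.com.tw
2011-11-01 15:01:20 [22570] 1RLMOU-0005rz-OR <= test@domain.com H=(kjsdhfk) [198.51.100.7]:40010 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="hi" for r13@yahoo.com.tw r14@yahoo.com.tw
2011-11-01 15:02:31 [22580] 1RLMPf-0005s4-OR <= test@domain.com H=(qwpoeiru) [203.0.113.9]:33333 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="hi" for r15@yahoo.com.tw
2011-11-01 15:03:02 [22590] 1RLMQA-0005s9-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47390 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="hi" for r16@yahoo.com.tw r17@yahoo.com.tw
2011-11-01 15:04:55 [22595] 1RLMRz-0005sb-OR <= test@domain.com H=(zxcvbnm) [192.0.2.200]:22222 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="hi" for r18@yahoo.com.tw
2011-11-01 15:10:45 [22600] 1RLMXh-0005sd-AA <= alice@domain.com H=(home-pc) [192.0.2.10]:51002 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:alice@domain.com S=900 T="re: lunch?" for carol@example.org
2011-11-01 15:11:00 [22601] 1RLMXx-0005se-AA => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.50]
"""


def parse_exim_log(text):
    """One record per authenticated '<=' line; deliveries and unauthenticated
    inbound mail are skipped. Exim logs local time, kept as a naive datetime."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            'ts': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
            'account': m.group('account'),
            'ip': m.group('ip'),
            'rcpts': (m.group('rcpts') or '').split(),
        })
    return records


def login_counts(records):
    """Same totals as egrep -o 'dovecot_login[^ ]+' | sort | uniq -c, per account."""
    return Counter(r['account'] for r in records)


def source_ips(records):
    """Distinct remote addresses per account; a botnet shows up as many of them."""
    ips = defaultdict(set)
    for r in records:
        ips[r['account']].add(r['ip'])
    return ips


def recipient_counts(records):
    """Total envelope recipients per account, the number that actually hurts."""
    totals = Counter()
    for r in records:
        totals[r['account']] += len(r['rcpts'])
    return totals


def hourly_counts(records):
    """Logins per (account, 'YYYY-MM-DD HH'), to find a burst inside a big total."""
    return Counter((r['account'], r['ts'].strftime('%Y-%m-%d %H')) for r in records)


def logins_in_window(records, now, hours=1):
    """Logins per account in [now - hours, now). Comparing timestamps instead of
    grepping for an hour number is correct across midnight and for hours 00-09."""
    if isinstance(now, str):
        now = datetime.strptime(now, '%Y-%m-%d %H:%M:%S')
    start = now - timedelta(hours=hours)
    return Counter(r['account'] for r in records if start <= r['ts'] < now)


def flag_suspicious(records, max_per_hour=50, max_ips=3, max_rcpts_per_msg=10):
    """Accounts that need a password reset, with the reasons. The thresholds are
    illustrative assumptions; tune them to the server's normal traffic."""
    flagged = defaultdict(set)
    for (account, _hour), n in hourly_counts(records).items():
        if n > max_per_hour:
            flagged[account].add('rate')
    for account, ips in source_ips(records).items():
        if len(ips) > max_ips:
            flagged[account].add('many-ips')
    for r in records:
        if len(r['rcpts']) > max_rcpts_per_msg:
            flagged[r['account']].add('bulk-rcpt')
    return dict(flagged)


if __name__ == '__main__':
    recs = parse_exim_log(SAMPLE_LOG)
    for account, n in login_counts(recs).most_common():
        print(f"{n:7d} {account}  ips={len(source_ips(recs)[account])} "
              f"rcpts={recipient_counts(recs)[account]}")
    print("flagged:", flag_suspicious(recs))
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog; the regex only needs the H= host, the A= authenticator and the trailing recipient list, so it does not depend on the subject logging shown in the post. An account that is flagged for many-ips with a modest total is often the earlier signal than the raw count, since the count only becomes obvious once the spam run is well under way.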
