Solved

My server has been spoofed - help configuring mailenable

Posted on 2009-04-23
Last Modified: 2012-06-22
Hello,

This morning we ran into a pretty serious problem.
Based on what I saw in the logs, it seems like our server was spoofed, as over 1.000 messages were sent from my server using, apparently, my own mailbox.

So the relay limit I have on my dedicated server, which runs Plesk 8.3 for Windows, at GoDaddy was maxed out early in the morning, and up to now I haven't been able to close the door to this kind of action.

From what I have read, it seems like some settings on MailEnable are allowing spoofing, and that's what caused all the trouble. However, I'm not familiar with MailEnable at all, and I haven't found a way to access its interface in order to reconfigure it.

After my relay was maxxed out, none of the hundreds of websites I have hosted there were able to send email through their contact forms.

This is a small part of today's log, which I think can show someone who understands it what happened and how I can fix it:
*****************************************************************************************************************
04/23/09 07:36:55      SMTP-IN      EC9372A288194763BDA79164F779B317.MAI      492      127.0.0.1                  220 KLAN02.home ESMTP MailEnable Service, Version: 1.983-- ready at 04/23/09 07:36:55      0      0      
04/23/09 07:36:55      SMTP-IN      EC9372A288194763BDA79164F779B317.MAI      492      127.0.0.1      HELO      HELO klan02      250 Requested mail action okay, completed      43      13      
04/23/09 07:36:55      SMTP-IN      EC9372A288194763BDA79164F779B317.MAI      492      127.0.0.1      MAIL      MAIL FROM:<eder@coll.com.br>      250 Requested mail action okay, completed      43      30      
04/23/09 07:36:55      SMTP-IN      EC9372A288194763BDA79164F779B317.MAI      492      127.0.0.1      RCPT      RCPT TO:<spoouf@hotmail.com>      250 Requested mail action okay, completed      43      30      
04/23/09 07:36:55      SMTP-IN      EC9372A288194763BDA79164F779B317.MAI      492      127.0.0.1      DATA      DATA      354 Start mail input; end with <CRLF>.<CRLF>      46      6      
04/23/09 07:36:55      SMTP-IN      CA68A4F94F2847BFA800B4DED7ABC000.MAI      500      127.0.0.1                  220 KLAN02.home ESMTP MailEnable Service, Version: 1.983-- ready at 04/23/09 07:36:55      0      0      
04/23/09 07:36:55      SMTP-IN      CA68A4F94F2847BFA800B4DED7ABC000.MAI      500      127.0.0.1      HELO      HELO klan02      250 Requested mail action okay, completed      43      13      
04/23/09 07:36:55      SMTP-IN      CA68A4F94F2847BFA800B4DED7ABC000.MAI      500      127.0.0.1      MAIL      MAIL FROM:<eder@coll.com.br>      250 Requested mail action okay, completed      43      30      
04/23/09 07:36:55      SMTP-IN      CA68A4F94F2847BFA800B4DED7ABC000.MAI      500      127.0.0.1      RCPT      RCPT TO:<spoouf@hotmail.com>      250 Requested mail action okay, completed      43      30      
04/23/09 07:36:55      SMTP-IN      CA68A4F94F2847BFA800B4DED7ABC000.MAI      500      127.0.0.1      DATA      DATA      354 Start mail input; end with <CRLF>.<CRLF>      46      6      
04/23/09 07:36:56      SMTP-IN      6C4B803660104FC0A2D3622B5BA9E3F3.MAI      492      127.0.0.1      QUIT      QUIT      221 Service closing transmission channel      42      6      
*****************************************************************************************************************
eder@coll.com.br is my personal mailbox. It seems like it was spoofed to get through the server authentication.

Any help on securing our server from this kind of action will be greatly appreciated.

Thanks

Eder
Question by:Ederwainer
6 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 80 total points
ID: 24220941
that doesn't look to me like a spoofing attack - instead, it looks to be some sort of loopback attack - the attacker is making the traffic appear to come from localhost (127.0.0.1)

common causes are
1) unsecured http proxy (CONNECT 25 attack)
2) unsecured spam or virus scanner running on non-25 port, which forwards its output to 127.0.0.1:25
3) non shell account reachable via ssh, allowing tunnelling to localhost
4) shell account allowing mail outbound or script execution
5) webserver compromise allowing running of uploaded php or perl scripts

in any case - the connections are coming from 127.0.0.1, which is what is causing them to be accepted for relay.
0
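A way to spot the pattern Dave Howe describes in the MailEnable SMTP activity log, added here as an example that is not from the original thread or from MailEnable itself: it rebuilds each SMTP session from its MAIL and RCPT lines, keeps the sessions that arrived from 127.0.0.1 and address at least one outside domain, and alerts when a single sender account does that more than a few times in one minute. The tab-delimited field order, the set of local domains and the threshold are assumptions; the sample lines are constructed in the layout of the log pasted in the question.

```python
import re
from collections import Counter, defaultdict

ADDR_RE = re.compile(r"<([^>]*)>")
LOCAL_DOMAINS = {"coll.com.br"}  # assumed: domains this server delivers locally
THRESHOLD = 3                    # assumed: loopback relay sessions per sender per minute

def parse_line(line):
    """Parse one MailEnable SMTP-IN activity line (assumed tab-delimited: timestamp, direction,
    session id, thread, peer IP, command, command text, response...). None unless MAIL or RCPT."""
    p = line.rstrip("\r\n").split("\t")
    if len(p) < 7 or p[1] != "SMTP-IN" or p[5] not in ("MAIL", "RCPT"):
        return None
    m = ADDR_RE.search(p[6])
    return {"minute": p[0][:14], "session": p[2], "peer": p[4],
            "cmd": p[5], "addr": (m.group(1) if m else "").lower()}

def find_loopback_relays(lines, local_domains=LOCAL_DOMAINS, threshold=THRESHOLD):
    """Rebuild sessions, keep those from 127.0.0.1 with an external recipient, and return
    {sender: peak sessions per minute} for every sender whose peak exceeds the threshold."""
    sessions = {}
    for rec in filter(None, map(parse_line, lines)):
        s = sessions.setdefault(rec["session"],
                                {"peer": rec["peer"], "minute": rec["minute"], "sender": None, "rcpts": []})
        if rec["cmd"] == "MAIL":
            s["sender"] = rec["addr"]
        else:
            s["rcpts"].append(rec["addr"])
    per_minute = defaultdict(Counter)  # sender -> minute -> relayed sessions
    for s in sessions.values():
        if s["peer"] != "127.0.0.1" or s["sender"] is None:
            continue
        if any(r.rsplit("@", 1)[-1] not in local_domains for r in s["rcpts"]):
            per_minute[s["sender"]][s["minute"]] += 1
    return {snd: max(c.values()) for snd, c in per_minute.items() if max(c.values()) > threshold}

def _session(ts, sid, peer, sender, rcpt):
    # Constructed sample: one MAIL and one RCPT line per session, in the layout of the pasted log
    ok = "250 Requested mail action okay, completed"
    return [f"{ts}\tSMTP-IN\t{sid}\t492\t{peer}\tMAIL\tMAIL FROM:<{sender}>\t{ok}\t43\t30",
            f"{ts}\tSMTP-IN\t{sid}\t492\t{peer}\tRCPT\tRCPT TO:<{rcpt}>\t{ok}\t43\t30"]

SAMPLE_LOG = (_session("04/23/09 07:36:55", "S1", "127.0.0.1", "eder@coll.com.br", "spoouf@hotmail.com")
              + _session("04/23/09 07:36:55", "S2", "127.0.0.1", "eder@coll.com.br", "spoouf@hotmail.com")
              + _session("04/23/09 07:36:56", "S3", "127.0.0.1", "eder@coll.com.br", "spoouf@hotmail.com")
              + _session("04/23/09 07:36:58", "S4", "127.0.0.1", "eder@coll.com.br", "spoouf@hotmail.com")
              + _session("04/23/09 07:37:10", "S5", "127.0.0.1", "eder@coll.com.br", "user@coll.com.br")  # local delivery
              + _session("04/23/09 07:36:57", "S6", "203.0.113.5", "eder@coll.com.br", "spoouf@hotmail.com"))  # not loopback
```

Run `find_loopback_relays(SAMPLE_LOG)` on the constructed lines and only the four loopback sessions addressed to hotmail.com count, so the sender account is reported with a peak of 4; a real log would be read with `open(path, encoding="latin-1")` and passed in the same way.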
 

Author Comment

by:Ederwainer
ID: 24221129
How can I track and stop this action?

It is using my mailbox for authentication, "eder@coll.com.br". As a temporary measure I was thinking of deleting my mailbox. Would it solve the problem till I can stop this action?

I don't know if it helps, but I do not run any mailboxes on this server, only contact forms that send email messages.

If anybody is willing to help me through this, I can attach log files.

Thanks

Eder Wainer
0
 

Author Comment

by:Ederwainer
ID: 24221141
I have recently enabled "perl" on the domain coll.com.br, which is the same as the mailbox authenticating for sending. Could it be the source of the problem?

I enabled Perl to be able to run an application by Google, the sitemap generator.

Thanks

Eder Wainer
0
 

Author Comment

by:Ederwainer
ID: 24221439
After some searches on my dedicated server I came across a folder created by the default Plesk skeleton that had a file called test_mail.asp, which had the local IP address (127.0.0.1) and my email address configured at the top; the fields of the form matched the fields of the messages that were being sent.

I deleted this "test" folder, generated automatically by Plesk on all domains, and it's been 20 minutes since the last message was queued to be sent; no more messages have been created.

So it seemed like malicious code was using this form for spam.

I think it's a shame; coming from a company that should care for the safety of its customers, placing a form like that by default on new accounts opens the door to trouble.

I'm going to be monitoring the service tomorrow, and if anything still goes wrong, I'll post here.

Thanks

Eder Wainer

0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24222517
I would check the Plesk documentation - usually frameworks come with such test pages by default (php comes with some too) and the documentation recommends that they be removed before the machine is placed in "production".
0
 

Accepted Solution

by:
Ederwainer earned 0 total points
ID: 24225103
Yes,

That's exactly what happened: a folder that should have been removed, containing forms that can be used to spam.

Situation is now under control.

Thanks for the input.

0
