
E-mail hack

LuisN

New Pleskian
Today, someone managed to gain my e-mail account credentials and sent a bunch of outgoing malicious e-mails. I can see the hackers connecting to the Postfix SMTP server and sending the messages.

What I can't figure out is how they got the list of recipients I commonly send e-mail to. I'm pretty sure they couldn't get that from Postfix. However, I'm guessing they could if they logged in via Horde or IMAP or POP.

Question: It appears I can see all the IMAP accesses in /var/log/maillog. Where can I find this info for Horde or POP?

BTW, I upgraded from Plesk 11.5.30 to 12.0.18 two days ago. I don't think there's a connection, but the timing is definitely very interesting.
 
Hi Igor,

Unfortunately, all of the files in this folder date back to 2013. I just purposely tried the wrong password in Horde and it didn't update any of the files in this folder. Is there somewhere else I should look? Also, where are the HTTP access logs for this app?

Thanks!
 
Make sure that the Horde log file is specified in /etc/psa-webmail/horde/horde/conf.php as:

$conf['log']['name'] = '/var/log/psa-horde/psa-horde.log';
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;

Maybe you have another log file there.
The global access and error logs are in /var/log/httpd/.
 
Thanks again!

Regarding the Horde config file, yes, those are the exact settings I have so I'm not sure why it's not working.

With regards to the global access/error logs, thanks! I kept looking under /var/www so I didn't see those.

I did notice that /var/log/maillog will have entries like this when Horde users are accessing their e-mail:
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, [email protected], ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP

My logs go back 5 days and I couldn't find any evidence of any successful Horde logins. So, unless the hackers pulled the data more than 5 days ago, I have no idea how they got the list of recipients to send to. Any ideas?
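The courier-imapd LOGIN lines quoted above are the place to separate webmail sessions from remote mailbox access: Horde runs on the Plesk host and logs in to Courier over 127.0.0.1, while a real IMAP or POP3 client shows the client's own address. The script below is an added example, not something posted in this thread or shipped with Plesk; it parses constructed maillog lines in the layout shown above (the "user=" field is assumed from Courier's usual format, since the address in the quoted line is obfuscated), strips the IPv4-mapped "::ffff:" prefix, and groups successful logins per mailbox by channel and source IP so that remote logins can be compared against the Postfix connections from the abusing hosts.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines (not from the original post), following the
# maillog layout quoted in the thread. Loopback logins come from Horde on
# the same host; the other addresses are RFC 5737 documentation ranges.
SAMPLE_MAILLOG = """\
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, user=luis@example.com, ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP
2015-09-21T19:02:10.112233-07:00 hostname courier-pop3d: LOGIN, user=luis@example.com, ip=[::ffff:198.51.100.23], port=[41022]
2015-09-21T19:05:31.000001-07:00 hostname courier-imapd: LOGIN, user=luis@example.com, ip=[::ffff:203.0.113.77], port=[52001], protocol=IMAP
2015-09-21T19:05:32.000002-07:00 hostname courier-imapd: LOGIN FAILED, user=luis@example.com, ip=[::ffff:203.0.113.78]
2015-09-21T19:06:00.000003-07:00 hostname postfix/smtpd[1234]: connect from unknown[203.0.113.77]
2015-09-21T19:07:12.000004-07:00 hostname courier-imapd: LOGIN, user=other@example.com, ip=[::ffff:127.0.0.1], port=[50350], protocol=IMAP
"""

# Successful Courier logins only: "LOGIN FAILED" lines and Postfix lines
# do not match because of the literal "LOGIN, " and the daemon name.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<daemon>courier-(?:imapd|pop3d)(?:-ssl)?): "
    r"LOGIN, (?:user=)?(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def normalize_ip(raw):
    """Return a plain address; Courier logs IPv4 clients as ::ffff:a.b.c.d."""
    addr = ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for real IPv4/IPv6
    return mapped if mapped is not None else addr


def channel_for(daemon, addr):
    """Loopback IMAP on a Plesk host is Horde; anything else is a real client."""
    if addr.is_loopback and daemon.startswith("courier-imapd"):
        return "webmail"
    return "pop3" if daemon.startswith("courier-pop3d") else "imap"


def parse_logins(log_text):
    """Extract successful mailbox logins as dicts with ts, user, ip, channel."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        addr = normalize_ip(m.group("ip"))
        events.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "ip": str(addr),
            "channel": channel_for(m.group("daemon"), addr),
        })
    return events


def summarize(log_text):
    """Map each mailbox to the sorted source IPs seen per access channel."""
    summary = defaultdict(lambda: defaultdict(set))
    for ev in parse_logins(log_text):
        summary[ev["user"]][ev["channel"]].add(ev["ip"])
    return {u: {c: sorted(ips) for c, ips in ch.items()} for u, ch in summary.items()}


def remote_logins(log_text):
    """Successful logins from non-loopback hosts, the ones to compare with SMTP abuse."""
    return [ev for ev in parse_logins(log_text)
            if not ip_address(ev["ip"]).is_loopback]


if __name__ == "__main__":
    for user, channels in summarize(SAMPLE_MAILLOG).items():
        for channel, ips in channels.items():
            print(f"{user:22} {channel:8} {', '.join(ips)}")
    print("remote logins:", [(e["ts"], e["ip"]) for e in remote_logins(SAMPLE_MAILLOG)])
```

On a live system the same functions can be fed the output of `cat /var/log/maillog*` (rotated copies included, since the thread notes only five days of history). A mailbox whose only logins are from loopback was read through Horde; a remote IMAP or POP3 login shortly before the outgoing spam, from the same address Postfix logged, is the strongest indicator of where the address book was read.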
 