E-mail hack

LuisN

New Pleskian
Today, someone managed to gain my e-mail account credentials and sent a bunch of outgoing malicious e-mails. I can see the hackers connecting to the Postfix SMTP server and sending the messages.

What I can't figure out is how they got the list of recipients I commonly send e-mail to. I'm pretty sure they couldn't get that from Postfix. However, I'm guessing they could if they logged in via Horde or IMAP or POP.

Question: It appears I can see all the IMAP accesses in /var/log/maillog. Where can I find this info for Horde or POP?

BTW, I upgraded from Plesk 11.5.30 to 12.0.18 two days ago. I don't think there's a connection but the timing is definitely very interesting.
 
Hi Igor,

Unfortunately, all of the files in this folder date back to 2013. I just purposely tried the wrong password in Horde and it didn't update any of the files in this folder. Is there somewhere else I should look? Also, where are the HTTP access logs for this app?

Thanks!
 
Make sure that the Horde log file is specified in /etc/psa-webmail/horde/horde/conf.php as:

$conf['log']['name'] = '/var/log/psa-horde/psa-horde.log';
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;

Maybe you have another log file there.
Global Access and Error logs are in /var/log/httpd/
 
Thanks again!

Regarding the Horde config file, yes, those are the exact settings I have so I'm not sure why it's not working.

With regards to the global access/error logs, thanks! I kept looking under /var/www so I didn't see those.

I did notice that /var/log/maillog will have entries like this when Horde users are accessing their e-mail:
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, [email protected], ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP

My logs go back 5 days and I couldn't find any evidence of any successful Horde logins. So, unless the hackers pulled the data more than 5 days ago, I have no idea how they got the list of recipients to send to. Any ideas?
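One way to triage the maillog entries quoted above, as an added example that is not part of this thread: it picks out Courier IMAP/POP3 LOGIN lines, treats loopback sessions as Horde (which talks to IMAP over 127.0.0.1), and lists the direct remote logins and failed attempts per source IP, which is what you would review when asking who else had a session on the account. The sample lines are constructed, and the "user=" prefix, the "courier-pop3d" daemon name and the "LOGIN FAILED" wording are assumptions about Courier's format, not taken from the thread.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample, shaped like the maillog line quoted in the thread.
# Assumptions (not from the thread): the "user=" prefix, the courier-pop3d
# daemon name and the "LOGIN FAILED" wording follow Courier's usual format.
SAMPLE_MAILLOG = """\
2015-09-21T18:59:44.946722-07:00 host courier-imapd: LOGIN, user=luis@example.com, ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP
2015-09-21T19:02:10.000000-07:00 host courier-pop3d: LOGIN, user=luis@example.com, ip=[::ffff:203.0.113.7], port=[51200]
2015-09-21T19:03:01.000000-07:00 host courier-imapd: LOGIN FAILED, user=luis@example.com, ip=[::ffff:198.51.100.9], port=[40001]
2015-09-21T19:03:05.000000-07:00 host courier-imapd: LOGIN, user=luis@example.com, ip=[::ffff:198.51.100.9], port=[40002], protocol=IMAP
2015-09-21T19:04:00.000000-07:00 host postfix/smtpd[123]: connect from unknown[198.51.100.9]
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<daemon>courier-(?:imapd|pop3d)(?:-ssl)?): "
    r"LOGIN(?P<failed> FAILED)?, (?:user=)?(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)
LOCAL_IPS = {"127.0.0.1", "::1"}  # Horde reaches IMAP over loopback

class Login(NamedTuple):
    ts: str
    daemon: str
    user: str
    ip: str
    ok: bool

def parse_logins(text):
    """Extract Courier IMAP/POP3 login events; strip the IPv4-mapped prefix."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # postfix and other daemons are ignored here
        ip = m.group("ip")
        if ip.startswith("::ffff:"):
            ip = ip[len("::ffff:"):]
        events.append(Login(m.group("ts"), m.group("daemon"),
                            m.group("user"), ip, m.group("failed") is None))
    return events

def remote_logins(events):
    """Successful logins not from loopback: direct IMAP/POP client sessions
    rather than Horde, so the first thing to review per mailbox."""
    return [e for e in events if e.ok and e.ip not in LOCAL_IPS]

def failures_by_ip(events):
    """Count failed logins per source IP; password guessing shows up here."""
    return Counter(e.ip for e in events if not e.ok)

if __name__ == "__main__":
    ev = parse_logins(SAMPLE_MAILLOG)
    for e in remote_logins(ev):
        print(f"{e.ts} {e.user} via {e.daemon} from {e.ip}")
    print(dict(failures_by_ip(ev)))
```

On a real server, feed it the contents of /var/log/maillog and its rotated copies rather than the constructed sample.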
 