
E-mail hack

LuisN

New Pleskian
Today, someone managed to gain my e-mail account credentials and sent a bunch of outgoing malicious e-mails. I can see the hackers connecting to the Postfix SMTP server and sending the messages.

What I can't figure out is how they got the list of recipients I commonly send e-mail to. I'm pretty sure they couldn't get that from Postfix. However, I'm guessing they could if they logged in via Horde or IMAP or POP.

Question: It appears I can see all the IMAP accesses in /var/log/maillog. Where can I find this info for Horde or POP?

BTW, I upgraded from Plesk 11.5.30 to 12.0.18 two days ago. I don't think there's a connection but the timing is definitely very interesting.
 
Hi Igor,

Unfortunately, all of the files in this folder date back to 2013. I just purposely tried the wrong password in Horde and it didn't update any of the files in this folder. Is there somewhere else I should look? Also, where are the HTTP access logs for this app?

Thanks!
 
Make sure that the Horde log file is specified in /etc/psa-webmail/horde/horde/conf.php as:

$conf['log']['name'] = '/var/log/psa-horde/psa-horde.log';
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;

Maybe you have another log file there.
Global Access and Error logs are in /var/log/httpd/
 
Thanks again!

Regarding the Horde config file, yes, those are the exact settings I have so I'm not sure why it's not working.

With regards to the global access/error logs, thanks! I kept looking under /var/www so I didn't see those.

I did notice that /var/log/maillog will have entries like this when Horde users are accessing their e-mail:
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, [email protected], ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP

My logs go back 5 days and I couldn't find any evidence of any successful Horde logins. So, unless the hackers pulled the data more than 5 days ago, I have no idea how they got the list of recipients to send to. Any ideas?
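A small triage script for exactly the question raised in this thread: which mailbox logins in /var/log/maillog came through webmail and which came from a remote IMAP/POP client. This is an added example, not code from the thread or from Plesk. It parses the courier-imapd/courier-pop3d LOGIN format quoted above; the sample log lines, hostnames, mailboxes and IP addresses are constructed, and the "LOGIN FAILED" line format is an assumption. Because Horde connects to the IMAP server over loopback, a login from 127.0.0.1 is treated as a webmail session; the real client address of such a session only appears in the Horde log or the httpd access log, not in maillog.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the courier-imap format quoted in the thread. Hostnames,
# mailboxes and IPs are invented; the "LOGIN FAILED" line format is assumed.
SAMPLE_MAILLOG = """\
2015-09-21T18:59:44.946722-07:00 hostname courier-imapd: LOGIN, user@example.com, ip=[::ffff:127.0.0.1], port=[50349], protocol=IMAP
2015-09-21T19:02:10.123456-07:00 hostname courier-imapd: LOGIN, user@example.com, ip=[::ffff:203.0.113.45], port=[51000], protocol=IMAP
2015-09-21T19:05:01.000000-07:00 hostname courier-pop3d: LOGIN, user@example.com, ip=[::ffff:198.51.100.7], port=[40211], protocol=POP3
2015-09-21T19:06:30.000000-07:00 hostname courier-imapd: LOGIN FAILED, user=user@example.com, ip=[::ffff:198.51.100.7]
2015-09-21T19:07:15.000000-07:00 hostname courier-imapd: LOGIN, other@example.com, ip=[::ffff:127.0.0.1], port=[50400], protocol=IMAP
"""

# Successful login line: "<ts> <host> courier-imapd: LOGIN, <user>, ip=[<ip>], port=[<n>], protocol=<P>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ courier-(?P<daemon>imapd|pop3d)(?:-ssl)?: "
    r"LOGIN, (?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\], port=\[\d+\], "
    r"protocol=(?P<proto>\w+)"
)

LOOPBACK = {"127.0.0.1", "::1"}


def normalize_ip(raw):
    """Strip the IPv4-mapped IPv6 prefix courier writes for IPv4 clients."""
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw


def parse_logins(text):
    """Return one dict per successful IMAP/POP3 login; other lines are ignored."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ip = normalize_ip(m.group("ip"))
        logins.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "proto": m.group("proto"),
            "ip": ip,
            # Horde talks to courier over loopback, so loopback == webmail session.
            # The browser's real IP is only in the Horde/httpd logs, not here.
            "source": "webmail" if ip in LOOPBACK else "remote",
        })
    return logins


def summarize(logins):
    """Per mailbox: count of webmail logins and count of remote logins per IP."""
    summary = defaultdict(lambda: {"webmail": 0, "remote": defaultdict(int)})
    for entry in logins:
        if entry["source"] == "webmail":
            summary[entry["user"]]["webmail"] += 1
        else:
            summary[entry["user"]]["remote"][entry["ip"]] += 1
    # Flatten the nested defaultdicts into plain dicts for printing/comparison.
    return {u: {"webmail": d["webmail"], "remote": dict(d["remote"])}
            for u, d in summary.items()}


def unexpected_remote_ips(logins, known_ips):
    """Remote login sources that are not in the mailbox owner's allow-list."""
    return {e["ip"] for e in logins
            if e["source"] == "remote" and e["ip"] not in known_ips}


if __name__ == "__main__":
    # Usage: python3 maillog_logins.py [/var/log/maillog]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    entries = parse_logins(text)
    for user, info in summarize(entries).items():
        print(f"{user}: webmail logins={info['webmail']}")
        for ip, n in sorted(info["remote"].items()):
            print(f"    remote {ip}: {n} login(s)")
```

Feed it the real /var/log/maillog (and the rotated copies, since the thread notes only five days are kept) and compare the remote IPs against the addresses the mailbox owner actually uses; any other address with a successful login marks the window in which the address book could have been read. Webmail sessions still need to be matched against the Horde log or /var/log/httpd/ access log to learn the client IP.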
 