• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

User email compromised

M

merkelt

Guest
I have over 1200 pending outgoing messages in my queue to various domains in Russia. I set each of the 10 domains I host to "reject nonexistant user", cleared the queue, and still messages seem to be queueing up!

I think I have found the IP(s) address the messages are comming from useing /var/log/secure. However, I have not able to see "who" is sending them as I have SMTP auth enabled as well. My guess is that one of my users username and password has been compromised.

Can anybody tell me how to disocver what username and password where used to send an email?

Thanks in advance for the help!
 
You should check for exploitable scripts (formmail, phpBB, etc) and for any strange files (or hidden dir's/files) in /tmp

More than likely it may not be an actual mail user account that has been compromised, but rather one of the above.

Install RKHunter and CHKRootkit, update them and run them. Post the results.

Install mod_security (gotroot.com) and their rulesets.

(This is just the beginning steps you should take)
 
Back
Top