How to check whether email accounts have been compromised

When you notice suspicious behaviour from exim, check whether any email account has been compromised. For example, see the following log entry:

2011-11-01 15:01:13 [22561] 1RLMON-0005rt-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47384 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="\252k\260\352\263\261\262\364\274W\244j\263n\273I\260t\244\321\250\317\251\312\274\244\257\273 \244k\251\312\274\351\247j\252\272\257\265\304_cxgwe" from <test@domain.com> for linpr84@yahoo.com.tw sandyhung212@yahoo.com.tw eric_shieh0225@yahoo.com.tw k1672x2@yahoo.com.tw blue12820@yahoo.com.tw briste00@yahoo.com.tw lisa34052@yahoo.com.tw ekke9889@yahoo.com.tw ca438383@yahoo.com.tw rose-7945@yahoo.com.tw kenny559855@yahoo.com.tw z0913437700@yahoo.com.tw andre1528@yahoo.com.tw jintinw@yahoo.com.tw m5200529@yahoo.com.tw 0930851353@yahoo.com.tw s58223315@yahoo.com.tw cherry80829@yahoo.com.tw yanshu1234@yahoo.com.tw

You can use the following command to count the Dovecot logins per email account on the server (authenticated SMTP submissions made through a mail client):

egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1

For example:

root@ [~]# egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1
--------
 294 dovecot_login:support+domain1.com
 309199 dovecot_login:test@domain.com
-------

The email account test@domain.com was logged in 309199 times, far more than any legitimate mail client would generate, so it is definitely compromised.

To get further details, such as whether the account was also used through webmail, check the cPanel access log for that account. For example:

root@ [~]# grep "/webmail/x3/?login=1" /usr/local/cpanel/logs/access_log | grep test@domain.com | grep -Ev 'cPanel_magic_revision|squirrelmail|roundcube|horde'

30.40.50.60 proxy test@domain.com [11/01/2011:22:33:30 -0000] "GET /webmail/x3/?login=1 HTTP/1.1" 200 0 "http://webmail.domain.com/webmaillogout.cgi" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1)"
30.40.50.60 proxy test@domain.com [11/01/2011:22:33:34 -0000] "GET /webmail/x3/mail/passwdpop.html?redirectdomain=&email=larry&domain=domain.com HTTP/1.1" 200 0 "http://webmail.domain.com/webmail/x3/?login=1" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1)"

Malware on a user's PC can read the password stored in the email client and then send spam through that client in the background. It can also send the address and password to a remote server, from which spammers send bulk email using the stolen credentials.

To get the Dovecot login count for the previous clock hour (roughly the last 1 to 2 hours) on the server, use the command below:

grep "$(date -d '1 hour ago' '+%Y-%m-%d %H:')" /var/log/exim_mainlog | egrep -o 'dovecot_login[^ ]+' | sort | uniq -c | sort -nk 1

This uses GNU date (the same as the original `date -I`) to build a zero-padded "YYYY-MM-DD HH:" prefix, so it matches the log timestamp for hours below 10 and still works across midnight.

For example:

root@ [~]# grep "$(date -d '1 hour ago' '+%Y-%m-%d %H:')" /var/log/exim_mainlog | egrep -o 'dovecot_login[^ ]+' | sort | uniq -c | sort -nk 1

   1585 dovecot_login:test@domain.com
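The one-liners above count logins per account. As an added example (not part of the original post), the script below extends the same exim_mainlog check with two more signals an admin usually wants before calling an account compromised: how many distinct client IPs authenticated as each account, and how many recipients its messages carried. The log lines it parses are constructed for the example; the account names, IPs, message ids and thresholds are assumptions, not data from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Parses exim_mainlog "<=" lines
# that carry A=dovecot_login:<account> and reports per-account login counts,
# distinct client IPs and total recipients. The sample log is constructed.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2011-11-01 15:01:13 [22561] 1RLMON-0005rt-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47384 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="constructed subject 1" from <test@domain.com> for a@example.com b@example.com c@example.com
2011-11-01 15:01:20 [22570] 1RLMOU-0005s1-Ab <= test@domain.com H=(qpzmwo) [51.51.51.51]:51234 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2305 T="constructed subject 2" from <test@domain.com> for d@example.com e@example.com
2011-11-01 15:02:02 [22580] 1RLMPA-0005s9-Cd <= test@domain.com H=(xltrvb) [52.52.52.52]:40011 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2198 T="constructed subject 3" from <test@domain.com> for f@example.com
2011-11-01 15:05:00 [22590] 1RLMSA-0005t1-Ef <= support@domain1.com H=(office-pc) [60.60.60.60]:33321 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:support@domain1.com S=1502 T="Re: ticket 42" from <support@domain1.com> for customer@example.org
EOF

# Same as the post's one-liner: logins per account, most frequent first.
login_counts() {
  grep -o 'dovecot_login:[^ ]*' "$1" | sort | uniq -c | sort -rn
}

# Number of messages submitted with Dovecot auth as account $2 in log $1.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e callers alive.
login_count_for() {
  grep -cF "A=dovecot_login:$2 " "$1" || true
}

# Distinct client IPs that authenticated as $2: the address in "[ip]:port"
# right before " I=" is the remote client, not the server's own interface.
distinct_ip_count_for() {
  grep -F "A=dovecot_login:$2 " "$1" \
    | sed -n 's/.* \[\([0-9.]*\)\]:[0-9]* I=.*/\1/p' \
    | sort -u | wc -l | tr -d ' '
}

# Total recipients across all messages submitted by $2 (addresses after " for ").
recipient_count_for() {
  grep -F "A=dovecot_login:$2 " "$1" \
    | sed 's/.* for //' | awk '{ n += NF } END { print n + 0 }'
}

# Print accounts with at least $2 logins or at least $3 distinct client IPs.
flag_accounts() {
  grep -o 'A=dovecot_login:[^ ]*' "$1" | sed 's/^A=dovecot_login://' | sort -u |
  while read -r acct; do
    logins=$(login_count_for "$1" "$acct")
    ips=$(distinct_ip_count_for "$1" "$acct")
    if [ "$logins" -ge "$2" ] || [ "$ips" -ge "$3" ]; then
      printf '%s logins=%s distinct_ips=%s\n' "$acct" "$logins" "$ips"
    fi
  done
}

echo "Logins per account:"
login_counts "$SAMPLE_LOG"
echo "Accounts with >= 3 logins or >= 2 distinct client IPs:"
flag_accounts "$SAMPLE_LOG" 3 2
```

On a real server, point the functions at /var/log/exim_mainlog and raise the thresholds to what is normal for your users; a handful of logins from one home IP is routine, while the same account authenticating from many unrelated addresses in a short window is the pattern the post's 309199-login case shows at scale.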