Importance of Good Passwords

Had an issue with a customer's server being reported for sending out spam. Went and had a look at the mail queue and there were a couple of hundred rejected emails sitting in it, unable to be delivered because of invalid recipient addresses. So how many had already gone out to valid addresses?

/var/log/maillog

Grep the sendmail log for the envelope sender in question (the address is redacted in this write-up):

    cat /var/log/maillog | grep "from=<[redacted]>"

    Feb 26 23:51:48 xxx sendmail[24483]: o1QApmA3024483: from=<[redacted]>, size=2517,, nrcpts=100, msgid=<[redacted]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
    Feb 26 23:52:45 xxx sendmail[24573]: o1QAqj3q024573: from=<[redacted]>, size=2517,, nrcpts=100, msgid=<[redacted]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
    Feb 27 00:01:55 xxx sendmail[25544]: o1QB1tZ0025544: from=<[redacted]>, size=2513,, nrcpts=100, msgid=<[redacted]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
    Feb 27 00:03:49 xxx sendmail[25898]: o1QB3nvL025898: from=<[redacted]>, size=2513,, nrcpts=100, msgid=<[redacted]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Then count them:

    cat /var/log/maillog | grep -c "from=<[redacted]>"
    70

70 messages, each addressed to between 60 and 100 recipients (the nrcpts field), so somewhere in the region of four to seven thousand spam recipients had already been delivered to before the invalid ones started piling up in the queue. Note also relay=localhost: the mail was injected locally, not relayed in from outside, which points at a service on the box itself.

/var/log/httpd/access_log

The messages line up with requests to the web server at the same times:

    cat /var/log/httpd/access_log | grep "26/Feb/2010:23:52"

Each one has a matching compose POST to Horde's IMP webmail:

    41.217.65.3 - - [26/Feb/2010:23:52:18 +1300] "POST /horde/imp/compose.php?uniq=62pyjpm6iua1 HTTP/1.1" 200 73 "http://xxx.xxxxxx.net.nz/horde/imp/compose.php?thismailbox=INBOX&uniq=1267181512410" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"

/tmp/horde.log

Therefore let's have a look at the Horde log file:

    cat /tmp/horde.log | grep "Feb 26 23:"

    Feb 26 23:49:39 HORDE [notice] [imp] Login success for [redacted] [41.217.65.3] to {xxx.xxxxxx.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Notice the IP address 41.217.65.3, the same client that was POSTing to compose.php.

    cat /var/log/httpd/access_log | grep "41.217.65.3" | grep -c /horde/imp/compose.php
    2024

That is 2024 hits on the compose page from this one IP address. The Horde log shows a successful login with the user's own credentials, and the requests come from an ordinary Internet Explorer User-Agent, so this is not a program exploiting the server but a person who has cracked this user's password and is using the account, through the webmail, to send spam.

    cat /tmp/horde.log | grep "41.217.65.3"

shows logins from this address starting on the 19th, although the spamming did not take off until the 25th.

41.217.65.3

    whois 41.217.65.3
    [Querying whois.afrinic.net]
    [whois.afrinic.net]
    % This is the AfriNIC Whois server.
    % Note: this output has been filtered.
    % Information related to '41.217.0.0 - 41.217.127.255'

    inetnum:      41.217.0.0 - 41.217.127.255
    netname:      ZOOMNIGERIA
    descr:        ZOOM Mobile Nigeria Ltd
    country:      NG
    admin-c:      AI22-AFRINIC
    tech-c:       EK8-AFRINIC
    org:          ORG-ZMNL1-AFRINIC
    status:       ALLOCATED PA
    mnt-by:       AFRINIC-HM-MNT
    mnt-lower:    ZOOMNIGERIA-MNT
    mnt-domains:  ZOOMNIGERIA-MNT
    source:       AFRINIC # Filtered
    parent:       41.0.0.0 - 41.255.255.255

    organisation: ORG-ZMNL1-AFRINIC
    org-name:     ZOOM Mobile Nigeria Ltd
    org-type:     LIR
    country:      NG
    address:      8A, Adeola Odeku Street
    address:      City: Victoria Island, Lagos
    address:      Postal Code: 999999*
    address:      Lagos
    e-mail:       [redacted]
    e-mail:       [redacted]
    e-mail:       [redacted]
    phone:        +234-1-4312811
    admin-c:      AI22-AFRINIC
    admin-c:      TI3-AFRINIC
    tech-c:       EK8-AFRINIC
    mnt-ref:      AFRINIC-HM-MNT
    mnt-ref:      ZOOMNIGERIA-MNT
    mnt-by:       AFRINIC-HM-MNT
    source:       AFRINIC # Filtered

    person:       Andy Ibekaku
    remarks:      Chief Technical Officer (CTO)
    remarks:      ZOOM Mobile Nigeria Ltd
    address:      8A, Adeola Odeku Street,
    address:      Victoria Island,
    address:      Lagos, Nigeria
    phone:        +23414807505
    e-mail:       [redacted]
    org:          ORG-ZMNL1-AFRINIC
    nic-hdl:      AI22-AFRINIC
    mnt-by:       ZOOMNIGERIA-MNT
    source:       AFRINIC # Filtered

    person:       Emi Kennedy
    remarks:      IP/VSAT Transmission
    remarks:      ZOOM Mobile Nigeria Ltd
    address:      8A, Adeola Odeku Street,
    address:      Victoria Island,
    address:      Lagos, Nigeria
    phone:        +23414312811

Not much luck going there. The address sits in a Nigerian mobile operator's allocation, so beyond an abuse report to the listed contacts there is little to chase, and the fix has to be at our end: change the compromised account's password to a strong one, flush the remaining spam out of the mail queue, and go back through the Horde log for any other accounts logging in from addresses they have no business coming from.
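The three greps above are the whole investigation: messages and recipient counts per sender from the sendmail log, compose POSTs per client address from the Apache log, and successful logins per user from the Horde log, joined on the user and the IP. As an added example (not code from the original post), the Python script below does that join over constructed sample log lines in the same three formats. The sender victim@example.net.nz, the second user staff@example.net.nz, the hostnames, message-ids and the 203.0.113.7 and 198.51.100.9 addresses are all made up for the example; 41.217.65.3 is the address from the write-up. It goes slightly beyond the page's greps by summing nrcpts and by filtering out accounts whose login address also posts to compose.php but only sends a handful of recipients, which is what a normal user looks like.

```python
"""Correlate sendmail, Apache and Horde/IMP logs to find a webmail account
being used to relay spam and the client address driving it.

Added example, not code from the original post. All log lines below are
constructed to match the formats shown in the write-up; users, hostnames,
message-ids and 203.0.113.7 / 198.51.100.9 are placeholders, 41.217.65.3 is
the address from the write-up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/maillog. Only "from=" lines carry nrcpts;
# the trailing "to=" line is a bounce for an invalid recipient and is ignored.
MAILLOG = """\
Feb 26 23:51:48 xxx sendmail[24483]: o1QApmA3024483: from=<victim@example.net.nz>, size=2517, class=0, nrcpts=100, msgid=<a1@xxx>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 26 23:52:45 xxx sendmail[24573]: o1QAqj3q024573: from=<victim@example.net.nz>, size=2517, class=0, nrcpts=60, msgid=<a2@xxx>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 26 23:55:01 xxx sendmail[24600]: o1QAt1pQ024600: from=<staff@example.net.nz>, size=812, class=0, nrcpts=1, msgid=<a3@xxx>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 26 23:56:10 xxx sendmail[24483]: o1QApmA3024483: to=<nobody@invalid.example>, delay=00:00:22, stat=User unknown
"""

# Constructed sample of /var/log/httpd/access_log (combined log format).
ACCESS_LOG = """\
41.217.65.3 - - [26/Feb/2010:23:52:18 +1300] "POST /horde/imp/compose.php?uniq=62pyjpm6iua1 HTTP/1.1" 200 73 "http://xxx.example.net.nz/horde/imp/compose.php?thismailbox=INBOX&uniq=1267181512410" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"
41.217.65.3 - - [26/Feb/2010:23:53:02 +1300] "POST /horde/imp/compose.php?uniq=62pyjpm6iua2 HTTP/1.1" 200 73 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"
41.217.65.3 - - [26/Feb/2010:23:53:05 +1300] "GET /horde/imp/compose.php?thismailbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"
203.0.113.7 - - [26/Feb/2010:23:54:40 +1300] "POST /horde/imp/compose.php?uniq=9qz HTTP/1.1" 200 73 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"
"""

# Constructed sample of /tmp/horde.log. The FAILED LOGIN line must not count.
HORDE_LOG = """\
Feb 19 08:12:03 HORDE [notice] [imp] Login success for victim@example.net.nz [41.217.65.3] to {xxx.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 26 23:49:39 HORDE [notice] [imp] Login success for victim@example.net.nz [41.217.65.3] to {xxx.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 26 23:54:10 HORDE [notice] [imp] Login success for staff@example.net.nz [203.0.113.7] to {xxx.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 26 23:58:00 HORDE [notice] [imp] FAILED LOGIN for victim@example.net.nz [198.51.100.9] to {xxx.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
"""

FROM_RE = re.compile(r"from=<([^>]*)>.*?\bnrcpts=(\d+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
LOGIN_RE = re.compile(r"Login success for (\S+) \[([\d.]+)\]")


def sender_summary(maillog):
    """Per envelope sender: (messages, total recipients) summed from nrcpts."""
    out = defaultdict(lambda: [0, 0])
    for line in maillog.splitlines():
        m = FROM_RE.search(line)
        if m:
            out[m.group(1)][0] += 1
            out[m.group(1)][1] += int(m.group(2))
    return {sender: tuple(v) for sender, v in out.items()}


def compose_posts(access_log, path="/horde/imp/compose.php"):
    """Count POSTs to the compose page per client IP. GETs are only the form
    being opened, so they are not counted as sends."""
    hits = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).split("?")[0] == path:
            hits[m.group(1)] += 1
    return hits


def login_ips(horde_log):
    """Per user: Counter of client IPs with a successful IMP login."""
    logins = defaultdict(Counter)
    for line in horde_log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins[m.group(1)][m.group(2)] += 1
    return logins


def suspects(maillog, access_log, horde_log, min_rcpts=50):
    """Senders that relayed at least min_rcpts recipients, joined to every
    client IP that both logged in as that user and POSTed to compose.php.
    Returns (user, ip, compose_posts, total_recipients), busiest IP first."""
    posts = compose_posts(access_log)
    logins = login_ips(horde_log)
    found = []
    for user, (_msgs, rcpts) in sender_summary(maillog).items():
        if rcpts < min_rcpts:
            continue
        for ip in logins.get(user, {}):
            if posts.get(ip):
                found.append((user, ip, posts[ip], rcpts))
    return sorted(found, key=lambda t: -t[2])


if __name__ == "__main__":
    for user, ip, n, rcpts in suspects(MAILLOG, ACCESS_LOG, HORDE_LOG):
        print(f"{user}: {rcpts} recipients relayed; {n} compose POSTs from {ip}")
```

Point the three constants at the real files (or read them in) and the output is the user/IP pairs worth acting on; on the incident above that would have been the one redacted account paired with 41.217.65.3. The min_rcpts threshold is what keeps the staff account, which logged in and sent one message to one person, out of the list.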