Importance of Good Passwords

Had an issue with a customer's server that was being reported for sending out spam.

Went and had a look at the mail queue and there were a couple of hundred rejected emails sitting in the queue, unable to be delivered due to invalid addresses. So how many had been sent to valid addresses?

/var/log/maillog

grep "from=<[address hidden]>" /var/log/maillog

Feb 26 23:51:48 xxx sendmail[24483]: o1QApmA3024483: from=<[address hidden]>, size=2517,, nrcpts=100, msgid=<[hidden]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 26 23:52:45 xxx sendmail[24573]: o1QAqj3q024573: from=<[address hidden]>, size=2517,, nrcpts=100, msgid=<[hidden]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 27 00:01:55 xxx sendmail[25544]: o1QB1tZ0025544: from=<[address hidden]>, size=2513,, nrcpts=100, msgid=<[hidden]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 27 00:03:49 xxx sendmail[25898]: o1QB3nvL025898: from=<[address hidden]>, size=2513,, nrcpts=100, msgid=<[hidden]>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]

Then count them:

grep -c "from=<[address hidden]>" /var/log/maillog
70

70 emails sent, with 60 to 100 recipients (nrcpts) in each.

/var/log/httpd/access_log

Grep the web server log for the minute each message was submitted:

grep "26/Feb/2010:23:51" /var/log/httpd/access_log
grep "26/Feb/2010:23:52" /var/log/httpd/access_log
grep "27/Feb/2010:00:01" /var/log/httpd/access_log
grep "27/Feb/2010:00:03" /var/log/httpd/access_log

Each one shows a POST to Horde's compose page at the matching minute:

41.217.65.3 - - [26/Feb/2010:23:52:18 +1300] "POST /horde/imp/compose.php?uniq=62pyjpm6iua1 HTTP/1.1" 200 73 "http://xxx.xxxxxx.net.nz/horde/imp/compose.php?thismailbox=INBOX&uniq=1267181512410" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"

/tmp/horde.log

So let's have a look at the Horde log file.

grep "Feb 26 23:" /tmp/horde.log

Feb 26 23:49:39 HORDE [notice] [imp] Login success for [address hidden] [41.217.65.3] to {xxx.xxxxxx.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]

Notice the IP address 41.217.65.3

grep "41.217.65.3" /var/log/httpd/access_log | grep -c /horde/imp/compose.php
2024

That is 2024 accesses to compose emails from this IP address.

This is not a program but a person who has cracked the password of the user [address hidden] and is using this account to send spam.

grep "41.217.65.3" /tmp/horde.log

This shows the logins from that address started on the 19th but did not take off until the 25th.
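The same investigation as a script, so it can be re-run against the three logs without retyping the greps. This is an added example, not the post's own tooling: the log lines are constructed to mirror the formats shown above (sendmail maillog, Apache access_log, Horde/IMP login notices), the user names, host names and 203.0.113.x addresses are placeholders, the year for Apache timestamps is assumed (syslog lines carry none), and the 50-recipients-per-message threshold for "bulk" is an assumption, not anything the original page states.

```python
"""Correlate sendmail, Apache and Horde/IMP logs to find a webmail account
being used to send spam, and the IP addresses that logged in to it.

Added example, not the author's tooling. All log lines below are constructed
to mirror the formats shown in the post; names and 203.0.113.x IPs are placeholders.
"""
import re
from collections import Counter, defaultdict

# Constructed sample logs (not real extracts).
MAILLOG = """\
Feb 26 23:51:48 xxx sendmail[24483]: o1QApmA3024483: from=<victim@example.net.nz>, size=2517, nrcpts=100, msgid=<1@example.net.nz>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 26 23:52:45 xxx sendmail[24573]: o1QAqj3q024573: from=<victim@example.net.nz>, size=2517, nrcpts=100, msgid=<2@example.net.nz>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 27 00:01:55 xxx sendmail[25544]: o1QB1tZ0025544: from=<victim@example.net.nz>, size=2513, nrcpts=60, msgid=<3@example.net.nz>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
Feb 27 00:05:10 xxx sendmail[25901]: o1QB5AxQ025901: from=<alice@example.net.nz>, size=1204, nrcpts=1, msgid=<4@example.net.nz>, proto=ESMTP, daemon=Daemon0, relay=localhost [127.0.0.1]
"""

HORDELOG = """\
Feb 19 10:02:11 HORDE [notice] [imp] Login success for victim@example.net.nz [41.217.65.3] to {mail.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 25 21:30:02 HORDE [notice] [imp] Login success for victim@example.net.nz [41.217.65.3] to {mail.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 26 09:12:00 HORDE [notice] [imp] Login success for victim@example.net.nz [203.0.113.7] to {mail.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 26 18:44:21 HORDE [notice] [imp] Login success for alice@example.net.nz [203.0.113.9] to {mail.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
Feb 26 23:49:39 HORDE [notice] [imp] Login success for victim@example.net.nz [41.217.65.3] to {mail.example.net.nz:143} [on line 154 of "/var/www/html/horde/imp/redirect.php"]
"""

ACCESSLOG = """\
41.217.65.3 - - [26/Feb/2010:23:52:18 +1300] "POST /horde/imp/compose.php?uniq=62pyjpm6iua1 HTTP/1.1" 200 73 "http://mail.example.net.nz/horde/imp/compose.php?thismailbox=INBOX" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; InfoPath.2)"
203.0.113.7 - - [26/Feb/2010:23:52:40 +1300] "GET /horde/imp/mailbox.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
41.217.65.3 - - [27/Feb/2010:00:01:50 +1300] "POST /horde/imp/compose.php?uniq=q7x2 HTTP/1.1" 200 73 "-" "Mozilla/4.0"
"""

# sendmail "from=" line: sender and recipient count; ".*?" tolerates the ",," seen in real logs
SENDMAIL_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: '
                         r'from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<n>\d+)')
HORDE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) HORDE \[notice\] \[imp\] '
                      r'Login success for (?P<user>\S+) \[(?P<ip>[\d.]+)\]')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def recipients_per_sender(maillog):
    """Return {sender: (messages, total_recipients)} from sendmail 'from=' lines."""
    msgs, rcpts = Counter(), Counter()
    for line in maillog.splitlines():
        m = SENDMAIL_RE.match(line)
        if m:
            msgs[m['sender']] += 1
            rcpts[m['sender']] += int(m['n'])
    return {s: (msgs[s], rcpts[s]) for s in msgs}


def parse_logins(hordelog):
    """Return {user: {ip: (login_count, first_seen_ts)}} from IMP login notices.
    first_seen assumes the log is in chronological order, as syslog-style files are."""
    out = defaultdict(dict)
    for line in hordelog.splitlines():
        m = HORDE_RE.match(line)
        if m:
            count, first = out[m['user']].get(m['ip'], (0, m['ts']))
            out[m['user']][m['ip']] = (count + 1, first)
    return out


def syslog_minute_to_apache(ts, year):
    """'Feb 26 23:52:45' -> '26/Feb/2010:23:52'. Syslog has no year, so it is passed in."""
    mon, day, clock = ts.split()
    return f"{int(day):02d}/{mon}/{year}:{clock[:5]}"


def compose_posts_in_minute(accesslog, syslog_ts, year=2010):
    """IPs that POSTed to Horde's compose page in the minute of a maillog timestamp."""
    key = syslog_minute_to_apache(syslog_ts, year)
    hits = []
    for line in accesslog.splitlines():
        m = ACCESS_RE.match(line)
        if (m and m['ts'].startswith(key) and m['method'] == 'POST'
                and '/horde/imp/compose.php' in m['path']):
            hits.append(m['ip'])
    return hits


def suspect_accounts(maillog, hordelog, bulk_rcpts=50):
    """Senders averaging >= bulk_rcpts recipients per message (threshold is an
    assumption), each with the IPs that logged in as them, busiest first."""
    logins = parse_logins(hordelog)
    flagged = {}
    for sender, (msgs, rcpts) in recipients_per_sender(maillog).items():
        if rcpts / msgs < bulk_rcpts:
            continue
        ips = sorted(logins.get(sender, {}).items(), key=lambda kv: -kv[1][0])
        flagged[sender] = {"messages": msgs, "recipients": rcpts,
                           "login_ips": [(ip, n, first) for ip, (n, first) in ips]}
    return flagged


if __name__ == "__main__":
    for sender, info in suspect_accounts(MAILLOG, HORDELOG).items():
        print(f"{sender}: {info['messages']} messages, {info['recipients']} recipients")
        for ip, n, first in info["login_ips"]:
            print(f"  {ip}: {n} logins, first seen {first}")
```

On real logs, read the three files in place of the constructed strings; the sendmail regex only looks at `from=` lines, so the `to=` delivery lines in the same file are ignored, and the Apache match is restricted to POSTs to compose.php so that ordinary mailbox views from the legitimate user do not count.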

41.217.65.3

whois 41.217.65.3

[Querying whois.afrinic.net]
[whois.afrinic.net]
% This is the AfriNIC Whois server.
% Note: this output has been filtered.
% Information related to '41.217.0.0 - 41.217.127.255'

inetnum:      41.217.0.0 - 41.217.127.255
netname:      ZOOMNIGERIA
descr:        ZOOM Mobile Nigeria Ltd
country:      NG
admin-c:      AI22-AFRINIC
tech-c:       EK8-AFRINIC
org:          ORG-ZMNL1-AFRINIC
status:       ALLOCATED PA
mnt-by:       AFRINIC-HM-MNT
mnt-lower:    ZOOMNIGERIA-MNT
mnt-domains:  ZOOMNIGERIA-MNT
source:       AFRINIC # Filtered
parent:       41.0.0.0 - 41.255.255.255

organisation: ORG-ZMNL1-AFRINIC
org-name:     ZOOM Mobile Nigeria Ltd
org-type:     LIR
country:      NG
address:      8A, Adeola Odeku Street
address:      City: Victoria Island, Lagos
address:      Postal Code: 999999*
address:      Lagos
e-mail:       [address hidden]
e-mail:       [address hidden]
e-mail:       [address hidden]
phone:        +234-1-4312811
admin-c:      AI22-AFRINIC
admin-c:      TI3-AFRINIC
tech-c:       EK8-AFRINIC
mnt-ref:      AFRINIC-HM-MNT
mnt-ref:      ZOOMNIGERIA-MNT
mnt-by:       AFRINIC-HM-MNT
source:       AFRINIC # Filtered

person:       Andy Ibekaku
remarks:      Chief Technical Officer (CTO)
remarks:      ZOOM Mobile Nigeria Ltd
address:      8A, Adeola Odeku Street,
address:      Victoria Island,
address:      Lagos, Nigeria
phone:        +23414807505
e-mail:       [address hidden]
org:          ORG-ZMNL1-AFRINIC
nic-hdl:      AI22-AFRINIC
mnt-by:       ZOOMNIGERIA-MNT
source:       AFRINIC # Filtered

person:       Emi Kennedy
remarks:      IP/VSAT Transmission
remarks:      ZOOM Mobile Nigeria Ltd
address:      8A, Adeola Odeku Street,
address:      Victoria Island,
address:      Lagos, Nigeria
phone:        +23414312811


Not much luck going there.