Has my server been hacked?

18 posts / 0 new
Last post
#1 Tue, 03/01/2016 - 09:13
Brook

Has my server been hacked?

I've started to receive unusual emails, that look like they come from my own domain.

They are sent to me@mydomain.com and sent from emails that do not exist, like documents@mydomain.com

Looking at the headers seems to look like it would had I sent the email myself from a legitimate email. Apart from the send IP which is obviously not me (the IP is located in the middle east).

Here is the header:

Content-Type: multipart/mixed; boundary="----=_NextPart_000_0083_01D16275.41EF9110"
Mime-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
Return-Path: <documents@MY-DOMAIN.com>
X-Mimeole: Produced By Microsoft MimeOLE V6.1.7601.17609
X-Antivirus: avast! (VPS 160208-2, Tue, 01 Mar 2016 06:50:46 -0700), Outbound message
X-Original-To: ME@MY-DOMAIN.com
X-Original-To: MY-DOMAIN.com
Received: from bzq-85-130-211-101.static.bezeqint.net (bzq-85-130-211-101.static.bezeqint.net [85.130.211.101]) by server.MY-HOSTNAME-DOMAIN.net (Postfix) with ESMTP id BA6111C800F9 for <ME@MY-DOMAIN.com>; Tue,  1 Mar 2016 14:50:17 +0000 (GMT)
Delivered-To: me-mydomain.com@server.MY-HOSTNAME-DOMAIN.net
Message-Id: <F2A8FBD4E414B9C9D073DB58A1EA8A@MY-DOMAIN.com>
X-Antivirus-Status: Clean
Emailing: MX62EDO  01.03.2016

(85.130.211.101 is not my IP (it's in the Middle East))

I have an SPF record:

"v=spf1 a mx a:mydomain.com a:server.myhostnamedomain.net ip4:my.ip.add.ress -all"

Any idea what is going on?

Until recently I only ran FirewallD, but now I have installed CSF (config server firewall).

Tue, 03/01/2016 - 09:59
andreychek

Howdy,

I don't believe there is anything wrong on your server.

That Received-By header is showing that the email originated from the IP "85.130.211.101", which appears to be in Israel.

Now, that could possible be a user on your server whose PC was infected.

But my guess is that you're just receiving spam from a spammer whose creating emails to use a name you'd recognize (and be more likely to open).

-Eric

Tue, 03/01/2016 - 12:19
Brook

Thanks for the reply Eric.

Which are the best logs to look in so that I can see which emails were actually sent via the server? (We use postfix and dovecot on the server) I'll be worried if I see these in there, eek!

Congrats on the new look of the site btw - looks great!

Tue, 03/01/2016 - 20:11
andreychek

Howdy,

I don't believe that was the case, the headers suggest that an email was sent it from a remote system, to a user on your server. The headers don't show that the user authenticated, so they shouldn't have been able to relay through your server.

What you're seeing there is fairly normal (unfortunately). It doesn't jump out at me as a cause for concern.

However, you can review the email logs if you'd like to double-check, you can find those in either /var/log/maillog, or /var/log/mail.log, depending on your distro.

-Eric

Wed, 03/02/2016 - 20:48
Brook

Hi Eric,

When I look at the headers it seems just like my legitimate emails - which is what got me worried.

It also seems to be in the log:

Mar  2 16:18:02 rock postfix/qmgr[1433]: C15C31C801E5: removed
Mar  2 16:19:08 rock postfix/smtpd[4159]: connect from unknown[117.214.114.152]
Mar  2 16:19:09 rock postfix/smtpd[4159]: 2CBDE1C801E5: client=unknown[117.214.114.152]
Mar  2 16:19:09 rock postfix/cleanup[3164]: 2CBDE1C801E5: message-id=<201602251224149A.DCSML-S000280000.000074DD9C46@mydomain.com>
Mar  2 16:19:09 rock postfix/qmgr[1433]: 2CBDE1C801E5: from=<admin@mydomain.com>, size=3888, nrcpt=1 (queue active)
Mar  2 16:19:09 rock postfix/local[4164]: 2CBDE1C801E5: to=<me-mydomain.com@host.mydomain.net>, orig_to=<me@mydomain.com>, relay=local, delay=0.44, delays=0.4/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Mar  2 16:19:09 rock postfix/qmgr[1433]: 2CBDE1C801E5: removed
Mar  2 16:19:09 rock postfix/smtpd[4159]: disconnect from unknown[117.214.114.152]
  • The 117.214 IP is not mine.
  • The me@ email is my email address
  • The admin@ email is the suspect account that the email was sent from - there is no admin@ user in my virtualmin account for this domain.

What do you think? I'm kinda more worried now :/

Thu, 03/03/2016 - 14:46
andreychek

Howdy,

I wouldn't be the slightest bit worried about that. Anyone can forge an email and send it to any account on your server. It's possible to forge emails from your address.

That doesn't mean your server is compromised, it's just a forged email address.

-Eric

Fri, 03/04/2016 - 07:50
Brook

Thanks for the reply Eric :)

I am a little confused though, if the email is showing in the mail log as a postfix entry, doesn't that mean that they are using our smtp server(/postfix) to send the email?

Mar  2 16:19:09 rock postfix/qmgr[1433]: 2CBDE1C801E5: from=<admin@mydomain.com>, size=3888, nrcpt=1 (queue active)
Fri, 03/04/2016 - 10:36
andreychek

If email is coming or going on your server, Postfix has to be involved.

And any server on the Internet may send an email to your server.

This server simply created a new email, with forged contact information, and sent it to your server. The result of that is what you saw in the logs above.

They don't have any special access on your server, that's just the normal Postfix message saying "Hey, someone gave me a message to deliver, and here's what I'm doing with it".

-Eric

Fri, 03/04/2016 - 11:32
Brook

Thanks Eric :-) (I thought Postfix was only involved in the sending of email, as I have Dovecot installed for the pop3/receiving side.)

One last question, are there any logs I can look at to see emails that have actually been sent by my server?

Sun, 03/06/2016 - 20:28 (Reply to #9)
DonX

Hello, you should be able to see what emails were sent from your server in the maillog at: var/log/maillog or where ever your mail log is.

Wed, 03/23/2016 - 08:07 (Reply to #10)
Brook

Hi DonX, please see Eric's reply above. He said that it doesn't matter if an email is present in the log.

However I have to say I have become even more concerned, I am now getting emails from (some of our) email addresses that are very rarely (or never used) to send out email. Such as paypal@ourdomain (a forwarding) and mail@mydomain usually used with newsletters, e.g. mail+some_newletter_name@mydomain.

Is there anyway to check which emails are actually being sent via our SMTP server?

Thu, 03/24/2016 - 17:14 (Reply to #11)
DonX

Hello Brook,

It appears that someone or something most likely is making a fake email address (forged) and using your smtp server to send email either locally on your server or out into the world. See this link as to how it is done basically: http://www.wikihow.com/Forge-Email

Basically what the person or persons is doing is check a sever for an open smtp relay, connect to it, forge an email and send the email via your smtp server. It's basically how spam and junk emails are sent these days.

If you want to check what open relays you have, if this is the case for you, go to this site and type in your server ip address: http://mxtoolbox.com

You should be able to see from the results if smtp is an open relay. If so, you have to close this open relay and one way to do it is go into your postfix settings and make sure you have Authentication enabled for smtp.

Wed, 03/23/2016 - 23:16
andreychek

Well, it's not that it doesn't matter if it's in the logs... using the logs, you can determine the source of every email.

So using the logs, it's possible to determine that the email originated from another server, but it still had your email address.

In the example you shared above, it would show where any given email was originating from -- shortly above the entry you shared should also be an associated entry showing the IP address.

The answer to your recent question should be similar then -- in the logs, for any incoming or outgoing email, just look for the message that shows the IP address of where it originated. That will tell you if they're being sent by your SMTP server or not.

-Eric

Tue, 03/29/2016 - 11:51
Brook

Thanks for the replies both. Firstly I have checked on mxtoolbox and we are not running an open relay :)

I have also looked at the logs again, and I'm not sure how the IP address can help, because the server IP does not show anywhere - only my personal, ISP's own IP.

This is an email I sent, from one of my domains to another (both on the same server and the only IP shown is my personal IP that I get from my ISP):

Mar 29 17:24:10 rock postfix/smtpd[6343]: 28B411C80265: client=my.personal.IP.address.dyn.plus.net[46.46.64.46], sasl_method=PLAIN, sasl_username=my_name@my_domain_one.com
Mar 29 17:24:10 rock postfix/cleanup[7952]: 28B411C80265: message-id=<F86892D3-9FF0-4456-8203-81DBFD3317DB@my_domain_one.com>
Mar 29 17:24:10 rock postfix/qmgr[1433]: 28B411C80265: from=<my_name@my_domain_one.com>, size=558, nrcpt=1 (queue active)
Mar 29 17:24:10 rock postfix/local[7987]: 28B411C80265: to=<my-name-two.com@rock.myhostname.net>, orig_to=<my-name-two@my-domain-two.com>, relay=local, delay=0.24, delays=0.19/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Mar 29 17:24:10 rock postfix/qmgr[1433]: 28B411C80265: removed

So if the server IP does not show anywhere in the logs how can I tell which emails are sent by my server and which ones are fake?

Shouldn't fake emails only be showing with dovecot entries since they are only being received by my server? (I thought postfix entries would only show for emails being sent via my server's SMTP server. Why are the 'fake' entries showing as genuine postfix entries?).

EDIT:

Here is the latest 'fake' email in the logs:

Mar 29 17:36:05 rock postfix/smtpd[11924]: warning: hostname abts-kk-dynamic-059.37.179.122.airtelbroadband.in does not resolve to address 122.179.37.59: Name or service not known
Mar 29 17:36:05 rock postfix/smtpd[11924]: connect from unknown[122.179.37.59]
Mar 29 17:36:06 rock postfix/smtpd[11924]: 0CC6C1C8029D: client=unknown[122.179.37.59]
Mar 29 17:36:06 rock postfix/cleanup[11885]: 0CC6C1C8029D: message-id=<3207203C-2438-51AB-FE38-FD941F91E915@mydomain.com>
Mar 29 17:36:06 rock postfix/qmgr[1433]: 0CC6C1C8029D: from=<me@mydomain.com>, size=4971, nrcpt=1 (queue active)
Mar 29 17:36:06 rock postfix/local[11933]: 0CC6C1C8029D: to=<me-mydomain.com@rock.myserverdomain.net>, orig_to=<me@mydomain.com>, relay=local, delay=0.63, delays=0.58/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Mar 29 17:36:06 rock postfix/qmgr[1433]: 0CC6C1C8029D: removed
Mar 29 17:36:06 rock postfix/smtpd[11924]: disconnect from unknown[122.179.37.59]

Obv 122.179.37.59 is not my personal IP - and if it was replaced by my own IP it would look like a genuine request, hence my confusion. Sorry if I am missing something here.

Surely there has to be an easier way to see which emails are actually being sent by my server?

Tue, 03/29/2016 - 12:35
andreychek

Howdy,

Hmm, I'm not entirely certain what you're asking?

It's normal to see spammers attempt to send spam with fake email addresses, including using your own email address. There's also not much you can do about it.

Your server isn't doing anything wrong though. It's not relaying this email externally, which is good. Spammers are just sending spam to your server... which is a very unfortunate thing we all have going on.

If you aren't using SPF, you may want to enable that. SPF would make tools like SpamAssassin more likely to mark it as spam.

You may also want to enable greylisting, if it isn't already, which can further reduce spam.

-Eric

Wed, 03/30/2016 - 17:15
chupi

You can see the mails sent from:

Webmin -> Servers -> Postfix Mail Server -> User Mailboxes

and choose the user account

Thu, 03/31/2016 - 11:43 (Reply to #16)
Brook

Hi - where does it show emails sent by our SMPT server? It has emails sent TO mailboxes :/

Thu, 03/31/2016 - 08:32
Brook

Hi Eric

Apologies if I am not explaining myself very well.

I understand that spam is common, and even spam that looks like it has been sent from our own domains. However the thing that concerns me is that by looking at the headers of these 'fake' emails, they look indistinguishable from those that might be sent by myself. The only difference is the IP address (which isn't the server's IP as that isn't shown anywhere, but the IP of the sender - which would be different depending on the user's ISP).

Hence my question, which is how can we tell which emails are actually sent via our SMTP server?

(Not those received by it, but those actually sent via it.)

If this is still not making sense let me know and I'll try my best to rephrase it.