You have been compromised - Send From [email protected]

Discussion in 'ISPConfig 3 Priority Support' started by Siridion M. Cabudlan, Jun 27, 2020.

  1. Good day to all,
    I really need your help, guys!
    Some bad guys retrieved all the email addresses from our email server
    and sent an email message to every email user with the subject: “You have been compromised”.

    Full headers from an e-mail message:
    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
        by mail.mydomain.com (Postfix) with ESMTP id 21337C8242F
        for <[email protected]>; Fri, 26 Jun 2020 17:06:41 +0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
    X-Spam-Flag: NO
    X-Spam-Score: 2.274
    X-Spam-Level: **
    X-Spam-Status: No, score=2.274 tagged_above=1 required=4.5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
        RCVD_IN_MSPIKE_H2=-0.001, SORTED_RECIPS=2.474, SPF_PASS=-0.001]
        autolearn=no autolearn_force=no
    Authentication-Results: mail.mydomain.com (amavisd-new);
        dkim=pass (2048-bit key) header.d=yahoo.com
    Received: from mail.mydomain.com ([127.0.0.1])
        by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id c8IMfS8SfwNZ for <[email protected]>;
        Fri, 26 Jun 2020 17:06:40 +0800 (PST)
    Received: from sonic308-35.consmr.mail.ne1.yahoo.com (sonic308-35.consmr.mail.ne1.yahoo.com [66.163.187.58])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.mydomain.com (Postfix) with ESMTPS id BF92DC825DF
        for <[email protected]>; Fri, 26 Jun 2020 17:06:28 +0800 (PST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1593162385; bh=sZ6sp2VMy/ORQ5+uF7AJ57o+lenDg/SUsL7P1h9o/lg=; h=Date:From:To:Subject:References:From:Subject; b=nYxeqEC5vnMPPeKjqpFN+TwO5rUnDGkkJqURIhfaQdSGBnXR6DKzWZfbZDnrMWgHOtcR/4S2+W8ye2YkJIdquelvAkg0ciI76ulsGof4L3AYudgAbT/2+Ij5D/ewJ3ydLLTWydYDOnsEdmam0JF/U7TblvYHOXmDuNa17Y7ffyfKrStZrXNvafRwdfYl5DbPmwT7QlIKSLxzALIOSdrJakrtGWgLax7Z7E1W0FY1BJF1fGFx4pofcsk3nMHC0fl+V0F90CQuCXZJBcpD2lIsz2/H8JYNjNomGBnRUkx1UkbyQvyPSerJEZkwFHEKxyEQWtIMlEvxIQNdjeMquCrekA==
    X-YMail-OSG: PdnP55gVM1lo78DsQLMd9eJOegMjr_NOuIrU.3MejQVdPboPv4iOiK9HR0KXoaM
        e3NzZs_NMYup6RMgg54xRfOxN8.renkyWtRsXJL8NIKnQTikDntN7U8aWcKg_DfYayiRUDt6MrUS
        nWt7jsbWjWEvG0yycjI6mznmiPWaffeTAA8nzM9PQE8Qht0E18VzACkvDWlWyLYWW5G3anUu73pl
        QLOhVvGduzztay6FknGG.7Zf7Qhg3sljd9879JZlTD54mCTJ27HjPq3X8wE4.sdApPxtKJ.JlLrJ
        2t_Rx8ilGGtQNJL8g6Hqlkj_Xef0pc6WuuworBuf__zmLnliseIY08V_pfzLWBcufY4XlK86sq0s
        Iovlkfr1IGWlHrDiZ5oN2bGbp05xhEioZPcsr8BuykodtmCDPejigb7KGrc16YxlG7KrdZJf4WGG
        kH95LkI8Rq5HSV8gjfz96.vUuml2PsfWws7hQC.DW._0aenBFaKjdcnkHzJsAwJoUqbiRtjVzGl2
        K9Eihi0fgnSSPhZW3wGz5onSq4vSabXR1eusuWUd2OqQeLps_PkRQh11vW7Zf_GBmeLElnpw1jxb
        JBdfBRKMv4oVVAM.S4.zhHyHEjzUARznN5JQyrvQqo9SXer52FLZLs4mAIqCfG6Clr4VnhYFeZEm
        kUeisff01njWhP8kD.2jc0tjpCrtd.unV_GB64L854quJk7vPndn_vH0glPg9R9.ynIXlSm0QAO2
        0h8wIGACVTC5ESyaaToZcUH2w3ySUxo7pw6ezwRFG7d3zUVICUxyZIq3lWYqpjFX9IiXVJESrCEY
        MmR5C4IXoTq6ktGNfaRcA.NBylYyd8uqgbaBm9kBmeGSY6lC_uEKQnLzEChoEJ9jhwpUmA4Wh7qk
        IGqGas26C9izydncFSisker040rmvWF3U6JrR8hK.uZge.d.ENKhsFYz7dkVw7_SECRwNtxhfLk0
        r5cKKZkdAOCpfHDz5uNoRPOletBYyonMpeVuNcMcdareU8e6Op9RO2iYPL1auXEWb6.79XFi6y4I
        3QpkA9oPTySiG4UQx.dEq0UffxACj3nijZWi29cCXzSkc8RS_I.atTFxGDiAgVbZZuEDI0InVHqx
        cmiRDWD9ZJ0uJke3NcebWDsfhP8KJEbDvV6MAV9lLG.Rw3Qtap4m9RWozO0S_KlfV0Pt202EXQB5
        a8g0PYMmASLOzugIun5ZJ_7xKSJnfVI3XUSHjc_f7rj6_mk4naTA9ooIbF5mxcvsfk0wfGn2HkZk
        Q9sVzNEaFS0Wf0gSUYN3tm.bQ2z.JZhrkGB20OEa_PuLrAOrd
    Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Fri, 26 Jun 2020 09:06:25 +0000
    Date: Fri, 26 Jun 2020 08:54:22 +0000 (UTC)
    From: Hatters Grey <[email protected]>
    To: "[email protected]" <[email protected]>,
        ... ,
        "[email protected]" <[email protected]>
    Message-ID: <[email protected]>
    Subject: You have been compromised
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_Part_4027757_1188417035.1593161662968"
    References: <[email protected]>
    X-Mailer: WebService/1.1.16138 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
    

    Please help me: how do I fix this problem?
     
    Last edited: Jun 27, 2020
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That does not look like an e-mail log. It is the full headers from an e-mail message.
    The headers show your e-mail server received the message from a Yahoo server. If the culprits had compromised your server or e-mail accounts, they could have proved that by sending their nefarious messages using your e-mail server.
    What problem are you fixing?
    You can complain to Yahoo that their email user sends SPAM or ransom messages.
     
    Siridion M. Cabudlan likes this.
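    Taleman's reading of the headers can be done programmatically: walk the Received chain from the top (latest hop) down and report the first hop at which an outside host handed the message to our own MTA, then confirm it against the Authentication-Results verdict. The Python below is an added example, not code from the thread or from ISPConfig; the sample headers are a constructed, trimmed copy of the ones posted above, and the local host names and mailbox addresses are assumptions.

```python
import email
import re
from email import policy

# Constructed sample trimmed from the thread's headers; mailbox addresses are
# placeholders, host names are the ones the posted headers show.
RAW_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 21337C8242F
    for <user@mydomain.com>; Fri, 26 Jun 2020 17:06:41 +0800 (PST)
Authentication-Results: mail.mydomain.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id c8IMfS8SfwNZ for <user@mydomain.com>;
    Fri, 26 Jun 2020 17:06:40 +0800 (PST)
Received: from sonic308-35.consmr.mail.ne1.yahoo.com (sonic308-35.consmr.mail.ne1.yahoo.com [66.163.187.58])
    by mail.mydomain.com (Postfix) with ESMTPS id BF92DC825DF
    for <user@mydomain.com>; Fri, 26 Jun 2020 17:06:28 +0800 (PST)
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Fri, 26 Jun 2020 09:06:25 +0000
Subject: You have been compromised

"""

LOCAL_HOSTS = {"mail.mydomain.com", "localhost"}   # our MTA and filter hop (assumed)
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def _headers(raw, name):
    """All values of one header, unfolded onto a single line each."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(v) for v in msg.get_all(name, [])]

def received_hops(raw):
    """(from_host, by_host) per Received header, latest hop first."""
    hops = [HOP_RE.search(v) for v in _headers(raw, "Received")]
    return [(m.group(1).rstrip(";"), m.group(2).rstrip(";")) for m in hops if m]

def entry_point(raw, local_hosts=LOCAL_HOSTS):
    """Host that handed the message to our MTA from outside, or None when every
    hop is internal (a locally submitted message, which would deserve a look)."""
    for from_host, by_host in received_hops(raw):
        if by_host in local_hosts and from_host not in local_hosts:
            return from_host
    return None

def auth_results(raw):
    """Verdicts our own filter recorded, e.g. {'dkim': 'pass'}."""
    return dict(AUTH_RE.findall(" ".join(_headers(raw, "Authentication-Results"))))
```

    For the posted message the entry point is the Yahoo relay and DKIM passes for yahoo.com, which is what Taleman concluded: the mail entered from outside rather than being sent through the server itself.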
  3. Hi @Taleman, thank you for the reply.
    I have some questions:
    1.) Is it safe to remove the spam email messages from the vmail directory?
    2.) And how do I check whether our server has been compromised?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    1. If you just remove the file, the e-mail index will be wrong, so you should re-index afterwards. Or use the admin commands of the e-mail system to remove the messages; that should preserve the index, or re-index afterwards.
    2. I don't know a simple way to make sure a server has not been compromised. Do you have a reason to believe it is compromised?
    That grayhatter sending to all your e-mail addresses does not indicate compromise. They may have purchased a list of e-mail addresses.
    If you are worried, there are ways to try to find compromises. ISPConfig has https://ispprotect.com/ for example.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Siridion M. Cabudlan likes this.
  6. Hi @till
    I have already purchased an ISPProtect 5-scans license and scanned the /var/www directory, and ISPProtect found nothing.

    It is possible that the back-up email was intercepted through the network,
    because the back-up email was forwarded to Google Drive using google-drive-ocamlfuse.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The most likely reason for your issue is that there is no issue at all. Receiving this kind of email is normal; that's the usual spam, and the emails are no indication that a system is compromised. If you don't want to contact Yahoo so that they close that account, then add a global mail filter in ISPConfig instead to delete these emails automatically when they arrive. So unless the text of these emails reveals anything that only someone who compromised your system could know, like the cleartext root password or something similar, you should assume that your system has not been compromised.
     
    Th0m and Siridion M. Cabudlan like this.
