Help - hacked server

akerber00
New user
Posts: 16
Joined: 2008-06-04 05:28

Help - hacked server

Post by akerber00 » 2008-09-22 16:04

I have been hacked, but I can't figure out how to keep this guy from logging in. Can anyone tell me how to keep this guy from using my server to send spam? I can't even tell what account he is using.

Here is the transcript:

"TCPIP" 3284 "2008-09-22 08:52:09.194" "Created accept socket 1384 on listening socket 924"
"DEBUG" 3284 "2008-09-22 08:52:09.194" "Socket::Socket(ID: 330)"
"SMTPD" 3284 330 "2008-09-22 08:52:09.194" "92.83.231.148" "SENT: 220 dbakerber.net ESMTP"
"SMTPD" 3284 330 "2008-09-22 08:52:09.397" "92.83.231.148" "RECEIVED: EHLO User"
"SMTPD" 3284 330 "2008-09-22 08:52:09.397" "92.83.231.148" "SENT: 250-hmailserver[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "RECEIVED: AUTH LOGIN"
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "SENT: 235 authenticated."
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "RECEIVED: RCPT TO:<hum@aol.com>"
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "SENT: 250 OK"
"SMTPD" 3284 330 "2008-09-22 08:52:10.272" "92.83.231.148" "RECEIVED: RSET"
"SMTPD" 3284 330 "2008-09-22 08:52:10.272" "92.83.231.148" "SENT: 250 OK"
"SMTPD" 3284 281

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: Help - hacked server

Post by GlenC » 2008-09-22 16:32

He's logging in via your "oracle" account... you really, really need to change that password. (and any like it)

akerber00
New user
Posts: 16
Joined: 2008-06-04 05:28

Re: Help - hacked server

Post by akerber00 » 2008-09-22 16:38

How can you tell it is the oracle account?

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: Help - hacked server

Post by GlenC » 2008-09-22 16:58

The random-looking characters in that snippet are only base64 encoded representations of the username and password, they aren't encrypted. I decoded them here:
http://www.opinionatedgeek.com/dotnet/t ... fault.aspx
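
The decoding described in the reply above can be done offline over the whole log. This is an added example, not part of the original thread: a Python script that follows each SMTP session's AUTH LOGIN exchange and reports which account authenticated from which address. The log-line layout is inferred from the transcript in this thread, and the names `auth_login_events` and `b64_text` are hypothetical.

```python
import base64
import re

# Excerpt of the transcript posted in this thread (sessions 330 and 257).
SAMPLE = r'''
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "SENT: 235 authenticated."
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "RECEIVED: RCPT TO:<hum@aol.com>"
'''.strip().splitlines()

# Assumed layout: "SMTPD" thread session "timestamp" "ip" "message"
LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"(.*)"\s*$')

def b64_text(token):
    """Decode a base64 token to text; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def auth_login_events(lines):
    """Return one record per completed AUTH LOGIN exchange, tracked per session id."""
    pending, events = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # TCPIP/DEBUG lines and truncated records
        session, ts, ip, msg = m.groups()
        direction, _, payload = msg.partition(": ")
        state = pending.setdefault(session, {})
        if direction == "SENT" and payload.startswith("334 "):
            prompt = (b64_text(payload[4:].strip()) or "").rstrip(":").lower()
            state["expect"] = prompt if prompt in ("username", "password") else None
        elif direction == "RECEIVED" and state.get("expect"):
            state[state.pop("expect")] = b64_text(payload.strip())
        elif direction == "SENT" and payload[:3] in ("235", "535") and "username" in state:
            user, pw = state["username"], state.get("password")
            events.append({"session": session, "time": ts, "ip": ip, "user": user,
                           "success": payload[:3] == "235",
                           # Report the weakness, never the secret itself.
                           "password_equals_user": pw is not None and pw == user})
            del pending[session]
    return events

if __name__ == "__main__":
    print(*auth_login_events(SAMPLE), sep="\n")
```

Records with `success` set show which accounts need a new password first; `password_equals_user` marks accounts whose password matched the account name.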

akerber00
New user
Posts: 16
Joined: 2008-06-04 05:28

Re: Help - hacked server

Post by akerber00 » 2008-09-22 17:56

Ok, thanks. I changed the password for Oracle, but what I really need to do is set that account to internal network only. Is that possible (i.e., only take messages if it is coming from my internal network, as opposed to the internet)?

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: Help - hacked server

Post by GlenC » 2008-09-23 00:42

Maybe you can do something with a rule (or script) that would work. There is no option provided in hMailServer for that though.
