
Help - hacked server

Posted: 2008-09-22 16:04
by akerber00
I have been hacked, but I can't figure out how to keep this guy from logging in. Can anyone tell me how to keep this guy from using my server to send spam? I can't even tell what account he is using.

Here is the transcript:

"TCPIP" 3284 "2008-09-22 08:52:09.194" "Created accept socket 1384 on listening socket 924"
"DEBUG" 3284 "2008-09-22 08:52:09.194" "Socket::Socket(ID: 330)"
"SMTPD" 3284 330 "2008-09-22 08:52:09.194" "92.83.231.148" "SENT: 220 dbakerber.net ESMTP"
"SMTPD" 3284 330 "2008-09-22 08:52:09.397" "92.83.231.148" "RECEIVED: EHLO User"
"SMTPD" 3284 330 "2008-09-22 08:52:09.397" "92.83.231.148" "SENT: 250-hmailserver[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "RECEIVED: AUTH LOGIN"
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "SENT: 235 authenticated."
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "RECEIVED: RCPT TO:<hum@aol.com>"
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "SENT: 250 OK"
"SMTPD" 3284 330 "2008-09-22 08:52:10.272" "92.83.231.148" "RECEIVED: RSET"
"SMTPD" 3284 330 "2008-09-22 08:52:10.272" "92.83.231.148" "SENT: 250 OK"
"SMTPD" 3284 281

Re: Help - hacked server

Posted: 2008-09-22 16:32
by GlenC
He's logging in via your "oracle" account... you really, really need to change that password (and any like it).

Re: Help - hacked server

Posted: 2008-09-22 16:38
by akerber00
How can you tell it is the oracle account?

Re: Help - hacked server

Posted: 2008-09-22 16:58
by GlenC
The random-looking characters in that snippet are only base64-encoded representations of the username and password; they aren't encrypted. I decoded them here:
http://www.opinionatedgeek.com/dotnet/t ... fault.aspx
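
The decoding described in the post above can be run over a whole log instead of one snippet at a time. The following is an added example, not part of the original posts: a Python sketch that assumes the six-field SMTPD line layout shown in the transcript, follows each session's AUTH LOGIN exchange, and reports which account received `235 authenticated` and from which address (function and variable names are illustrative).

```python
import base64
import re

# Constructed sample: lines copied from the transcript earlier in this thread.
SAMPLE_LOG = '''\
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "RECEIVED: AUTH LOGIN"
"SMTPD" 3284 330 "2008-09-22 08:52:09.631" "92.83.231.148" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:09.819" "92.83.231.148" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "RECEIVED: b3JhY2xl"
"SMTPD" 3284 330 "2008-09-22 08:52:10.053" "92.83.231.148" "SENT: 235 authenticated."
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "RECEIVED: RCPT TO:<hum@aol.com>"
"SMTPD" 3284 257 "2008-09-22 08:52:10.100" "221.234.24.46" "SENT: 250 OK"
"SMTPD" 3284 281
'''

# Assumed layout: "SMTPD" thread session "timestamp" "ip" "SENT|RECEIVED: text"
LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"(SENT|RECEIVED): (.*)"$')

def b64text(value):
    """Decode a base64 token; return None when it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def successful_logins(log_text):
    """Return one record per session that completed AUTH LOGIN with a 235 reply."""
    sessions, hits = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other log types, or truncated lines such as the last one
        sid, ts, ip, direction, msg = m.groups()
        st = sessions.setdefault(sid, {"expect": None, "user": None, "weak": False})
        if direction == "SENT" and msg.startswith("334 "):
            # The server prompt is base64 too: "Username:" or "Password:"
            prompt = b64text(msg[4:]) or ""
            st["expect"] = {"Username:": "user", "Password:": "pass"}.get(prompt)
        elif direction == "RECEIVED" and st["expect"] == "user":
            st["user"], st["expect"] = b64text(msg), None
        elif direction == "RECEIVED" and st["expect"] == "pass":
            # Compare only; the decoded password is not kept.
            st["weak"] = st["user"] is not None and b64text(msg) == st["user"]
            st["expect"] = None
        elif direction == "SENT" and msg.startswith("235"):
            hits.append({"session": sid, "time": ts, "ip": ip,
                         "user": st["user"], "password_equals_username": st["weak"]})
    return hits
```
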

Re: Help - hacked server

Posted: 2008-09-22 17:56
by akerber00
OK, thanks. I changed the password for Oracle, but what I really need to do is set that account to internal network only. Is that possible (i.e., only take messages if they are coming from my internal network, as opposed to the internet)?

Re: Help - hacked server

Posted: 2008-09-23 00:42
by GlenC
Maybe you can do something with a rule (or script) that would work. There is no option provided in hMailServer for that, though.