[SOLVED] Has my server been compromised?

[alapierre]

I had a HUGE surge of outgoing spam messages being sent from my server, found 1500 deferred messages that were sent within the past hour to tons of random yahoo/hotmail accounts. I quickly started checking logs, and in the audits.log file I found an account that was logging in thousands of times, it was a general email account that nobody uses. I quickly changed the password and the emails stopped. What worries me is that the IP Address that it was logging from is the external IP for my mail server. The log looks like this

Code:

2010-04-29 15:11:44,176 INFO  [btpool0-305] [ip=external ip removed;] security - cmd=Auth; account=<general address removed>; protocol=soap;

So...since they were coming from my server IP, has my server been compromised? How can I find out what has happened? It seems I've been fighting spam going from my server for a while now, but every time I think I have it locked down, this happens again. This was the first time I actually found an account tied to the spam though...any help is greatly appreciated! Thanks :-)

Edit:

Who/whatever did this is still trying to login repeatedly, but is getting the "invalid password" error logged to the audit.log file.

[n4bbq]

Yes, somehow they had guessed an account password.

Sounds like you have it under control now.

[alapierre]

Should I worry that the login IP was coming from my own server?

[n4bbq]

I am "assuming" the spammer was using port 80 to log in and generate the SPAM and that is why you are seeing the IP address of your actual mail server and not the IP address of the spammer.

If you have kept your server updated and you have a local firewall running (iptables or similar), I'd think that your server is fine.

[alapierre]

Great. Thanks for your help!

[owl700]

Have you applied this? I do not know if your version is affected first search the forum to make sure

Critical Security Issue

[dwmtractor]

Have you applied this? I do not know if your version is affected first search the forum to make sure

Critical Security Issue

This is a pretty old security issue, back in the 4.x series. The user's profile says he's using 5.0.9, which is WAY beyond when this was patched, so it should not be an issue.

[blazeking]

We had a similar error (webmail spoofed), but my log showed the IP of the hacker:

Code:

2010-01-19 00:12:17,989 INFO [btpool0-22965://localhost/service/soap/AuthRequest] [name=account@ourdomain.com;oip=173.162.144.38;ua=zclient/6.0.4_GA_2038.RHEL5_64;] security - cmd=Auth; account=account@ourdomain.com; protocol=soap;

Changing the password fixed the problem for us as well:

Code:

2010-01-19 14:23:51,075 WARN [btpool0-23545://localhost/service/soap/AuthRequest] [name=account@ourdomain.com;oip=64.251.25.150;ua=zclient/6.0.4_GA_2038.RHEL5_64;] security - cmd=Auth; account=account@ourdomain.com; protocol=soap; error=authentication failed for account@ourdomain.com, account(or domain) status is closed;