Unusual attack on the mailbox

Is there any way to decode the password of a user's mailbox in the Hestia panel? I know they are stored in /home/user/conf/mail/dom.ain/passwd; are they stored anywhere else?
I am asking because I had a very strange case where the server itself sent, from the user's account, a plain-text e-mail containing the server name, account name, port 587 and the decrypted password to the attacker's mailbox. I only know this because his server bounced that e-mail due to traffic congestion, so I was able to see the contents of the bounced e-mail. Eventually the mail was delivered and a massive spam mailing started from that account. It took about half an hour; the password was changed and I started watching the logs on the server. Almost the whole world has tried to use this hacked account and it continues to this day (i.e. for about 2 weeks). Machines with completely different IPs are constantly trying to log in with that old password; the mechanism that adds permanent bans to iptables has banned several hundred IP addresses and is still adding more.
Question: how could the server itself send an e-mail with the decoded password to the attacker's mailbox? It was not a classic brute-force attack, because the attacker did not guess the password, he simply got it.

Description: Ubuntu 20.04.3 LTS
The system was fully up to date at the time of the attack.

Probably filled out “Email login credentials to:” while creating the mailbox?

Thanks for the answer, but that's not the reason. The account has been on the server for a long time, and previously it was also on an earlier version of Ubuntu (I had the ehcp management panel there); the account itself has existed for many years. When it was set up in the Hestia panel, nothing was sent anywhere because there was no need. Brute-force attacks went on for some time but were not successful; besides, fail2ban keeps adding new IP addresses for permanent blocking. Here is a case where the account data was suddenly sent to the attacker's mailbox.
I will show the logs as they looked (I have replaced the name with [email protected]):

/var/log/exim4/mainlog.1:2022-01-24 15:33:10 1nC0P8-00AuSa-LG malware acl condition: clamd /var/run/clamav/clamd.ctl : unable to connect to UNIX socket (/var/run/clamav/clamd.ctl): Connection refused
/var/log/exim4/mainlog.1:2022-01-24 15:33:10 1nC0P8-00AuSa-LG <= [email protected] H=ec2-54-219-198-77.us-west-1.compute.amazonaws.com (fairview.iu5.org) [54.219.198.77] P=esmtpa A=dovecot_login:[email protected] S=528 [email protected]

This is the first trace of an attempt to send this e-mail; for some unknown reason clamav did not work, maybe due to low RAM on the server.
Next:

/var/log/exim4/mainlog.1:2022-01-24 15:33:12 1nC0P8-00AuSa-LG H=mx01.mail.de [62.201.172.18]: SMTP error from remote mail server after RCPT TO:[email protected]: 450 Traffic is being throttled (rcpt-to address limit: (no name))

/var/log/exim4/mainlog.1:2022-01-24 15:33:13 1nC0P8-00AuSa-LG == [email protected] R=dnslookup T=remote_smtp defer (-44) H=mx02.mail.de [62.201.172.19]: SMTP error from remote mail server after RCPT TO:[email protected]: 450 Traffic is being throttled (rcpt-to address limit: (no name))

Here is the information from the target server that the message could not be delivered.
Next:

/var/log/exim4/mainlog.1:2022-01-24 15:49:51 1nC0P8-00AuSa-LG ** [email protected] R=dnslookup T=remote_smtp H=mx02.mail.de [62.201.172.19] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256 CV=yes: SMTP error from remote mail server after end of data: 550 SPAM id=153031::1643035791-00004BCC-6D162F08/17/50630

This is very interesting: the target server bounced the message, stating that it is spam.
Next:

/var/log/exim4/mainlog.1:2022-01-24 15:49:51 1nC0fH-00AuoX-TO <= <> R=1nC0P8-00AuSa-LG U=Debian-exim P=local S=2004
/var/log/exim4/mainlog.1:2022-01-24 15:49:52 1nC0fH-00AuoX-TO => account [email protected] R=localuser T=dovecot_lmtp C="250 2.0.0 [email protected] WYXVOI+87mHSsicAHhyrPw Saved"
/var/log/exim4/mainlog.1:2022-01-24 15:49:52 1nC0fH-00AuoX-TO Completed

Here the server probably saved the bounced message in the inbox; this was the message:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
host mx02.mail.de [62.201.172.19]
SMTP error from remote mail server after end of data:
550 SPAM id=153031::1643035791-00004BCC-6D162F08/17/50630
Reporting-MTA: dns; xxx.xxx.forpsi.net

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; mx02.mail.de
Diagnostic-Code: smtp; 550 SPAM id=153031::1643035791-00004BCC-6D162F08/17/50630
Subject NB2401
From [email protected]
To [email protected]
Date 2022-01-24 15:33
mail.dom.ain,587,[email protected],open_text_password

However, the recipient somehow received this message because a massive spam mailing from this account began immediately afterwards.

Any suggestions?
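The Exim log lines above can be correlated by message ID to show the whole life of that one message: the authenticated submission (P=esmtpa, A=dovecot_login) from a cloud host, the 450 deferrals, the 550 bounce and the locally generated bounce notice that landed in the inbox. The following is an added example, not part of the original post and not Hestia's own code. It parses a constructed log modelled on the excerpt (placeholder message IDs, hosts and addresses, plus one assumed normal submission from a home IP) and flags authenticated submissions that come from an IP the account has never used or that end up bounced as spam, which is the signal that would have caught this abuse at 15:33 rather than after the bounce.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines modelled on the Exim mainlog excerpt in the post above.
# Message IDs, hosts and addresses are placeholders, not the original log; the last
# line is an assumed "normal" submission from the account owner's own client.
SAMPLE_LOG = """\
2022-01-24 15:33:10 1nC0P8-00AuSa-LG <= user@dom.ain H=ec2-54-219-198-77.us-west-1.compute.amazonaws.com (fairview.iu5.org) [54.219.198.77] P=esmtpa A=dovecot_login:user@dom.ain S=528 id=abc123@dom.ain
2022-01-24 15:33:12 1nC0P8-00AuSa-LG H=mx01.mail.de [62.201.172.18]: SMTP error from remote mail server after RCPT TO:<attacker@mail.de>: 450 Traffic is being throttled (rcpt-to address limit: (no name))
2022-01-24 15:33:13 1nC0P8-00AuSa-LG == attacker@mail.de R=dnslookup T=remote_smtp defer (-44) H=mx02.mail.de [62.201.172.19]: SMTP error from remote mail server after RCPT TO:<attacker@mail.de>: 450 Traffic is being throttled (rcpt-to address limit: (no name))
2022-01-24 15:49:51 1nC0P8-00AuSa-LG ** attacker@mail.de R=dnslookup T=remote_smtp H=mx02.mail.de [62.201.172.19] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_256_GCM:256 CV=yes: SMTP error from remote mail server after end of data: 550 SPAM id=153031::1643035791-00004BCC-6D162F08/17/50630
2022-01-24 15:49:51 1nC0fH-00AuoX-TO <= <> R=1nC0P8-00AuSa-LG U=Debian-exim P=local S=2004
2022-01-24 15:49:52 1nC0fH-00AuoX-TO => user user@dom.ain R=localuser T=dovecot_lmtp C="250 2.0.0 ok Saved"
2022-01-24 15:49:52 1nC0fH-00AuoX-TO Completed
2022-01-24 16:02:00 1nC0rX-00Av01-AB <= user@dom.ain H=(laptop) [203.0.113.7] P=esmtpsa A=dovecot_login:user@dom.ain S=1200 id=def456@dom.ain
"""

# Exim message IDs have the form XXXXXX-YYYYYY-ZZ and prefix every line about a message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<mid>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PROTO_RE = re.compile(r"\bP=(\S+)")
AUTH_RE = re.compile(r"\bA=(\S+)")
BOUNCE_OF_RE = re.compile(r"\bR=(\w{6}-\w{6}-\w{2})\b")


@dataclass
class Message:
    mid: str
    first_seen: str
    sender: str = ""
    client_ip: Optional[str] = None
    protocol: Optional[str] = None
    auth_user: Optional[str] = None          # authenticated id from A=authenticator:id
    bounce_of: Optional[str] = None          # for a "<= <>" bounce: the message it reports on
    outcomes: List[Tuple[str, str]] = field(default_factory=list)  # (flag, recipient)
    completed: bool = False


def parse_mainlog(text: str) -> Dict[str, Message]:
    """Group mainlog lines by Exim message ID and record arrival, deliveries and bounces."""
    msgs: Dict[str, Message] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mid, rest = m.group("mid"), m.group("rest")
        msg = msgs.setdefault(mid, Message(mid=mid, first_seen=m.group("ts")))
        tokens = rest.split()
        if rest.startswith("<= "):                      # message arrival
            msg.sender = tokens[1]
            ip, proto, auth = IP_RE.search(rest), PROTO_RE.search(rest), AUTH_RE.search(rest)
            msg.client_ip = ip.group(1) if ip else None
            msg.protocol = proto.group(1) if proto else None
            if auth:
                msg.auth_user = auth.group(1).split(":", 1)[-1]
            if msg.sender == "<>":                      # null sender: a locally generated bounce
                r = BOUNCE_OF_RE.search(rest)
                msg.bounce_of = r.group(1) if r else None
        elif rest[:3] in ("=> ", "** ", "== "):         # delivered / bounced / deferred
            # local deliveries log "=> localpart address ...", remote ones "** address ..."
            rcpt = next((t for t in tokens[1:] if "@" in t), tokens[1])
            msg.outcomes.append((rest[:2], rcpt))
        elif rest == "Completed":
            msg.completed = True
    return msgs


def authenticated_submissions(msgs: Dict[str, Message], known_ips: Set[str]) -> List[dict]:
    """Every SMTP AUTH submission, flagged when the client IP is not one the account
    is known to use, or when the message was rejected downstream as spam."""
    out = []
    for msg in msgs.values():
        if not msg.auth_user:
            continue
        bounced = any(flag == "**" for flag, _ in msg.outcomes)
        out.append({
            "mid": msg.mid, "time": msg.first_seen, "user": msg.auth_user,
            "ip": msg.client_ip, "protocol": msg.protocol,
            "recipients": sorted({r for _, r in msg.outcomes}),
            "bounced": bounced,
            "bounce_ids": [b.mid for b in msgs.values() if b.bounce_of == msg.mid],
            "suspicious": msg.client_ip not in known_ips or bounced,
        })
    return sorted(out, key=lambda d: d["time"])


if __name__ == "__main__":
    # known_ips is an assumption: the IPs the account owner actually sends from.
    for s in authenticated_submissions(parse_mainlog(SAMPLE_LOG), known_ips={"203.0.113.7"}):
        print(("SUSPICIOUS " if s["suspicious"] else "ok         ") + str(s))
```

On a real server the input is /var/log/exim4/mainlog (and the rotated mainlog.1) and the known IPs come from the account's normal client history; the first submission in the sample is flagged on two independent grounds, an unknown cloud source IP and a 550 SPAM rejection, and the script also links it to the bounce notice that was delivered to the inbox.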

Is there any chance that the attacker used the API of your Hestia panel and forced it to send the login details of the account that was already on the server to his e-mail address?
It occurred to me just now; I checked it in the panel and API access was turned on (I was convinced I had turned it off right at the beginning!). However, I don't know how the attacker could have used it. Could he have?

You can't send email via the API.

Also, mail passwords are stored encrypted only; I don't think there is an easy way to decrypt them either.

Yes, everything you write seems obvious, and yet the server sent a decrypted password to some e-mail address which I saw for the first time in the logs. It had never appeared in any correspondence before.

Today alone there have been this many attempts to send e-mail with this hacked password. Interestingly, whoever controls this spam network still hasn't caught on; the scale has to be enormous.


Feb 06 00:05:42 auth: Info: passwd-file([email protected],178.219.179.29,<OmkcaE3Xkdqy27Md>): Password mismatch (given password: old_password)
Feb 06 00:05:48 auth: Info: passwd-file([email protected],178.219.179.29,<OmkcaE3Xkdqy27Md>): Password mismatch (given password: old_password)
Feb 06 00:19:20 auth: Info: passwd-file([email protected],36.96.212.110): Password mismatch (given password: old_password)
Feb 06 00:26:25 auth: Info: passwd-file([email protected],50.209.130.129): Password mismatch (given password: old_password)
Feb 06 00:29:14 auth: Info: passwd-file([email protected],23.105.171.85,<dS88vE3XS/4XaatV>): Password mismatch (given password: old_password)
Feb 06 00:40:20 auth: Info: passwd-file([email protected],27.116.255.152): Password mismatch (given password: old_password)
Feb 06 00:41:49 auth: Info: passwd-file([email protected],125.124.211.17): Password mismatch (given password: old_password)
Feb 06 00:50:09 auth: Info: passwd-file([email protected],185.135.226.224): Password mismatch (given password: old_password)
Feb 06 01:01:16 auth: Info: passwd-file([email protected],97.81.177.196): Password mismatch (given password: old_password)
Feb 06 01:08:47 auth: Info: passwd-file([email protected],175.170.139.216): Password mismatch (given password: old_password)
Feb 06 01:16:09 auth: Info: passwd-file([email protected],35.240.29.135): Password mismatch (given password: old_password)
Feb 06 01:17:51 auth: Info: passwd-file([email protected],83.143.52.76): Password mismatch (given password: old_password)
Feb 06 01:30:44 auth: Info: passwd-file([email protected],119.6.57.76): Password mismatch (given password: old_password)
Feb 06 01:33:41 auth: Info: passwd-file([email protected],178.12.202.234,<i+e8ok7XJ96yDMrq>): Password mismatch (given password: old_password)
Feb 06 01:54:50 auth: Info: passwd-file([email protected],115.231.254.38): Password mismatch (given password: old_password)
Feb 06 02:01:11 auth: Info: passwd-file([email protected],178.120.64.160,<TQYbBU/XvWGyeECg>): Password mismatch (given password: old_password)
Feb 06 02:01:17 auth: Info: passwd-file([email protected],178.120.64.160,<TQYbBU/XvWGyeECg>): Password mismatch (given password: old_password)
Feb 06 02:04:49 auth: Info: passwd-file([email protected],177.53.68.223): Password mismatch (given password: old_password)
Feb 06 02:11:32 auth: Info: passwd-file([email protected],219.147.24.134): Password mismatch (given password: old_password)
Feb 06 02:18:44 auth: Info: passwd-file([email protected],177.53.70.124): Password mismatch (given password: old_password)
Feb 06 02:22:43 auth: Info: passwd-file([email protected],159.89.207.44): Password mismatch (given password: old_password)
Feb 06 02:51:40 auth: Info: passwd-file([email protected],105.30.26.38): Password mismatch (given password: old_password)
Feb 06 02:51:48 auth: Info: passwd-file([email protected],114.104.178.80): Password mismatch (given password: old_password)
Feb 06 03:00:06 auth: Info: passwd-file([email protected],159.224.255.79): Password mismatch (given password: old_password)
Feb 06 03:11:56 auth: Info: passwd-file([email protected],80.52.205.66): Password mismatch (given password: old_password)
Feb 06 03:19:12 auth: Info: passwd-file([email protected],87.121.76.213): Password mismatch (given password: old_password)
Feb 06 03:20:44 auth: Info: passwd-file([email protected],162.252.203.114): Password mismatch (given password: old_password)
Feb 06 03:31:59 auth: Info: passwd-file([email protected],103.126.31.21): Password mismatch (given password: old_password)
Feb 06 03:35:42 auth: Info: passwd-file([email protected],143.137.191.17): Password mismatch (given password: old_password)
Feb 06 03:45:15 auth: Info: passwd-file([email protected],195.133.18.189,<SgBAeVDXjsbDhRK9>): Password mismatch (given password: old_password)
Feb 06 03:47:14 auth: Info: passwd-file([email protected],37.99.254.76): Password mismatch (given password: old_password)
Feb 06 03:49:55 auth: Info: passwd-file([email protected],110.78.164.132): Password mismatch (given password: old_password)
Feb 06 03:52:32 auth: Info: passwd-file([email protected],177.53.68.72): Password mismatch (given password: old_password)
Feb 06 03:53:16 auth: Info: passwd-file([email protected],46.42.14.48,<R9DslVDXFdsuKg4w>): Password mismatch (given password: old_password)
Feb 06 03:53:22 auth: Info: passwd-file([email protected],46.42.14.48,<R9DslVDXFdsuKg4w>): Password mismatch (given password: old_password)
Feb 06 04:09:17 auth: Info: passwd-file([email protected],64.74.157.34): Password mismatch (given password: old_password)
Feb 06 04:21:47 auth: Info: passwd-file([email protected],160.16.210.34): Password mismatch (given password: old_password)
Feb 06 04:32:33 auth: Info: passwd-file([email protected],201.166.154.228): Password mismatch (given password: old_password)
Feb 06 04:33:37 auth: Info: passwd-file([email protected],221.131.86.182): Password mismatch (given password: old_password)
Feb 06 04:44:01 auth: Info: passwd-file([email protected],112.220.22.162): Password mismatch (given password: old_password)
Feb 06 04:52:32 auth: Info: passwd-file([email protected],213.195.223.79): Password mismatch (given password: old_password)
Feb 06 04:55:59 auth: Info: passwd-file([email protected],177.53.68.240): Password mismatch (given password: old_password)
Feb 06 05:01:26 auth: Info: passwd-file([email protected],35.189.55.255): Password mismatch (given password: old_password)
Feb 06 05:07:46 auth: Info: passwd-file([email protected],123.125.218.66): Password mismatch (given password: old_password)
Feb 06 05:29:27 auth: Info: passwd-file([email protected],189.45.34.58): Password mismatch (given password: old_password)
Feb 06 05:30:34 auth: Info: passwd-file([email protected],50.193.96.241): Password mismatch (given password: old_password)
Feb 06 05:48:15 auth: Info: passwd-file([email protected],150.107.207.137,<OjkRMVLX+7mWa8+J>): Password mismatch (given password: old_password)
Feb 06 05:48:21 auth: Info: passwd-file([email protected],150.107.207.137,<OjkRMVLX+7mWa8+J>): Password mismatch (given password: old_password)
Feb 06 06:04:39 auth: Info: passwd-file([email protected],84.246.151.235): Password mismatch (given password: old_password)
Feb 06 06:10:22 auth: Info: passwd-file([email protected],84.246.151.175): Password mismatch (given password: old_password)
Feb 06 06:15:31 auth: Info: passwd-file([email protected],177.53.68.52): Password mismatch (given password: old_password)
Feb 06 06:36:19 auth: Info: passwd-file([email protected],103.52.252.48,<H3//3FLXQ5hnNPww>): Password mismatch (given password: old_password)
Feb 06 06:36:26 auth: Info: passwd-file([email protected],103.52.252.48,<H3//3FLXQ5hnNPww>): Password mismatch (given password: old_password)
Feb 06 06:37:44 auth: Info: passwd-file([email protected],222.80.39.17): Password mismatch (given password: old_password)
Feb 06 06:38:52 auth: Info: passwd-file([email protected],106.105.218.111): Password mismatch (given password: old_password)
Feb 06 06:51:30 auth: Info: passwd-file([email protected],41.57.99.171,<jq5TE1PXm+spOWOr>): Password mismatch (given password: old_password)
Feb 06 06:51:36 auth: Info: passwd-file([email protected],41.57.99.171,<jq5TE1PXm+spOWOr>): Password mismatch (given password: old_password)
Feb 06 07:03:12 auth: Info: passwd-file([email protected],159.192.96.135): Password mismatch (given password: old_password)
Feb 06 07:10:40 auth: Info: passwd-file([email protected],177.53.68.93): Password mismatch (given password: old_password)
Feb 06 07:10:55 auth: Info: passwd-file([email protected],175.106.11.94): Password mismatch (given password: old_password)
Feb 06 07:23:48 auth: Info: passwd-file([email protected],177.53.68.62): Password mismatch (given password: old_password)
Feb 06 07:24:27 auth: Info: passwd-file([email protected],36.96.212.42): Password mismatch (given password: old_password)
Feb 06 07:27:28 auth: Info: passwd-file([email protected],218.22.190.133): Password mismatch (given password: old_password)
Feb 06 07:40:45 auth: Info: passwd-file([email protected],35.201.3.228): Password mismatch (given password: old_password)
Feb 06 07:50:51 auth: Info: passwd-file([email protected],194.250.15.169): Password mismatch (given password: old_password)
Feb 06 07:53:03 auth: Info: passwd-file([email protected],192.210.236.154): Password mismatch (given password: old_password)
Feb 06 07:56:38 auth: Info: passwd-file([email protected],77.40.93.79): Password mismatch (given password: old_password)
Feb 06 08:01:10 auth: Info: passwd-file([email protected],185.30.177.234,<Bht/DFTX9JK5HrHq>): Password mismatch (given password: old_password)
Feb 06 08:01:15 auth: Info: passwd-file([email protected],185.30.177.36,<JGDHDFTXYqa5HrEk>): Password mismatch (given password: old_password)
Feb 06 08:11:29 auth: Info: passwd-file([email protected],116.6.137.23): Password mismatch (given password: old_password)
Feb 06 08:14:01 auth: Info: passwd-file([email protected],81.1.195.136,<vhJ1OlTXhddRAcOI>): Password mismatch (given password: old_password)
Feb 06 08:14:07 auth: Info: passwd-file([email protected],81.1.195.136,<vhJ1OlTXhddRAcOI>): Password mismatch (given password: old_password)
Feb 06 08:14:22 auth: Info: passwd-file([email protected],93.87.40.41): Password mismatch (given password: old_password)
Feb 06 08:14:49 auth: Info: passwd-file([email protected],116.48.143.191): Password mismatch (given password: old_password)
Feb 06 08:32:00 auth: Info: passwd-file([email protected],221.130.137.194): Password mismatch (given password: old_password)
Feb 06 08:47:04 auth: Info: passwd-file([email protected],59.62.108.68): Password mismatch (given password: old_password)
Feb 06 08:48:59 auth: Info: passwd-file([email protected],140.207.41.182): Password mismatch (given password: old_password)
Feb 06 08:56:18 auth: Info: passwd-file([email protected],24.234.142.118): Password mismatch (given password: old_password)
Feb 06 08:58:10 auth: Info: passwd-file([email protected],114.104.159.233): Password mismatch (given password: old_password)
Feb 06 09:30:39 auth: Info: passwd-file([email protected],177.53.70.133): Password mismatch (given password: old_password)
Feb 06 09:31:35 auth: Info: passwd-file([email protected],194.250.15.169): Password mismatch (given password: old_password)
Feb 06 09:36:37 auth: Info: passwd-file([email protected],188.162.43.197): Password mismatch (given password: old_password)
Feb 06 09:48:26 auth: Info: passwd-file([email protected],177.53.69.243): Password mismatch (given password: old_password)
Feb 06 09:56:18 auth: Info: passwd-file([email protected],65.155.104.106): Password mismatch (given password: old_password)
Feb 06 09:59:59 auth: Info: passwd-file([email protected],91.227.28.137): Password mismatch (given password: old_password)
Feb 06 10:10:30 auth: Info: passwd-file([email protected],114.104.178.156): Password mismatch (given password: old_password)
Feb 06 10:20:16 auth: Info: passwd-file([email protected],41.215.147.90): Password mismatch (given password: old_password)
Feb 06 10:23:58 auth: Info: passwd-file([email protected],185.30.177.228,<u2I3C1bX1Oy5HrHk>): Password mismatch (given password: old_password)
Feb 06 10:37:45 auth: Info: passwd-file([email protected],177.53.68.52): Password mismatch (given password: old_password)
Feb 06 10:40:35 auth: Info: passwd-file([email protected],177.53.70.115): Password mismatch (given password: old_password)
Feb 06 10:43:44 auth: Info: passwd-file([email protected],218.77.60.249): Password mismatch (given password: old_password)
Feb 06 10:48:41 auth: Info: passwd-file([email protected],222.75.12.78): Password mismatch (given password: old_password)
Feb 06 10:51:17 auth: Info: passwd-file([email protected],191.5.53.2): Password mismatch (given password: old_password)
Feb 06 11:26:45 auth: Info: passwd-file([email protected],74.40.14.103): Password mismatch (given password: old_password)
Feb 06 11:29:22 auth: Info: passwd-file([email protected],90.160.140.66): Password mismatch (given password: old_password)
Feb 06 11:36:22 auth: Info: passwd-file([email protected],222.80.39.13): Password mismatch (given password: old_password)
Feb 06 11:43:14 auth: Info: passwd-file([email protected],75.130.48.82): Password mismatch (given password: old_password)
Feb 06 11:48:31 auth: Info: passwd-file([email protected],113.160.215.202): Password mismatch (given password: old_password)
Feb 06 12:10:18 auth: Info: passwd-file([email protected],91.121.250.243): Password mismatch (given password: old_password)
Feb 06 12:13:03 auth: Info: passwd-file([email protected],176.39.35.189,<lAVOkVfXCXawJyO9>): Password mismatch (given password: old_password)
Feb 06 12:13:23 auth: Info: passwd-file([email protected],36.91.145.5,<zlVtklfXBuMkW5EF>): Password mismatch (given password: old_password)
Feb 06 12:13:30 auth: Info: passwd-file([email protected],36.91.145.5,<zlVtklfXBuMkW5EF>): Password mismatch (given password: old_password)
Feb 06 12:30:01 auth: Info: passwd-file([email protected],119.60.255.30): Password mismatch (given password: old_password)
Feb 06 12:39:07 auth: Info: passwd-file([email protected],91.121.210.56,<quJ97lfX+7FbedI4>): Password mismatch (given password: old_password)
Feb 06 12:39:13 auth: Info: passwd-file([email protected],91.121.210.56,<quJ97lfX+7FbedI4>): Password mismatch (given password: old_password)
Feb 06 12:56:10 auth: Info: passwd-file([email protected],201.24.1.117,<JWJzK1jXKKnJGAF1>): Password mismatch (given password: old_password)
Feb 06 12:56:16 auth: Info: passwd-file([email protected],201.24.1.117,<JWJzK1jXKKnJGAF1>): Password mismatch (given password: old_password)
Feb 06 13:29:31 auth: Info: passwd-file([email protected],177.53.68.56): Password mismatch (given password: old_password)
Feb 06 13:33:55 auth: Info: passwd-file([email protected],221.130.137.194): Password mismatch (given password: old_password)
Feb 06 13:43:54 auth: Info: passwd-file([email protected],190.246.243.56): Password mismatch (given password: old_password)
Feb 06 13:47:58 auth: Info: passwd-file([email protected],23.105.171.85,<MC7E5FjXk9IXaatV>): Password mismatch (given password: old_password)
Feb 06 13:51:22 auth: Info: passwd-file([email protected],180.76.133.105): Password mismatch (given password: old_password)
Feb 06 13:56:51 auth: Info: passwd-file([email protected],177.53.68.98): Password mismatch (given password: old_password)
Feb 06 14:03:55 auth: Info: passwd-file([email protected],84.21.109.149,<2HzEHVnXO9tUFW2V>): Password mismatch (given password: old_password)
Feb 06 14:04:01 auth: Info: passwd-file([email protected],84.21.109.149,<2HzEHVnXO9tUFW2V>): Password mismatch (given password: old_password)
Feb 06 14:05:20 auth: Info: passwd-file([email protected],185.30.177.52,<YuPjIlnXYK65HrE0>): Password mismatch (given password: old_password)
Feb 06 14:12:27 auth: Info: passwd-file([email protected],191.102.120.63): Password mismatch (given password: old_password)
Feb 06 14:14:34 auth: Info: passwd-file([email protected],202.169.38.82): Password mismatch (given password: old_password)
Feb 06 14:15:23 auth: Info: passwd-file([email protected],106.52.186.37): Password mismatch (given password: old_password)
Feb 06 14:17:39 auth: Info: passwd-file([email protected],115.84.92.33): Password mismatch (given password: old_password)
Feb 06 14:35:51 auth: Info: passwd-file([email protected],3.145.66.78,<crL9j1nXYd0DkUJO>): Password mismatch (given password: old_password)
Feb 06 14:38:00 auth: Info: passwd-file([email protected],218.15.154.165): Password mismatch (given password: old_password)
Feb 06 14:39:19 auth: Info: passwd-file([email protected],177.53.70.230): Password mismatch (given password: old_password)
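The Dovecot auth log above is itself useful evidence: once the password has been changed, the old one acts as a honeytoken, because no legitimate client should ever present it again, so an IP that does can be banned on its first attempt instead of after a fail2ban retry threshold. As an added example (not from the original post and not Hestia's own fail2ban configuration), the script below parses a constructed sample in the same format, counts the distinct IPs presenting the leaked password per account, bans any untrusted IP on a single use of it, applies a normal failure threshold to other mismatches, and reports rather than bans a trusted network (a forgotten client on the owner's own network would also keep sending the old password). The trusted network, the threshold and the sample lines are assumptions; Dovecot only logs the "given password" part when auth_debug_passwords is enabled, as it evidently was on that server.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Constructed sample lines in the format of the Dovecot auth log excerpt above
# (placeholder users, IPs and passwords; not the original log).
SAMPLE_AUTH_LOG = """\
Feb 06 00:05:42 auth: Info: passwd-file(user@dom.ain,178.219.179.29,<OmkcaE3Xkdqy27Md>): Password mismatch (given password: old_password)
Feb 06 00:05:48 auth: Info: passwd-file(user@dom.ain,178.219.179.29,<OmkcaE3Xkdqy27Md>): Password mismatch (given password: old_password)
Feb 06 00:19:20 auth: Info: passwd-file(user@dom.ain,36.96.212.110): Password mismatch (given password: old_password)
Feb 06 00:26:25 auth: Info: passwd-file(user@dom.ain,50.209.130.129): Password mismatch (given password: old_password)
Feb 06 00:40:20 auth: Info: passwd-file(user@dom.ain,203.0.113.7): Password mismatch (given password: typo_pasword)
Feb 06 00:41:49 auth: Info: passwd-file(user@dom.ain,125.124.211.17): Password mismatch (given password: 123456)
Feb 06 00:42:10 auth: Info: passwd-file(other@dom.ain,125.124.211.17): Password mismatch (given password: 123456)
Feb 06 00:43:00 auth: Info: passwd-file(third@dom.ain,125.124.211.17): Password mismatch (given password: password)
"""

# passwd-file(user,ip[,<session>]): Password mismatch (given password: ...)
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) auth: Info: passwd-file\("
    r"(?P<user>[^,]+),(?P<ip>[^,)]+)(?:,<[^>]*>)?\): "
    r"Password mismatch \(given password: (?P<pw>.*)\)$"
)


class Attempt(NamedTuple):
    ts: str
    user: str
    ip: str
    password: str


def parse_auth_log(text: str) -> List[Attempt]:
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append(Attempt(m["ts"], m["user"], m["ip"], m["pw"]))
    return out


def summarize(attempts: Iterable[Attempt]) -> Dict[Tuple[str, str], dict]:
    """Per (user, password tried): attempt count, distinct source IPs, first/last seen."""
    summary: Dict[Tuple[str, str], dict] = {}
    for a in attempts:
        s = summary.setdefault((a.user, a.password),
                               {"attempts": 0, "ips": set(), "first": a.ts, "last": a.ts})
        s["attempts"] += 1
        s["ips"].add(a.ip)
        s["last"] = a.ts
    return summary


def ban_decisions(attempts: Iterable[Attempt], leaked: Dict[str, Set[str]],
                  trusted_nets: Iterable[str] = (), threshold: int = 3) -> Dict[str, str]:
    """Map source IP to a ban reason. A password known to be leaked is a honeytoken:
    one attempt from an untrusted IP is enough. Ordinary mismatches need `threshold`
    failures. Trusted networks are reported for review, never banned."""
    trusted = [ip_network(n) for n in trusted_nets]
    failures: Dict[str, int] = defaultdict(int)
    decisions: Dict[str, str] = {}
    for a in attempts:
        is_trusted = any(ip_address(a.ip) in n for n in trusted)
        if a.password in leaked.get(a.user, set()):
            decisions.setdefault(a.ip, "stale_client_review" if is_trusted else "leaked_credential")
            continue
        failures[a.ip] += 1
        if failures[a.ip] >= threshold and not is_trusted:
            decisions.setdefault(a.ip, "brute_force")
    return decisions


def iptables_rules(decisions: Dict[str, str]) -> List[str]:
    """Render bans as iptables commands; review entries are reported, not blocked."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # {reason}"
            for ip, reason in sorted(decisions.items()) if reason != "stale_client_review"]


if __name__ == "__main__":
    attempts = parse_auth_log(SAMPLE_AUTH_LOG)
    for (user, pw), s in summarize(attempts).items():
        print(f"{user} {pw!r}: {s['attempts']} attempts from {len(s['ips'])} IPs, {s['first']} .. {s['last']}")
    # Assumptions: the leaked credential is the old password of user@dom.ain and
    # 203.0.113.0/24 is the owner's own network.
    bans = ban_decisions(attempts, {"user@dom.ain": {"old_password"}}, trusted_nets=("203.0.113.0/24",))
    print("\n".join(iptables_rules(bans)))
```

The distinct-IP count per leaked password is the number to watch: a few hundred different sources presenting one exact password within days is a botnet replaying a shared credential, not a guessing attack, and that is what justifies a first-attempt ban rather than fail2ban's default retry window.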