Community Discussions and Support
Urgent: SMTP credentials hacked...

Hi All,

Just realized that someone is sending spam through my Mercury server. I blocked these mails for now (about 90 mails made it through) and it seems that they somehow are able to connect using a valid user + password combination. I do have session logs for such connections but I cannot see which user it is.

It starts with:

09:27:31.579: Connection from 96.57.204.226, Mon Sep 03 09:27:31 2012<lf>
09:27:31.579: << 220 mail.brlv.de ESMTP server ready.<cr><lf>
09:27:31.704: >> EHLO [100.0.0.200]<cr><lf>
09:27:31.704: << 250-mail.brlv.de Hello [100.0.0.200]; ESMTPs are:<cr><lf>250-TIME<cr><lf>
09:27:31.704: << 250-SIZE 30000000<cr><lf>
09:27:31.704: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
09:27:31.704: << 250-AUTH=LOGIN<cr><lf>
09:27:31.704: << 250 HELP<cr><lf>
09:27:32.985: >> AUTH CRAM-MD5<cr><lf>

After that, there are two lines with encoded strings which might be user and password?!

Then it continues with:

09:27:32.110: << 235 Authentication successful.<cr><lf>
09:27:32.297: >> MAIL FROM:<Hi-61223@astrazeneca.com><cr><lf>
...

How can I find out which user has been compromised?

Thanks

Konrad


This was posted on the Mercury mailing list as well, and the replies there were that the encoded reply from the client contains the username, which can be decoded using for instance this webtool:

http://opinionatedgeek.com/dotnet/tools/base64decode/

/Rolf 


Hi Rolf,

Yeah, I posted it in the list as well because this was a very critical issue for me...

Anyhow, the solution did not work because the user/password seems to be CRAM-MD5 encoded and so the base64 decoder does not really help...

Do you know how it is possible to determine which user has been compromised if something like this ever happens again?

Thanks

Konrad


Found the problem:

The base64 string for this particular user was not decodable using this website:

http://opinionatedgeek.com/dotnet/tools/base64decode/

I tried it with a few other users and they worked.

I found another website which was able to decode the string ;-)

So, problem solved and thanks to all of you!

Konrad


For the benefit of others, can you post a link to the other decode website please?


[quote user="PaulW"]For the benefit of others, can you post a link to the other decode website please?[/quote]

You are right ;-)

http://www.motobit.com/util/base64-decoder-encoder.asp

(just select "decode the data from a Base64 string (base64 decoding)" and you are good to go)

Konrad


I also want to encode username+password in my password file. I do not know how to use encode and decode in the mail server; can I find a guide/instruction somewhere? How do I encrypt my email login info? Thanks


I also want to encrypt my SMTP credentials, but I do not know how to use encode or decode here. Can I find a guide/instruction from anyone? Thank you


Usernames and passwords that are base64 encoded when transmitted are not secure; anyone can decode them. The base64 encoding is done automatically by the connecting software.

/Rolf 

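Worked example, added here as an illustration and not code from this thread or from Mercury: a small parser for Mercury-style session logs like the one Konrad posted, showing what each AUTH mechanism leaves in the log. It serves both Rolf's first reply (the client's encoded reply contains the username) and his last one (base64 is not protection). The log lines, host names, IP addresses, usernames and passwords below are constructed for the example. For AUTH LOGIN the two base64 lines decode straight to the username and the password. For AUTH CRAM-MD5 the client's base64 reply decodes to `username` followed by a space and the hex HMAC-MD5 of the server's challenge keyed with the password (RFC 2195), so the username is readable from the log but the password is not; the challenge/response pair can still be tested offline against candidate passwords, which the last function demonstrates. The decoder pads the input before decoding so a string with stripped `=` padding still decodes.

```python
import base64
import hashlib
import hmac
import re

# Mercury session log line: "<timestamp>: <<|>> <payload>", with the wire
# line ending shown as literal "<cr><lf>" tokens, as in the posted log.
LINE_RE = re.compile(r"^\S+: (<<|>>) (.*)$")
EOL_RE = re.compile(r"(<cr>|<lf>)+$")


def b64decode_lenient(text: str) -> bytes:
    """Base64-decode, tolerating stray whitespace and stripped '=' padding."""
    s = "".join(text.split())
    return base64.b64decode(s + "=" * (-len(s) % 4))


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): base64("<user> <hex HMAC-MD5(password, challenge)>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(challenge: bytes, digest_hex: str, password: str) -> bool:
    """Server side: recompute the HMAC for a candidate password and compare."""
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest_hex)


def guess_cram_md5_password(challenge: bytes, digest_hex: str, candidates):
    """Offline guessing: the log hides the password, but anyone holding the
    challenge/response pair can test candidate passwords without the server."""
    for pw in candidates:
        if cram_md5_verify(challenge, digest_hex, pw):
            return pw
    return None


def extract_auth(log_text: str) -> list:
    """Walk a session log and pull the identity out of every AUTH exchange."""
    results, state, current = [], None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Connection from ..." and other non-protocol lines
        direction, payload = m.group(1), EOL_RE.sub("", m.group(2)).strip()
        if direction == ">>" and payload.upper() == "AUTH LOGIN":
            current, state = {"mechanism": "LOGIN"}, "login-user"
        elif direction == ">>" and payload.upper() == "AUTH CRAM-MD5":
            current, state = {"mechanism": "CRAM-MD5"}, "cram-challenge"
        elif state == "login-user" and direction == ">>":
            current["username"] = b64decode_lenient(payload).decode(errors="replace")
            state = "login-pass"
        elif state == "login-pass" and direction == ">>":
            current["password"] = b64decode_lenient(payload).decode(errors="replace")
            state = "done"
        elif state == "cram-challenge" and direction == "<<" and payload.startswith("334 "):
            current["challenge"] = b64decode_lenient(payload[4:])
            state = "cram-response"
        elif state == "cram-response" and direction == ">>":
            user, _, digest = b64decode_lenient(payload).decode(errors="replace").rpartition(" ")
            current["username"], current["digest"] = user, digest
            state = "done"
        elif state == "done" and direction == "<<":
            current["result"] = payload[:3]  # 235 = success, 535 = failure
            results.append(current)
            state, current = None, None
    return results


# Constructed sample log (hosts, addresses and credentials are made up).
CHALLENGE = b"<1346664601.12345@mail.example.net>"
CHALLENGE_B64 = base64.b64encode(CHALLENGE).decode()
RESPONSE_B64 = cram_md5_response("bob", "hunter2", CHALLENGE)
SAMPLE_LOG = f"""\
09:27:31.579: Connection from 203.0.113.5, Mon Sep 03 09:27:31 2012<lf>
09:27:31.579: << 220 mail.example.net ESMTP server ready.<cr><lf>
09:27:31.704: >> EHLO [192.0.2.10]<cr><lf>
09:27:31.704: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
09:27:32.985: >> AUTH LOGIN<cr><lf>
09:27:33.000: << 334 VXNlcm5hbWU6<cr><lf>
09:27:33.100: >> YWxpY2U=<cr><lf>
09:27:33.100: << 334 UGFzc3dvcmQ6<cr><lf>
09:27:33.200: >> czNjcjN0<cr><lf>
09:27:33.300: << 235 Authentication successful.<cr><lf>
09:30:01.000: Connection from 198.51.100.7, Mon Sep 03 09:30:01 2012<lf>
09:30:01.100: >> AUTH CRAM-MD5<cr><lf>
09:30:01.200: << 334 {CHALLENGE_B64}<cr><lf>
09:30:01.300: >> {RESPONSE_B64}<cr><lf>
09:30:01.400: << 235 Authentication successful.<cr><lf>
"""

if __name__ == "__main__":
    for s in extract_auth(SAMPLE_LOG):
        print(s["mechanism"], s["username"], s.get("password", "<not in log>"), s["result"])
```

Run against a real Mercury session log, `extract_auth` answers Konrad's question directly (which account authenticated in a given session) without any web tool; the `guess_cram_md5_password` call shows why a leaked CRAM-MD5 exchange is still worth rotating the password for.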