
Have I Been Hacked? How Can I Tell?


If this is in the wrong forum, please move it.

 

I will try to keep the preamble short, but some background is necessary.

 

A little while ago I discovered that one of my accounts was suddenly using up Bandwidth at three times the normal amount. I checked, using all the tools I know of, and the extra seems to be POP related. I put in a Help Desk ticket, and was told that the excess 'seemed to be consumed by email', but that I could not look at the logs, because they are server-wide. OK. So I did further research for most of today, watching every mailbox in the account. Here is what I discovered:

 

Given: bandwidth numbers in cPanel are updated about every 6.5 hours

 

Between approximately 10:30am and 5:00pm (EDT) the Bandwidth consumed was 90.6mb (14 mb/hr)

 

During that time ALL the POP mail that came in, including that marked as SPAM, amounted to 3mb.

 

During that time the HTTP traffic (viewed and not viewed) was 17mb.

 

Since I am the only one with FTP access, I can say with some certainty that there was none. (If there was, by the way, how would I know? There doesn't seem to be a tool for monitoring FTP)

 

So: even if I triple the mail amount to allow for the POP mail that came in going back out to its recipients (even the SPAM, which did not go out and is normally Discarded) and a like amount for SMTP, the total should be

 

9mb (mail) + 17mb (http) = 26mb (4 mb/hr)

 

Where is the other 10 mb/hr going? How can I find out?

 

Is there anyone out there with any experience in this area?

 

Thank you in advance, anybody, for any insight. :lol:


I did talk to the Help Desk again, and they sent me a filtered log of all email through the account in the last few days. From it I learned a couple of things:

 

The log shows no origins or sizes, so in that regard it isn't much help for things like blacklisting. It also shows no recipient for mail identified as Spam and discarded, so it's no help in seeing who it's directed at. Basically, you have to capture all the mail and look at each piece to make any kind of determination. Lots of work, and spammers are crafty: I rarely got more than a couple from the same sender.

 

It did show the outgoing (smtp) side of things, which is something I couldn't see anywhere else. It wasn't of significant volume, and had no appreciable effect on the problem I think.

 

It also showed me that my research wasn't accurate, because many messages were dropped due to the mailbox being full. I hadn't set my box size large enough to accept the volume of mail that came in. So my numbers regarding mail I saw come in were too low.

 

In talking with the Help Desk, I determined that all mail that comes in, whether to real mailboxes, to non-existent recipients, or identified as spam, counts against bandwidth. To that extent, there's nothing I can do about it except shut down the domain. Not.

 

I've set SpamAssassin to a very restrictive filter, and directed all mail so identified to Discard. At least I won't take the hit for sending it back out to people.

 

In the end, I've decided that the account is just being spammed by some robot. The mail I collected and reviewed showed significant evidence of messages sent to a long list of non-existent names @domain.com. Sort of a try-every-combination-beginning-with-B thing. I've set the bandwidth limit high enough so the account won't get shut down while I'm not looking, and hope that it will stop when the robot gets to the end of the alphabet and moves on to someone else.

 

 

Thanks for asking. I hope this helps.

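One way to confirm the "try every name beginning with B" pattern described in the post above from a mail log. This is an added example for this thread, not code posted by the author or provided by cPanel; the log format and the recipient names are constructed, since the thread does not show the real log layout.

```python
import re
from collections import Counter

# Constructed sample log (hypothetical layout, not cPanel's or Exim's real format).
SAMPLE_LOG = """\
2009-05-12 10:31:02 delivered rcpt=<jim@domain.com>
2009-05-12 10:31:40 rejected rcpt=<barbara@domain.com> reason=unknown_user
2009-05-12 10:31:41 rejected rcpt=<barney@domain.com> reason=unknown_user
2009-05-12 10:31:43 rejected rcpt=<barry@domain.com> reason=unknown_user
2009-05-12 10:32:05 rejected rcpt=<bart@domain.com> reason=unknown_user
2009-05-12 10:32:09 rejected rcpt=<basil@domain.com> reason=unknown_user
2009-05-12 10:33:00 delivered rcpt=<sales@domain.com>
2009-05-12 10:33:30 rejected rcpt=<beatrice@domain.com> reason=unknown_user
2009-05-12 10:34:12 rejected rcpt=<ben@domain.com> reason=unknown_user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>delivered|rejected) rcpt=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>"
)

def parse_log(text):
    """Yield (verdict, local_part) for each line matching the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("verdict"), m.group("local").lower()

def harvest_report(text, min_unknown=5, min_initial_share=0.8):
    """Count deliveries vs. distinct unknown recipients and flag an alphabetical sweep.

    A directory-harvest run shows many distinct local parts rejected as unknown,
    clustered on one leading letter; normal traffic is spread across real mailboxes.
    """
    delivered = 0
    unknown = set()
    for verdict, local in parse_log(text):
        if verdict == "delivered":
            delivered += 1
        else:
            unknown.add(local)
    initials = Counter(local[0] for local in unknown)
    top_initial, top_count = initials.most_common(1)[0] if initials else ("", 0)
    share = top_count / len(unknown) if unknown else 0.0
    return {
        "delivered": delivered,
        "unknown_recipients": len(unknown),
        "top_initial": top_initial,
        "top_initial_share": round(share, 2),
        "harvest_suspected": len(unknown) >= min_unknown and share >= min_initial_share,
    }

if __name__ == "__main__":
    print(harvest_report(SAMPLE_LOG))
```

Every rejected recipient here still counted against the account's bandwidth, so the report quantifies the cost the Help Desk described rather than preventing it; that is what the :blackhole: setting in the next reply addresses.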

Jim,

 

You might already know this, but in your Default Address Maintenance, have you set all unrouted mail to go to :blackhole:? This will automatically discard anything that doesn't come to one of your legitimate addresses.
