
Hello everyone,

Looking for advice on what to do! I have limited knowledge on servers and such.

So recently my mum was getting hundreds of emails from postmaster and mail delivery services saying that certain emails couldn't be delivered and we assumed this was spam. We increased the spam protection on the ionos email hosting and they seemed to stop coming. Next we got the following message from ionos...

I rang them up today and they said they can't offer any help as they just manage the hosting but they could give us more details as to what's going on, this is what they said...

Has anyone got any idea what could be happening here? Could someone be hosting an email address from our server?

Additional information:

Ionos host our email and web server. As far as I'm aware they are separate servers (email goes through imap.ionos.co.uk)

The first 6 digits of the IP address match the one of our web server but not the last 4 and I can't seem to find a separate server within windows server manager.

Any help would be greatly appreciated!

Many thanks,

Lewis :)

Link to comment
https://linustechtips.com/topic/1279953-possible-server-breach/
Share on other sites

Link to post
Share on other sites

27 minutes ago, Lewiscpullan said:

email and web server

Do you have a full-time system admin? If not, it's probably been compromised already. Email servers are always in high demand to act as proxies for spam.

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e-mail will alert me.


3 hours ago, Lewiscpullan said:

So recently my mum was getting hundreds of emails from postmaster and mail delivery services saying that certain emails couldn't be delivered and we assumed this was spam. We increased the spam protection on the ionos email hosting and they seemed to stop coming. Next we got the following message from ionos..

I would bet that the credentials of the email account have been compromised. The company receiving the malicious emails submitted an abuse report to IONOS and blocked the email address on their mail server, resulting in the delivery failure every time a malicious email is sent to that particular company's domain.

3 hours ago, Lewiscpullan said:

I rang them up today and they said they can't offer any help as they just manage the hosting but they could give us more details as to what's going on, this is what they said...

It looks like they provided you with a copy of the abuse report. The IP mentioned is likely associated with IONOS's mail servers, this is why it shares a similar IP range to your web server.

Make sure to quote me or use @PorkishPig to notify me that you replied!

Desktop

CPU - Ryzen 9 3900X | Cooler - Noctua NH-D15 | Motherboard - ASUS TUF X570-PLUS RAM - Corsair Vengeance LPX DDR4-3200 32GB Case - Meshify C

GPU - RTX 3080 FE PSU - Straight Power 11 850W Platinum Storage - 980 PRO 1TB, 960 EVO 500GB, S31 1TB, MX500 500GB | OS - Windows 11 Pro

 

Homelab

CPU - Core i5-11400 | Cooler - Noctua NH-U12S | Motherboard - ASRock Z590M-ITX RAM - G.Skill Ripjaws V DDR4-3600 32GB (2x16)  | Case - Node 304

PSU - EVGA B3 650W | Storage - 860 EVO 256GB, Sabrent Rocket 4.0 1TB, WD Red 4TB (x6 in RAIDZ1 w/ LSI 9207-8i) | OS - TrueNAS Scale (Debian)


20 minutes ago, PorkishPig said:

I would bet that the credentials of the email account have been compromised, and emails have silently been sent via POP3/IMAP. The company receiving the malicious emails submitted an abuse report to IONOS and blocked the email address on their webserver, resulting in the delivery failure every time a malicious email is sent to that particular company's domain.

It looks like they provided you with a copy of the abuse report. The IP mentioned is likely associated with IONOS's email servers, this is why it shares a similar IP range to your web server.

On a side note, you may want to censor your mom's email address and ticket numbers. This is a public forum after all.

Thank you! We have changed the password on the account and we haven't had any more recently, so hopefully that has done the trick. It just seemed odd the way they informed us, as they are hosting our emails and it would seem like they should just tell us that it was the email and not point towards our servers? Maybe I just took it wrong. We will work through all the other email accounts and change those passwords too. Do you think this will be enough or do you believe we should take any further action?


32 minutes ago, Radium_Angel said:

Do you have a full-time system admin? If not, it's probably been compromised already. Email servers are always in high demand to act as proxies for spam.

We have a guy who set up the website and server but I don't think he regularly checks the server? So do you think this is to do with the email server rather than the main server, as the emails should be managed by ionos?


4 minutes ago, Lewiscpullan said:

We have a guy who set up the website and server but I don't think he regularly checks the server? So do you think this is to do with the email server rather than the main server, as the emails should be managed by ionos?

Personally, I'd take *both* servers offline until you can find someone proper to do a security check and harden the system.


2 hours ago, Lewiscpullan said:

it would seem like they should just tell us that it was the email and not point towards our servers?

Since your mail server is hosted by IONOS, they simply informed you that an email address associated with your account was sending malicious emails. The reason an IP address was brought up at all was because they were providing the full abuse report they received, this is why they could not provide any additional information.

2 hours ago, Lewiscpullan said:

We will work through all the other email accounts and change those passwords too. Do you think this will be enough or do you believe we should take any further action?

If your mom reuses her passwords for any other IONOS services, make sure that they are changed. Based on the screenshots you provided, I doubt your web server was compromised.

Make sure to quote me or use @PorkishPig to notify me that you replied!


1 hour ago, Radium_Angel said:

Personally, I'd take *both* servers offline until you can find someone proper to do a security check and harden the system.

I was thinking about doing this. All seems to be fine at the moment, but I think I will look into making sure the website and server are fully secure and start to frequently change passwords. Been a bit of a wake-up call to learn more about cyber security...


1 hour ago, PorkishPig said:

Since your mail server is hosted by IONOS, they simply informed you that an email address associated with your account was sending malicious emails. The reason an IP address was brought up at all was because they were providing the full abuse report they received, this is why they could not provide any additional information.

If your mom reuses her passwords for any other IONOS services, make sure that they are changed. Based on the screenshots you provided, I doubt your web server was compromised.

We don't reuse the passwords, we try to create fairly random and hard to guess passwords. Thank you so much for your help!


28 minutes ago, zhnu said:

Start here, it really helps for checking:
https://mxtoolbox.com/emailhealth/safeopportunities.co.uk/

I don't see a lot wrong. You shouldn't need DMARC; that should be handled by your provider. mx00.1and1.co.uk and mx01.1and1.co.uk seem to belong to IONOS, so no problem there. The SPF value should be filled:
https://www.ionos.com/help/domains/configuring-mail-servers-and-other-related-records/using-an-spf-record-to-prevent-spam/
Thanks a lot! Just out of interest how did you know the Domain, I removed the domain info from the post 😛

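As an added example (not code from the thread or from IONOS), a small linter for a published SPF TXT record that checks the things a mail-health tool like the one linked above reports: the version tag, the DNS-lookup limit, and whether the closing `all` term actually rejects unlisted senders. The sample records and the `_spf.ionos.example` include domain are constructed placeholders, not the provider's real values.

```python
"""Lint an SPF TXT record for the problems a mail-health checker reports."""
import re

# Mechanisms/modifiers that each cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records; the include domain is a placeholder, not IONOS's real value.
SAMPLE_RECORDS = {
    "good":    "v=spf1 include:_spf.ionos.example -all",
    "open":    "v=spf1 a mx include:_spf.ionos.example +all",
    "missing": "v=spf1 a mx",
    "bad_tag": "spf1 -all",
}


def lint_spf(record: str) -> dict:
    """Return validity, DNS-lookup count, the qualifier on 'all', and a list of findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None,
                "findings": ["record does not start with v=spf1"]}
    lookups, all_qualifier, findings = 0, None, []
    for term in terms[1:]:
        qualifier = "+"                      # SPF default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name is everything before ':' '/' or '=' (e.g. include:x, a/24, redirect=x)
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and should be removed")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(label, lint_spf(rec))
```

A clean SPF record would not have stopped this particular incident: mail sent with stolen credentials through the provider's own relay passes SPF, so the password reset and review of the other mailboxes remains the actual fix.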

29 minutes ago, zhnu said:

Because I read the log you posted. You should clear that; it contains personal info. Also, for the website in question, you should see if you can update from Microsoft-IIS/8.5 and hide the server header (this makes the server easier to attack because it tells people what CVE they should look for):

https://improveandrepeat.com/2020/01/how-to-remove-the-server-header-in-iis-8-5/
Ahh thanks everyone for your help, I will remove this thread now and get in touch with you guys if I need more help thanks so much!
