Unknown user in users table, very odd, possible security hole

Jorge Bastos

Howdy,

I have a verrryyyyy odd thing happening.

I have a user, unknown, that is in my users table, for a domain that isn’t mine, and never was.

This record keeps having last_login fields updated, so someway he’s being able to log in, right?

Odd to see that the field after the datetime fields (that is the failed_login_count) is zero,

Is there any plugin or so to record the IP from which the logins are made?

Where to search for this possible breach?

Regards,


_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users

Re: Unknown user in users table, very odd, possible security hole

Maarten

I would start by checking the IP address that user logged in with.


On 02/08/2018 07:10 PM, Jorge Bastos wrote:

> Howdy,
>
> I have a verrryyyyy odd thing happening.
>
> I have a user, unknown, that is in my users table, for a domain that isn’t mine, and never was.
>
> This record keeps having last_login fields updated, so someway he’s being able to log in, right?
>
> Odd to see that the field after the datetime fields (that is the failed_login_count) is zero,
>
> Is there any plugin or so to record the IP from which the logins are made?
>
> Where to search for this possible breach?
>
> Regards,


Re: Unknown user in users table, very odd, possible security hole

Jorge Bastos

That’s what I would like to do, but where would I find that information?

In the users table it isn’t there, or I’m not searching in the correct place.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Maarten
Sent: Thursday, 8 February 2018 18:16
To: Roundcube Users mailing list
Subject: Re: [RCU] Unknown user in users table, very odd, possible security hole

> I would start by checking the IP address that user logged in with.


Re: Unknown user in users table, very odd, possible security hole

Hannu Hirvonen

On 08.02.2018 22:06, Jorge Bastos wrote:

> That’s what I would like to do, but where would I find that information?
>
> In the users table it isn’t there, or I’m not searching in the correct place.

Something like /var/log/roundcubemail/userlogins perhaps?

-- 
  Hannu Hirvonen ([hidden email], http://www.uwasa.fi/~hh/)
  Computer Centre, University of Vaasa, BOX 700, FI-65101 VAASA, Finland


Re: Unknown user in users table, very odd, possible security hole

Jorge Bastos

Oh,

Not in there, but you reminded me about:

// Log successful/failed logins to <log_dir>/userlogins or to syslog
$config['log_logins'] = true;

Just enabled it, let’s see…

The 2nd part of this is that I have users that have sieve rules with a redirect to strange emails, emails that are completely unknown to the account owner. There’s a hole somewhere… and I need to find it.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Hannu Hirvonen
Sent: Thursday, 8 February 2018 20:19
To: [hidden email]
Subject: Re: [RCU] Unknown user in users table, very odd, possible security hole

> Something like /var/log/roundcubemail/userlogins perhaps?

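An added example, not part of the original thread or of Roundcube: one way to audit the sieve redirects mentioned in the message above, listing every `redirect` action whose target lies outside the server's own domains. The function names, accounts and domains are constructed for illustration; how the scripts are loaded from your sieve storage is left to the caller.

```python
import re

# One token per match: "string", /* comment */, # comment, word or :tag, or ';'
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|/\*.*?\*/|#[^\n]*|(:?\w+)|;', re.S)

def redirect_targets(script):
    """Return [(address, keeps_local_copy)] for every redirect action in a script."""
    found, pending, copy = [], False, False
    for m in _TOKEN.finditer(script):
        text, word = m.group(0), m.group(2)
        if word and word.lower() == "redirect":
            pending, copy = True, False          # expect optional tags, then the address
        elif pending and word and word.startswith(":"):
            copy = copy or word.lower() == ":copy"
        elif pending and text.startswith('"'):
            found.append((re.sub(r"\\(.)", r"\1", m.group(1)), copy))
            pending = False
        elif not text.startswith(("#", "/*")):   # comments never end a command
            pending = False
    return found

def external_redirects(scripts, local_domains):
    """scripts maps account -> sieve source. Return redirects leaving local_domains."""
    report = []
    for owner, source in sorted(scripts.items()):
        for addr, copy in redirect_targets(source):
            domain = addr.rpartition("@")[2].lower()
            if domain not in local_domains:
                report.append((owner, addr, copy))
    return report

# Constructed sample scripts (hypothetical accounts and domains).
SAMPLE = {
    "alice@example.org": 'require ["fileinto"];\n'
                         '# redirect "old@example.net";\n'
                         'if header :contains "subject" "redirect" { fileinto "Lists"; }\n',
    "bob@example.org": 'require ["copy"];\nredirect :copy "collector@mail.example.net";\n',
    "carol@example.org": 'redirect "carol.home@example.org";\n',
}

if __name__ == "__main__":
    for owner, addr, copy in external_redirects(SAMPLE, {"example.org"}):
        print(f"{owner}: redirect to {addr} (keeps local copy: {copy})")
```

A redirect with `:copy` leaves mail in the owner's inbox as usual, so the account owner has no visible sign that a copy is leaving.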

Re: Unknown user in users table, very odd, possible security hole

Hannu Hirvonen

On 08.02.2018 22:34, Jorge Bastos wrote:

> Not in there, but you reminded me about:
>
> // Log successful/failed logins to <log_dir>/userlogins or to syslog

That's why I said "something like ...", might have been a bit clearer, of course :-)

-- 
  Hannu Hirvonen ([hidden email], http://www.uwasa.fi/~hh/)
  Computer Centre, University of Vaasa, BOX 700, FI-65101 VAASA, Finland
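
An added example, not part of the original thread or of Roundcube: once `log_logins` is enabled, the `userlogins` file can be reduced to the source IPs of successful logins by accounts outside your own domains. The line layout in the comments is an assumption to check against your own log; the function name, sample lines, accounts and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of <log_dir>/userlogins lines (verify against your own file):
# [DATE]: <sess> Successful login for USER (ID: N) from IP in session SID
# [DATE]: <sess> Failed login for USER from IP in session SID (error: N)
_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:\s+(?:<\w+>\s+)?(?P<result>Successful|Failed) login for "
    r"(?P<user>\S+)(?: \(ID: \d+\))? from (?P<ip>\S+)"
)

def foreign_logins(lines, own_domains):
    """Map user -> {ip: count} for successful logins by users outside own_domains."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = _LINE.match(line)
        if not m or m["result"] != "Successful":
            continue
        user = m["user"].lower()
        domain = user.rpartition("@")[2]
        # Accounts logged without a domain part are treated as local here.
        if "@" in user and domain not in own_domains:
            hits[user][m["ip"]] += 1
    return {user: dict(ips) for user, ips in hits.items()}

# Constructed sample lines (documentation IP ranges, hypothetical accounts).
SAMPLE_LOG = [
    "[08-Feb-2018 19:10:02 +0000]: <a1b2c3d4> Successful login for jorge@example.org "
    "(ID: 3) from 192.0.2.10 in session a1b2c3d4e5",
    "[08-Feb-2018 19:12:40 +0000]: <f0e1d2c3> Successful login for someone@elsewhere.example "
    "(ID: 41) from 198.51.100.7 in session f0e1d2c3b4",
    "[08-Feb-2018 19:13:05 +0000]: <0a0b0c0d> Failed login for someone@elsewhere.example "
    "from 203.0.113.9 in session 0a0b0c0d0e (error: 1)",
    "[09-Feb-2018 02:01:11 +0000]: Successful login for someone@elsewhere.example "
    "(ID: 41) from 198.51.100.7 in session 99aa88bb77",
]

if __name__ == "__main__":
    for user, ips in foreign_logins(SAMPLE_LOG, {"example.org"}).items():
        for ip, count in sorted(ips.items()):
            print(f"{user}: {count} successful login(s) from {ip}")
```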
