Re: [exim] Spam though my server

Author: Niels Dettenbach
Date:  
To: exim-users, Odhiambo Washington
Subject: Re: [exim] Spam though my server
On Tuesday, 19 February 2019, 11:38:22 CET, Odhiambo Washington via Exim-users wrote:
> How they end up hacking this account is something of a mystery now. This is
> the second time in as many months.

..."usually" they got the user's login credentials in some way.

From my experience, the most typical are:

- the user uses an easy-to-brute-force PW (Exim provides different limits to
make this more difficult, if configured/set in the config, but additional
firewall rules or an IPS may be required too to block massive brute forcing on
Exim via SMTP)

- the user's PW got hacked on a client in some way, or

- the same user's PW got discovered/"hacked" on a foreign website or internet
service

- the (usually encrypted) "password storage" (e.g. a SQL database, LDAP,
shadow or whatever) got "hacked"/copied and this PW was cracked. Attacks on
SQL databases behind any LAMP or similar web management tool, or by other web
applications which use the same database installation, seem very typical,
using insecure grants or security holes in the database or a LAMP stack.

- PW sniffed from a non-encrypted SMTP session with Exim (if allowed in Exim
and on the client)


This is just to point you in a few typical directions.

good luck,


niels.


--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
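The first point above (brute forcing of SMTP AUTH, which Exim's own limits only partly cover) is the one a defender can usually confirm from the mainlog. The following is an added example, not code from the original post or from the Exim project: it parses "authenticator failed" lines in Exim's mainlog format and flags two patterns, a single source IP hammering many logins in a short window, and a single account being tried from many source IPs. The log lines, addresses, usernames and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Exim mainlog style (assumed format; not from the post).
SAMPLE_LOG = """\
2019-02-19 10:00:01 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 10:00:03 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 10:00:05 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=bob)
2019-02-19 10:00:07 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=carol)
2019-02-19 10:00:09 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=dave)
2019-02-19 10:00:11 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=erin)
2019-02-19 10:30:00 login authenticator failed for (home) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 11:00:00 login authenticator failed for (x) [192.0.2.9]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 11:05:00 login authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
"""

# Matches "<timestamp> <authenticator> authenticator failed for <host> [<ip>]: ... (set_id=<user>)".
# Lines without a set_id (some authenticators omit it) are deliberately ignored.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?set_id=(?P<user>[^)]*)\)"
)


def parse_auth_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for each failed AUTH line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce_sources(events, max_failures=5, window=timedelta(minutes=10)):
    """Map source IP -> (peak failures in any window, distinct usernames in that window)
    for every IP whose peak exceeds max_failures. Sliding window over time-ordered attempts."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        best, best_users, start = 0, set(), 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_users = {u for _, u in attempts[start:end + 1]}
        if best > max_failures:
            flagged[ip] = (best, len(best_users))
    return flagged


def find_targeted_accounts(events, min_sources=3):
    """Map username -> number of distinct source IPs that failed against it,
    for accounts hit from at least min_sources addresses (distributed guessing)."""
    ips_by_user = defaultdict(set)
    for _, ip, user in events:
        ips_by_user[user].add(ip)
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    evts = parse_auth_failures(SAMPLE_LOG)
    print("brute-force sources:", find_bruteforce_sources(evts))
    print("targeted accounts:", find_targeted_accounts(evts))
```

On a real server you would feed the mainlog (or a tail of it) in place of SAMPLE_LOG and hand the flagged IPs to the firewall or IPS rules the post mentions, since Exim's per-connection limits alone do not stop a distributed attempt. The "targeted accounts" list is the more useful signal for the other points in the post: an account being tried from many unrelated addresses usually means the password leaked elsewhere, so resetting it matters more than blocking any single IP. For the last point (sniffed cleartext sessions), the Exim main option to review is auth_advertise_hosts, so that AUTH is only offered once TLS is established.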