User being elevated to domain admin as a result of a hack
Problem reported by Andrew Hiltz - 5/30/2019 at 5:25 AM
Resolved
Version 16.3.6989 running on 2012 R2. We have an account that has been turned into a Domain Administrator twice over the last 3 days. Both times spam emails end up in the inbox from "JP Momfort" even though any emails to this account are supposed to be forwarded to another account and then deleted. In both cases I noticed that there was a "xxx-popLog.log" created and in both cases it contained the same message (not from the same IP address). The error was:

01:28:49 [54.167.30.32][60298714] Exception negotiating TLS session: System.ArgumentException: The path is not of a legal form.
   at System.IO.Path.LegacyNormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)
   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)
   at MailService.TcpServerLib.POP.POPSession.#jdb()

After the first change 3 days ago I deleted the account and recreated it with a new password.  I also changed the real domain admin's pwd even though there is no outside access possible to it.  Thoughts?

Is it possible to flag an account so that it can never be turned into a domain admin?

4 Replies

Tony Scholz Replied
Employee Post
Hello Andrew, 

This would be logged in the Administrative logs. Here is what it looks like.

  • [2019.06.04] 07:32:26 [66.210.242.255]User admin@emilystest.com calling update user, user: test@emilystest.com

Currently there is not a way to stop an account from being turned into an Admin. The Events will not track this either. Currently SmarterMail 16 is at "End of Life" so if any functionality was to be added to cover this it would be in the current releases. 

If the email was marked as spam there is a setting to not forward spam that can be adjusted. This is in the system admin panel 
  • Manage -> domain.tld 

Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
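An added example, not code from this thread or from SmarterTools: it parses the two log formats quoted above (the per-account popLog in the original post and the administrative log entry in this reply) over constructed sample lines, counts TLS-negotiation failures per client IP, and flags any "update user" call made from outside an admin IP allow-list. The allow-list, addresses and mailbox names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (RFC 5737 test addresses) in the two SmarterMail
# log formats quoted in this thread: the per-account popLog and the
# administrative log.
POP_LOG = """\
01:28:49 [203.0.113.5][60298714] Exception negotiating TLS session: System.ArgumentException: The path is not of a legal form.
01:28:51 [203.0.113.5][60298715] Exception negotiating TLS session: System.ArgumentException: The path is not of a legal form.
01:29:10 [198.51.100.7][60298720] Exception negotiating TLS session: System.ArgumentException: The path is not of a legal form.
01:31:00 [192.0.2.44][60298731] Connection closed by client
"""

ADMIN_LOG = """\
[2019.06.04] 07:32:26 [192.0.2.10]User admin@example.com calling update user, user: test@example.com
[2019.06.04] 02:15:03 [203.0.113.5]User test@example.com calling update user, user: test@example.com
"""

# popLog: "HH:MM:SS [client ip][session id] message"
POP_RE = re.compile(r"^(\d\d:\d\d:\d\d) \[([^\]]+)\]\[(\d+)\] (.*)$")
# admin log: "[YYYY.MM.DD] HH:MM:SS [ip]User <actor> calling update user, user: <target>"
ADMIN_RE = re.compile(
    r"^\[(\d{4}\.\d\d\.\d\d)\] (\d\d:\d\d:\d\d) \[([^\]]+)\]"
    r"User (\S+) calling update user, user: (\S+)$"
)


def tls_failures_by_ip(pop_log: str) -> Counter:
    """Count 'Exception negotiating TLS session' lines per client IP."""
    counts = Counter()
    for line in pop_log.splitlines():
        m = POP_RE.match(line)
        if m and m.group(4).startswith("Exception negotiating TLS session"):
            counts[m.group(2)] += 1
    return counts


def suspicious_user_updates(admin_log: str, trusted_ips: set) -> list:
    """Return (date, time, ip, actor, target) for every 'update user' call
    made from an IP outside the admin allow-list (assumed allow-list)."""
    hits = []
    for line in admin_log.splitlines():
        m = ADMIN_RE.match(line)
        if m and m.group(3) not in trusted_ips:
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    print(tls_failures_by_ip(POP_LOG).most_common())
    print(suspicious_user_updates(ADMIN_LOG, {"192.0.2.10"}))
```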
Kyle Kerst Replied
Employee Post
I believe your best bet might be upgrading to the latest first to see if this issue persists. If it does, open a support ticket so we can investigate further. There isn't enough detail here to track this down further (the hack itself), and we'd definitely need to get eyes on your configuration to find out where this is coming from. External users should not be able to set the Domain Administrator flag without authenticating beforehand. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Andrew Hiltz Replied
To Tony:
There is nothing in the Admin log to show when they were elevated.  Only the next morning when I set them back to a normal user.
That explains the spam in their inbox.  Thank you

To Kyle:
I have read many concerns from other users about the stability of the latest version.  I'm not sure I want to upgrade to it at this point.

I have changed the config of Smartermail to run as a .NET 4.6 app (this has to be done for TLS 1.2) and removed TLS 1.0 and 1.1 from the server.  There have been 4 of these hack attempts since that time, but none have resulted in the user becoming an admin.
Kyle Kerst Replied
Employee Post
Hello Andrew. This is understandable as there were some concerns right after release, but I can confirm these have been almost entirely resolved, with upgrade issues being a rare sight at this point. Once upgraded, if these issues persist we can get them in front of development right away due to the supported framework.

Additionally, I know that some security related areas were addressed and resolved in recent updates, and these won't be available in older versions due to them being end of life unfortunately. 

Please let me know if you have any outstanding questions. Have a great rest of your week!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com