User being elevated to domain admin as a result of a hack
Problem reported by Andrew Hiltz - May 30 at 5:25 AM
Resolved
Version 16.3.6989 running on 2012 R2.  We have an account that has been turned into a Domain Administrator twice over the last 3 days.  Both times spam emails end up in the inbox from "JP Momfort" even though any emails to this account are supposed to be forwarded to another account and then deleted.  In both cases I noticed that there was a "xxx-popLog.log" created and in both cases it contained the same message (not from the same ip address),  The error was, 

01:28:49 [54.167.30.32][60298714] Exception negotiating TLS session: System.ArgumentException: The path is not of a legal form.
   at System.IO.Path.LegacyNormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)
   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)
   at MailService.TcpServerLib.POP.POPSession.#jdb()

After the first change 3 days ago I deleted the account and recreated it with a new password.  I also changed the real domain admin's pwd even though there is no outside access possible to it.  Thoughts?

Is it possible to flag an account so that it can never be turned into a domain admin?

4 Replies

Reply to Thread
0
Tony Scholz Replied
Employee Post
Hello Andrew, 

This would be logged in the Administrative logs. Here is what it looks like.

  • [2019.06.04] 07:32:26 [66.210.242.255]User admin@emilystest.com calling update user, user: test@emilystest.com

Currently there is not a way to stop an account from being turned into an Admin. The Events will not track this either. Currently SmarterMail 16 is at "End of Life" so if any functionality was to be added to cover this it would be in the current releases. 

If the email was marked as spam there is a setting to not forward spam that can be adjusted. This is in the system admin panel 
  • Manage -> domain.tld 

Thank you
Tony Scholz
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Kyle Kerst Replied
Employee Post
I believe your best bet might be upgrading to the latest first to see if this issue persists. If it does, open a support ticket so we can investigate further. There isn't enough detail here to track this down further (the hack itself), and we'd definitely need to get eyes on your configuration to find out where this is coming from. External users should not be able to set the Domain Administrator flag without authenticating beforehand. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Andrew Hiltz Replied
To Tony:
There is nothing in the Admin log to show when they were elevated.  Only the next morning when I set them back to a normal user.
That explains the spam in their inbox.  Thank you

To Kyle:
I have read many concerns from other users about the stability of the latest version.  I'm not sure I want to upgrade to it at this point.

I have changed the config of Smartermail to run as a .NET 4.6 app (this has to be done for TLS 1.2) and removed TLS 1.0 and 1.1 from the server.  There have been 4 of these hack attempts since that time, but none have resulted in the user becoming an admin.
0
Kyle Kerst Replied
Employee Post
Hello Andrew. This is understandable as there were some concerns right after release, but I can confirm these have been almost entirely resolved, with upgrade issues being a rare sight at this point. Once upgraded; if these issues persist we can get them in front of development right away due to the supported framework. 

Additionally, I know that some security related areas were addressed and resolved in recent updates, and these won't be available in older versions due to them being end of life unfortunately. 

Please let me know if you have any outstanding questions. Have a great rest of your week!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread