Back to Community Threads
Can someone running SM take a look at something for me.
Problem reported by Dave - Today at 4:00 PM
Submitted
D
Can you check your administrative logs for the text
Connecting to hub
Search from mid Jan to now.
I started seeing it on a bunch of my machines and when I opened a ticket and asked it went from no big deal to check for compromise. 

Having a bit of a freakout right now.
I see these
[2026.02.02] 07:09:53.551 [64.111.92.34] Connecting to hub
[2026.02.02] 07:13:23.263 [85.215.228.53] Connecting to hub
[2026.02.02] 07:48:25.208 [64.111.92.34] Connecting to hub
[2026.02.02] 07:51:43.779 [64.111.92.34] Connecting to hub
[2026.02.02] 07:54:41.280 [64.111.92.34] Connecting to hub
[2026.02.02] 07:55:38.888 [85.215.228.53] Connecting to hub
[2026.02.02] 07:58:54.654 [85.215.228.53] Connecting to hub
[2026.02.02] 08:00:36.780 [64.111.92.34] Connecting to hub
[2026.02.02] 08:02:15.251 [85.215.228.53] Connecting to hub
[2026.02.02] 08:09:03.221 [85.215.228.53] Connecting to hub
[2026.02.02] 08:12:15.502 [64.111.92.34] Connecting to hub
[2026.02.02] 08:13:10.337 [64.111.92.34] Connecting to hub
[2026.02.02] 08:20:31.582 [85.215.228.53] Connecting to hub
[2026.02.02] 08:21:25.993 [85.215.228.53] Connecting to hub
[2026.02.02] 08:24:52.751 [64.111.92.34] Connecting to hub
[2026.02.02] 08:33:46.142 [85.215.228.53] Connecting to hub
[2026.02.02] 08:57:56.375 [64.111.92.34] Connecting to hub
J
J. LaDow Replied
Today at 4:04 PM
We have nothing of that in our logs - running build 9526 - went back 10 days.

What build are you on?

I would also say check for compromise, but first, I would block those IPs at your edge...
MailEnable survivor / convert --
D
Dave Replied
Today at 4:05 PM
9540
Crap it's showing in all our machines.
Sébastien Riccio Replied
Today at 4:12 PM
I also have plenty of these...

[2026.02.13] 23:41:32.558 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:32.731 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:33.412 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:37.000 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:37.342 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:37.720 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:42.538 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:43.885 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:44.093 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:45.591 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:46.013 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:46.962 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:47.210 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:47.277 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:47.476 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:48.134 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:48.203 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:54.922 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:55.980 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:59.242 [167.71.200.26] Connecting to hub
[2026.02.13] 23:42:05.970 [157.245.156.118] Connecting to hub
[2026.02.13] 23:42:15.026 [157.245.156.118] Connecting to hub
Sébastien Riccio System & Network Admin https://swisscenter.com
J
J. LaDow Replied
Today at 4:16 PM
The IP 85.215.228.53 has another SmarterMail server at the other end according to Shodan. No idea whether or not it's malicious - but somewhere in the exploits there was information relating to the attackers making changes to SM's HA configurations somehow - 

The other IP doesn't show much.
MailEnable survivor / convert --
Sébastien Riccio Replied
Today at 4:17 PM
It comes from the same IPs that triggered the "User @ failed force-reset-password" messages too.

Maybe they are only meaning attempts are made, but not that they succeed. I have no idea.
We don't even have a HA / hub configuration...

[2026.02.13] 12:46:36.879 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:37.604 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:42.273 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:45.606 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:49.169 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:51.087 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:52.167 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:52.323 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:56.063 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:58.470 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:58.515 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 22:49:03.082 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:38.674 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:48.847 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:52.357 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:58.574 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:58.833 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:09.054 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:10.353 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:13.327 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:17.694 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:20.217 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:37.493 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:37.808 [167.71.200.26] Connecting to hub
Sébastien Riccio System & Network Admin https://swisscenter.com
J
J. LaDow Replied
Today at 4:20 PM
Our IDS firewalled the 167.71.200.26 IP a while ago when the password reset vulnerability was exposed.

The other three in this thread haven't been seen in our logs (yet).

[edit] - 157.245.156.118 last appears 3 days ago trying to reset passwords. 

[note to self] seems our IDS trigger needs to be updated to the new log entry.
MailEnable survivor / convert --
Sébastien Riccio Replied
Today at 4:21 PM
I can find an ha-settings.json on our server though containing:

{
  "ClusterId": "some-uuid-string",
  "SharedSecret": "something",
  "TargetHubs": {}
}
No idea if it's normal on a non-clustered SmarterMail host.
Sébastien Riccio System & Network Admin https://swisscenter.com
Sébastien Riccio Replied
Today at 4:25 PM
Those "Connecting to hub" seems attempts related to this exploit:
https://www.vulncheck.com/blog/smartermail-connecttohub-rce-cve-2026-24423

If I understand correctly, if you have no "Volume mounts" configured with some hostile command lines, you are not compromised.
Sébastien Riccio System & Network Admin https://swisscenter.com
J
J. LaDow Replied
Today at 4:27 PM
Could be some benign logging like when we were seeing the incorrect log entry after the force-reset-password bug was fixed. The build that fixed it had a bad log entry - but the next version at least added the word "failed" -- 

I would still scan everything, check auto-runs, event-viewer logs, look for new files (this might take a couple scans because some of the attacks were leveraging "delays" between initial breakin/compromise and attack/pwn of the server)...
MailEnable survivor / convert --
D
Dave Replied
Today at 5:01 PM
It does not matter if the server has the ha-settings.json file or not.
The logs had the same connecting to hub in them.
Not all of our servers had that ha-settings.json but they all had the connecting to hub.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Set up SmarterMail as an IIS Site in IIS 8SmarterMail > Server Configuration and Management
Migrating SmarterMail to LinuxSmarterMail > Server Configuration and Management
Set up SmarterMail as an IIS Site in IIS 10SmarterMail > Server Configuration and Management
Upgrading SmarterMail (Domain Conversion)SmarterMail > Installation and Configuration
Email Migration Options to SmarterMail from an External MTA.SmarterMail > Installation and Configuration