Can someone running SM take a look at something for me?
Problem reported by Dave - Today at 4:00 PM
Can you check your administrative logs for the text
Connecting to hub
Search from mid Jan to now.
I started seeing it on a bunch of my machines, and when I opened a ticket and asked, it went from "no big deal" to "check for compromise".

Having a bit of a freakout right now.
I see these:
[2026.02.02] 07:09:53.551 [64.111.92.34] Connecting to hub
[2026.02.02] 07:13:23.263 [85.215.228.53] Connecting to hub
[2026.02.02] 07:48:25.208 [64.111.92.34] Connecting to hub
[2026.02.02] 07:51:43.779 [64.111.92.34] Connecting to hub
[2026.02.02] 07:54:41.280 [64.111.92.34] Connecting to hub
[2026.02.02] 07:55:38.888 [85.215.228.53] Connecting to hub
[2026.02.02] 07:58:54.654 [85.215.228.53] Connecting to hub
[2026.02.02] 08:00:36.780 [64.111.92.34] Connecting to hub
[2026.02.02] 08:02:15.251 [85.215.228.53] Connecting to hub
[2026.02.02] 08:09:03.221 [85.215.228.53] Connecting to hub
[2026.02.02] 08:12:15.502 [64.111.92.34] Connecting to hub
[2026.02.02] 08:13:10.337 [64.111.92.34] Connecting to hub
[2026.02.02] 08:20:31.582 [85.215.228.53] Connecting to hub
[2026.02.02] 08:21:25.993 [85.215.228.53] Connecting to hub
[2026.02.02] 08:24:52.751 [64.111.92.34] Connecting to hub
[2026.02.02] 08:33:46.142 [85.215.228.53] Connecting to hub
[2026.02.02] 08:57:56.375 [64.111.92.34] Connecting to hub

J. LaDow Replied
We have nothing of that in our logs - running build 9526 - went back 10 days.

What build are you on?

I would also say check for compromise, but first, I would block those IPs at your edge...
MailEnable survivor / convert --
Dave Replied
9540
Crap, it's showing on all our machines.

Sébastien Riccio Replied
I also have plenty of these...

[2026.02.13] 23:41:32.558 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:32.731 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:33.412 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:37.000 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:37.342 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:37.720 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:42.538 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:43.885 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:44.093 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:45.591 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:46.013 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:46.962 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:47.210 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:47.277 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:47.476 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:48.134 [167.71.200.26] Connecting to hub
[2026.02.13] 23:41:48.203 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:54.922 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:55.980 [157.245.156.118] Connecting to hub
[2026.02.13] 23:41:59.242 [167.71.200.26] Connecting to hub
[2026.02.13] 23:42:05.970 [157.245.156.118] Connecting to hub
[2026.02.13] 23:42:15.026 [157.245.156.118] Connecting to hub
Sébastien Riccio System & Network Admin https://swisscenter.com
J. LaDow Replied
The IP 85.215.228.53 has another SmarterMail server at the other end according to Shodan. No idea whether or not it's malicious - but somewhere in the exploits there was information relating to the attackers making changes to SM's HA configurations somehow.

The other IP doesn't show much.
MailEnable survivor / convert --
Sébastien Riccio Replied
It comes from the same IPs that triggered the "User @ failed force-reset-password" messages too.

Maybe they only mean that attempts are made, not that they succeed. I have no idea.
We don't even have an HA / hub configuration...

[2026.02.13] 12:46:36.879 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:37.604 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:42.273 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:45.606 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:49.169 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:51.087 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:52.167 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:52.323 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:56.063 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:58.470 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 12:46:58.515 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 22:49:03.082 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:38.674 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:48.847 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:52.357 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:58.574 [167.71.200.26] Connecting to hub
[2026.02.13] 22:49:58.833 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:09.054 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:10.353 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:13.327 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:17.694 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:20.217 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:37.493 [167.71.200.26] Connecting to hub
[2026.02.13] 22:50:37.808 [167.71.200.26] Connecting to hub
Sébastien Riccio System & Network Admin https://swisscenter.com
J. LaDow Replied
Our IDS firewalled the 167.71.200.26 IP a while ago when the password reset vulnerability was exposed.

The other three in this thread haven't been seen in our logs (yet).

[edit] - 157.245.156.118 last appears 3 days ago trying to reset passwords. 

[note to self] seems our IDS trigger needs to be updated to the new log entry.
MailEnable survivor / convert --
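A defender-side triage script for the log format quoted in this thread, added here as an example (it is not code from SmarterMail or from any poster). It parses administrative-log lines of the shape `[YYYY.MM.DD] HH:MM:SS.mmm [ip] message`, keeps only the two messages discussed above ("Connecting to hub" and "failed force-reset-password") from a chosen date onward, and reports per-source-IP counts with first and last seen, which is the kind of trigger an IDS rule would need. The sample log lines are constructed from the format and IPs the posters quoted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape of the administrative log excerpts quoted in this thread:
# [YYYY.MM.DD] HH:MM:SS.mmm [source-ip] message
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\] (?P<msg>.*)$"
)
# Substrings discussed in the thread; each deserves its own IDS trigger.
SUSPECT = {"Connecting to hub": "hub-connect",
           "failed force-reset-password": "password-reset"}

def parse_line(line):
    """Return (timestamp, ip, message), or None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y.%m.%d %H:%M:%S.%f")
    return ts, m["ip"], m["msg"]

def triage(lines, since):
    """Group suspect entries at/after `since`: {ip: {label: {count, first, last}}}."""
    report = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        label = next((lbl for needle, lbl in SUSPECT.items() if needle in msg), None)
        if label is None or ts < since:
            continue
        e = report[ip].setdefault(label, {"count": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return dict(report)

# Constructed sample in the thread's log format, using the IPs the posters quoted.
SAMPLE_LOG = """\
[2026.01.10] 09:00:00.000 [64.111.92.34] Connecting to hub
[2026.02.02] 07:09:53.551 [64.111.92.34] Connecting to hub
[2026.02.02] 07:13:23.263 [85.215.228.53] Connecting to hub
[2026.02.02] 07:48:25.208 [64.111.92.34] Connecting to hub
[2026.02.13] 12:46:36.879 [167.71.200.26] User @ failed force-reset-password
[2026.02.13] 22:49:03.082 [167.71.200.26] Connecting to hub
not a log entry
"""

def sample_report():
    # "Search from mid Jan to now", as the first post asks.
    return triage(SAMPLE_LOG.splitlines(), since=datetime(2026, 1, 15))
```

Pointing `triage()` at real log lines and then blocking or investigating the reported IPs is the same edge-block-then-check-for-compromise sequence recommended earlier in the thread.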
Sébastien Riccio Replied
I can find an ha-settings.json on our server, though, containing:

{
  "ClusterId": "some-uuid-string",
  "SharedSecret": "something",
  "TargetHubs": {}
}
No idea if it's normal on a non-clustered SmarterMail host.
Sébastien Riccio System & Network Admin https://swisscenter.com
Sébastien Riccio Replied
Those "Connecting to hub" entries seem to be attempts related to this exploit:
https://www.vulncheck.com/blog/smartermail-connecttohub-rce-cve-2026-24423

If I understand correctly, if you have no "Volume mounts" configured with some hostile command lines, you are not compromised.
Sébastien Riccio System & Network Admin https://swisscenter.com
J. LaDow Replied
Could be some benign logging, like when we were seeing the incorrect log entry after the force-reset-password bug was fixed. The build that fixed it had a bad log entry - but the next version at least added the word "failed".

I would still scan everything, check auto-runs, event-viewer logs, look for new files (this might take a couple scans because some of the attacks were leveraging "delays" between initial breakin/compromise and attack/pwn of the server)...
MailEnable survivor / convert --
Dave Replied
It does not matter if the server has the ha-settings.json file or not.
The logs had the same "Connecting to hub" in them.
Not all of our servers had that ha-settings.json, but they all had the "Connecting to hub".
