Author Topic: how to immediately disconnect certain missused account ?  (Read 2491 times)

Offline Loriel

  • Newbie
  • *
  • Posts: 2
how to immediately disconnect certain missused account ?
« on: October 19, 2018, 11:25:55 AM »
Hello All,
 we are facing a phishing attack at our site. A lot of users was hijacked. The attacker sends thousands of themaleficent mails via our Roundcube server.
So, I can realise which user account it was (roundcube DB, table identities -> user_id -> table users -> username).
But, even if I changed the user password the attacker was still sending via roundcube. Even if I removed a session_id from  session table it was still sending it's damned spams.
The only thing that finally stopped the evil session was restart of the server  :(

Could you please advice the better way to terminate the evil session, or maybe there exist some more elegant way to kick-off the attacker?

Regards
Loriel

Offline alec

  • Hero Member
  • *****
  • Posts: 1,363
Re: how to immediately disconnect certain missused account ?
« Reply #1 on: October 20, 2018, 02:15:26 AM »
Maybe you should just restart the smtp server.

Offline Loriel

  • Newbie
  • *
  • Posts: 2
Re: how to immediately disconnect certain missused account ?
« Reply #2 on: October 21, 2018, 04:41:49 AM »
It does not help  :( .
We are using delivery scheme postfix at localhost (roundcube server itself),without autentication -> postfix at relayhost. Relayhost allows to relay from the roundcube server.
May be I should set up authorized SMTP at roundcube server?