Ostickets and mail server hacked

Hi there,

I come to you asking for urgent help. We installed a new server with email and osticket.
The server doesn't have anything else.

The server went down when trying to send lots of emails.
I'm trying to backtrace to see if the problem was osticket.

We have a cron job polling the tickets via IMAP.
The MySQL user only has access to the osticket database.
The only file that has 777 is cron.php.

Yesterday it was sending tons of emails from an account that isn't even in osticket.
It exists only as a user account.

We changed the email password and disabled osticket.
It returned to normal.

Using WinDiff, I checked for injected code. Nothing.

What could it be?? Could Osticket be the gateway??
What can we do to stop this from happening??

Please help us....

Comments

  • If the account that was sending the email isn't used in or for osTicket I'm not real sure why you would think that the two things are linked. Without logs, and/or forensically searching your server myself, it would be improper for me to really speculate on what happened. I mean it's possible that there is an unknown security exploit for the version of osTicket that you're running [which by the way you haven't given us] but it's also just as likely that another piece of installed software has an unpatched exploit, in my opinion.
  • If your server is only for OsTicket, why does it have other user accounts?
    Which, I'm guessing, didn't have a very secure password on publicly accessible ssh.
    If it doesn't have anything else, does that mean no firewall? What server OS is it?
  • That's what I thought, but I have to prove it. I think it was a hacked email account that generated the server flooding. The osticket is now separate on a different server and working by polling, so now that should be easy to prove in case this happens again.

    Thank you...

  • I'm not trying to sell anything here, but if you are looking for somebody to host the application for me, let me know. I know that servers get literally hammered all day long, and it takes quite some effort to make it secure. If you are interested, send me an email to "support@justcorebusiness.com", or look at our website www.justcorebusiness.com.
  • Or try out the professional hosted version of osTicket at: https://www.supportsystem.com which is run by the authors of osTicket to help support its continued development.