Summary of Issue: Email \ Security Issue
Incident Status: Resolved
Incident Priority: Priority 1 (Critical)
Impacted Audience: All Staff
Impact of Issue: Affects Organization
Event Start: 03-07-2019 @ 13:00 BST
Incident Last Updated: 17-07-2019 @ 13:18 BST
Estimated Event End: 26-07-2019 @ 13:00 BST
Affected Systems: Email Systems
This issue appears to have resolved itself. We are still unsure why it happened or what caused it. Our email system has been fine for over a week and we are satisfied that this issue will not cause it to go down again.
However, please raise a ticket if you encounter any additional issues with our email services.
Sorry for the inconvenience this issue has caused.
Our host has said that this issue may be caused by a malicious script on the server. However, we have found no evidence of such a script and we are continuing to investigate.
Our host has restored a backup, which has brought the email system back online again. However, until further notice, email services should be treated as "at risk".
Sorry for the inconvenience this ongoing issue is causing.
We are currently investigating a major problem with our email system. Last Sunday, someone gained unauthorized access to our server and deleted all mailboxes from the server. Our host ran scans on the system to check for spyware, but they came back clear. Our host was able to restore the server from a backup, and I changed the server root password and other system passwords.
However, the password change had little effect (even though we used a strong password), and the server has been attacked again; once again, our email system has been compromised. As far as we know, there has not been a data breach, as the hackers simply removed everyone's mailboxes from the server. Each mailbox is password protected, so whoever broke into the server would not have had access to individual email inboxes. However, we know that the unauthorized access to our server was performed using SSH (Secure Socket Layer, which is similar to the DOS interface on Windows operating systems). Even though we have changed the root password (which is the server master password), whoever attacked the server has somehow managed to break in again. We have checked the user list by running the following command:
cut -d: -f1 /etc/passwd
However, this did not throw up anything unusual, and at this moment in time we have no idea who is accessing the server or how they are getting into the system.
Our host is now aware of the problem and we hope to have this issue resolved as soon as we can. However, as this has now happened for the second Sunday in a row, IT Services have decided to keep this status report open, so that if there is a repeat of this issue we do not need to post a duplicate status report.
This means that our email system is currently at risk for all users, including the risk of further outages.
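The user-list command above only prints account names, which is not what a reviewer most needs when SSH access has survived a root password change. The script below is an added example, not part of this status report or of the host's tooling; it assumes a POSIX shell with awk and mktemp, and the passwd entries, home directory tree and key line it builds are constructed sample data. It goes beyond the page's single command by flagging any extra UID 0 account, accounts that have an interactive login shell, and accounts that carry an SSH authorized_keys file (keys keep working after a password change, so each one needs reviewing after a compromise).

```shell
#!/bin/sh
# Added example (not from the status report): audit a passwd file instead of
# only listing user names. Assumes POSIX sh with awk and mktemp. The passwd
# content and the authorized_keys line below are constructed for the demo.

# Accounts with UID 0: any of these has full root rights, whatever the root
# password is, so the expected output is exactly "root".
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts with an interactive login shell, i.e. candidates for SSH logins.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose home directory holds a non-empty SSH authorized_keys file.
# $2 is an optional path prefix so the check can run against a copied tree.
accounts_with_authorized_keys() {
    prefix=${2:-}
    awk -F: '{ print $1 ":" $6 }' "$1" | while IFS=: read -r user home; do
        if [ -s "$prefix$home/.ssh/authorized_keys" ]; then
            echo "$user"
        fi
    done
}

# Build a constructed fixture (passwd file plus fake home tree) in a temp dir
# and print its path. "svc-sync" is a constructed second UID 0 account that a
# plain name listing would not make stand out.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc-sync:x:0:1001:sync helper:/home/svc-sync:/bin/sh
EOF
    mkdir -p "$dir/home/alice/.ssh" "$dir/root"
    # Placeholder key line for the demo; not a real key.
    echo "ssh-ed25519 AAAAEXAMPLEKEY constructed@example" > "$dir/home/alice/.ssh/authorized_keys"
    echo "$dir"
}

# Run all three checks against a passwd file.
audit() {
    passwd_file=$1
    prefix=${2:-}
    echo "== UID 0 accounts (expect only root):"
    uid0_accounts "$passwd_file"
    echo "== accounts with a login shell:"
    login_shell_accounts "$passwd_file"
    echo "== accounts with an authorized_keys file:"
    accounts_with_authorized_keys "$passwd_file" "$prefix"
}

# With no arguments, audit the constructed fixture; otherwise audit the given
# passwd file, with an optional prefix for a copied filesystem tree.
if [ -n "${1:-}" ]; then
    audit "$1" "${2:-}"
else
    fixture=$(make_fixture)
    audit "$fixture/passwd" "$fixture"
    rm -rf "$fixture"
fi
```

Run it with no arguments to see the checks against the constructed fixture, or pass a passwd path (and, for a copied tree, the path prefix) to audit a real system. Anything other than root with UID 0, and any authorized_keys entry nobody can account for, should be removed before the system is declared recovered, since neither is affected by changing the root password.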
We’ll keep you posted on this issue.
Sorry for the inconvenience this causes.