About two years ago, one of my co-located web servers was hacked. I tracked the vulnerability down to a PHP script I was running, an old version of phpBB. The hacker basically used a hole to place a script on my server and execute it, which gave him full access to the server.
Luckily, he didn't do any damage; he simply installed a new website to be served off my box.
I was going through the logs one day, as I had seen my bandwidth usage skyrocket, and I found that he had installed a spoofed copy of another website on my server. Essentially it was an easy misspelling of an online store for watches, and I believe he was selling watches, collecting money, and obviously never sending anyone anything.
After I discovered this, I made a copy of everything he did (logs, scripts, the entire website), archived it, and sent it to my hosting provider.
I cleaned up his tracks, and began to secure my server.
As a result, I learned a lot about Linux security, and did several things:
- Tightened up my SSH security, including running it on a non-standard port.
- Chrooted Apache.
- Installed and configured Apache mod_security (which is amazing).
- Started running some log monitoring/intrusion detection scripts
- Killed any processes running on ports which I was not actively using
As a result, I have not been hacked since, and whenever anyone tries, I am alerted.
Some of the easiest ways your server can be hacked, if it is a standard web/email server, are through common script vulnerabilities. You should also take extra steps if you are running an email server to ensure you are not an open relay of any kind; the spammers will find you, and suddenly all email coming from your server will get blacklisted.
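The "log monitoring/intrusion detection scripts" item above is the kind of thing that produces the "whenever anyone tries, I am alerted" effect. As an added example (not the poster's own script), here is a minimal detector over OpenSSH auth.log lines: it flags any source IP that hits a failure threshold inside a sliding time window, and separately flags a successful login from an IP that was already flagged, which is the event that actually matters. The log lines, the threshold and the window are constructed for the example.

```python
"""Minimal SSH brute-force detector over auth.log-style lines.

Added example; not the poster's monitoring script. Assumes OpenSSH's default
"Failed password for ..." / "Accepted password for ..." syslog format. The
sample log below is constructed for the example, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog + OpenSSH format); addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:03 web1 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 02:14:05 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:08 web1 sshd[2237]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 02:14:11 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 51256 ssh2
Mar  3 02:14:15 web1 sshd[2241]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Mar  3 02:20:44 web1 sshd[2300]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 02:20:50 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar  3 03:55:10 web1 sshd[2500]: Failed password for root from 192.0.2.9 port 33333 ssh2
Mar  3 04:05:12 web1 sshd[2502]: Failed password for root from 192.0.2.9 port 33334 ssh2
"""

# Syslog has no year; the "invalid user" prefix appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None for lines we do not care about."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in log order.

    kind == "brute_force": an IP reached `threshold` failures inside `window`.
    kind == "success_after_brute_force": a later successful login from a flagged IP.
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip, "user": None, "ts": ev["ts"]})
        elif ip in flagged:
            # A success after a burst is the incident, not just the noise.
            alerts.append({"kind": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['kind']:28s} {a['ip']} {a['user'] or ''}")
```

Running it on the sample prints two alerts for 203.0.113.7: the burst itself, then the root password login that followed it. The single failure from 198.51.100.20 and the two failures from 192.0.2.9 (which are more than ten minutes apart) stay quiet, which is the point of the window: a real cron job running this over the live log should page on the second alert kind, not on every failed password.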
Best Answer
I personally have witnessed live, in-transit email interception. It was at a technical conference, and the session was all about sniffing networks. The instructor just fired her sniffer up on the conference wireless network and, within 15 minutes, had several POP3/SMTP authentication pairs complete with the retrieved and sent messages. These were laptops out in the conference halls polling their email over unencrypted protocols. Then, in the 15-30 minutes after the session, the attendees were doing the same thing once they had downloaded the right tools.
I would be very, very surprised if the same kinds of things are not ever done on our Campus WLAN.
As a side note, the instructor also admitted to sniffing her cable-neighbor's traffic. For educational purposes only.
In terms of SMTP processing, email is vastly more likely to be intercepted close to the endpoints. The interested parties are on either end of that conversation. In the middle, where the SMTP traffic is flowing over the greater Internet, the interested party is much more likely to be a government than evil hackers.
That said, the biggest interception cases are not grabbing the SMTP transaction in flight; they're grabbing the POP3/IMAP/SMTP/webmail login, which ensures complete interception ability in perpetuity (or at least until the password is changed). This is attempted daily on my network via phishing. Once credentials are leaked, email can be read willy-nilly or, more commonly, used to send spam by way of our trusted email servers.
To answer your questions, though:
1: Yes, this is a real problem. The biggest exposure is over untrusted (or trusted but unencrypted) wireless networks. And governments.
2: They're out there, but I'd have to google, and I'm lazy this Saturday morning. Intercepting actual SMTP transactions not at the endpoint is generally the purview of governments and corporate security. Hackers generally target mailboxes, not the transactions, as they're a much richer target.
3: Sniffing wireless networks for unencrypted email transactions is by FAR the easiest method. Think coffee-shop type setups. Lesser methods like suborning mail servers to grab messages are more theoretical than actual, though much more harmful when they do occur.
Stepping back one step to the topic of password reset emails, hackers who have compromised a mailbox can leverage such emails to compromise other sites. They compromise a Gmail account and, by looking at messages, realize that this person does a lot of business with a certain ecommerce site known to store credit-card information. They go to that site and go through the forgotten-password process (since a LOT of sites use the email address as the account name these days) and get the password reset email. They reset the password, which starts the timer on when the account owner will notice. Evil commences, especially if the ecommerce site is one that displays whole credit-card numbers in the profile.
The sad thing here is that it is entirely possible that the account-owner won't even see the inability to log in as a certain sign that evil has occurred. If they're not using a password-remembering program they could just chalk it up to creeping old age and just reset the password to one they know.
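The answer above describes a sniffer pulling "POP3/SMTP authentication pairs" off a conference WLAN. To make concrete why that takes minutes rather than skill, here is an added example (not the answerer's tooling) that pulls credentials out of the reassembled text of unencrypted mail sessions. The three sessions are constructed for the example; the only assumption is that a capture tool has already split the TCP stream into client (`C:`) and server (`S:`) lines. It handles the three forms a sniffer actually sees: POP3 `USER`/`PASS`, SMTP `AUTH PLAIN` (one base64 blob, RFC 4616 layout `authzid\0authcid\0password`) and SMTP `AUTH LOGIN` (username and password as two separate base64 lines). None of these is encryption; base64 is just an encoding.

```python
"""Recover credentials from cleartext POP3/SMTP sessions.

Added example, not the answerer's code. Sessions are constructed, not real
captures. Assumes the capture has been reassembled into lines prefixed
"C: " (client) and "S: " (server).
"""
import base64

# Constructed POP3 login over a plain TCP/110 session.
POP3_SESSION = """\
S: +OK POP3 server ready
C: USER alice@example.com
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 3 4021
C: QUIT
S: +OK Bye
"""

# Constructed SMTP submission with AUTH PLAIN. The blob decodes to "\0bob@example.com\0s3cr3t".
SMTP_PLAIN_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250-mail.example.com
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGJvYkBleGFtcGxlLmNvbQBzM2NyM3Q=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<bob@example.com>
S: 250 OK
"""

# Constructed SMTP submission with AUTH LOGIN; the 334 prompts are base64 "Username:" / "Password:".
SMTP_LOGIN_SESSION = """\
S: 220 mail.example.com ESMTP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Y2Fyb2w=
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQxMjM=
S: 235 2.7.0 Authentication successful
"""


def _b64(text):
    """Decode a base64 line to str; credentials in these mechanisms are UTF-8."""
    return base64.b64decode(text.strip()).decode("utf-8")


def extract_credentials(session_text):
    """Return [(protocol, mechanism, username, password), ...] found in one session.

    Only client lines are inspected; the server side never carries the secret.
    """
    client = [l[3:] for l in session_text.splitlines() if l.startswith("C: ")]
    found = []
    pop3_user = None
    i = 0
    while i < len(client):
        line = client[i]
        upper = line.upper()
        if upper.startswith("USER "):
            pop3_user = line[5:]
        elif upper.startswith("PASS ") and pop3_user is not None:
            found.append(("POP3", "USER/PASS", pop3_user, line[5:]))
            pop3_user = None
        elif upper.startswith("AUTH PLAIN"):
            # Initial response on the same line, or sent on the next line after a 334.
            parts = line.split(None, 2)
            blob = parts[2] if len(parts) == 3 else client[i + 1]
            if len(parts) != 3:
                i += 1
            _authzid, authcid, password = base64.b64decode(blob).split(b"\0", 2)
            found.append(("SMTP", "PLAIN", authcid.decode("utf-8"), password.decode("utf-8")))
        elif upper == "AUTH LOGIN" and i + 2 < len(client):
            found.append(("SMTP", "LOGIN", _b64(client[i + 1]), _b64(client[i + 2])))
            i += 2
        i += 1
    return found


if __name__ == "__main__":
    for session in (POP3_SESSION, SMTP_PLAIN_SESSION, SMTP_LOGIN_SESSION):
        for proto, mech, user, pw in extract_credentials(session):
            print(f"{proto:5s} {mech:10s} {user} : {pw}")
```

The only thing that defeats this is making the client refuse to authenticate before the connection is wrapped in TLS (POP3S/IMAPS/submission on 465, or `STARTTLS` with the "require" setting); a session that issues `STARTTLS` before `AUTH` yields nothing to the script, because the login happens inside the encrypted channel. Note that the example does not attempt CRAM-MD5 or similar challenge-response mechanisms: those hide the password from a passive sniffer, but the mailbox contents that follow are still in the clear without TLS, which is exactly the "retrieved and sent messages" the instructor was showing.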