Skip to main content

Cpanel blacklisting itself

Comments

10 comments

  • cPRex Jurassic Moderator
    Hey there! The data you've provided in /var/log/maillog would be everything the system has related to that transaction. Usually there are 3-4 lines per attempt though that look something like this, the following being an example of the cPanel monitoring system checking the dovecot tool: Jan 11 02:10:49 host dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session= Jan 11 02:10:49 host dovecot: lmtp(3972928): Connect from local Jan 11 02:10:49 host dovecot: lmtp(3972928): Disconnect from local: Client has quit the connection (state=READY) Jan 11 02:10:49 host dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__xpkvdj8ehmsyfu9avfzk1zlfcds15cpyhnsutqu76qebin...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3972936, secured, session= Jan 11 02:10:49 host dovecot: imap(__cpanel__service__auth__imap__xpkvdj8ehmsyfu9avfzk1zlfcds15cpyhnsutqu76qebinfpdbkphlihii_f8e2s)<3972936>: Logged out in=11, out=502, bytes=11/502
    Are there any other details in those additional lines that might help?
    0
  • jeffschips
    All I'm seeing are hundreds of entries like this: Jan 15 11:00:06 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=server-ip-address, lip=server-ip-address, TLS, session=
    0
  • jeffschips
    The login name is always valid-user@mangleddomainname (example: valid-user@mydomaincom (note: no "." between "mydomain" and "com")
    0
  • jeffschips
    This is what I'm seeing in the cPHulk history reports. A snippet thereof: inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:00:04 2021-01-15 16:00:04 254 inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:10:02 2021-01-15 16:10:02 264 inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:20:02 2021-01-15 16:20:02 274 inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:30:02 2021-01-15 16:30:02 284 inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:40:02 2021-01-15 16:40:02 294 inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:50:02 2021-01-15 16:50:02 304 inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 11:00:04 2021-01-15 17:00:04 314
    0
  • jeffschips
    Maybe there is a user on my system as "inquiry@mangled-domain" somewhere? I can't find them.
    0
  • cPRex Jurassic Moderator
    Thanks for the additional details. I can't say that's something I've seen before in those logs with the domain name not being included properly there. Since the IP address is from the server itself it would make the most sense that a script is causing this on the user account, especially if this is happening exactly every 10 minutes as your timestamps indicate. If you suspend that user account, does the issue stop?
    0
  • jeffschips
    good suggestion - I'll try suspending the account and report back.
    0
  • jeffschips
    Is there a server-wide deep search I can use to scan the server for any file containing the string "mangleddomain" as it's a unique string and perhaps I can dig down into it?
    0
  • jeffschips
    SOLVED. Ran: find . -type f -exec grep -l "mangleddomain" {} + and discovered an entry in a config file for a web app with the mangled domain name. Thank you!
    0
  • cPRex Jurassic Moderator
    I was just going to say, "find" would be your best friend for that. I'm glad that helped you track it down!
    0

Please sign in to leave a comment.