Mysterious login maillog message
I have been alerted to spam being sent from one of my servers, and I looked in /var/log/maillog and saw the following strange messages:
dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
also
dovecot: imap-login: Disconnected (no auth attempts): rip=198.20.99.130, lip=68.233.34.83, TLS: Disconnected
I also saw many, many messages like:
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86
The following message scares me the most because looks like someone logged in:
dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
HELP!
I'm sure someone will correct me if I'm wrong, but IIRC the cpanel__service__auth__imap entry is cPanel monitoring the IMAP service to ensure it is working. The pop3-login example is an attempt to find accounts to log in to / brute force, unrelated to the above.
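Added example, not part of the thread: a small Python triage script that sorts dovecot login lines the way the reply above describes, treating a login by a `__cpanel__service__auth__` user from 127.0.0.1 as a chkservd check and tallying failed authentications per remote IP so brute-force sources stand out. The sample maillog lines are constructed to match the format quoted in the question (user names, IPs and ordering are made up); the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample /var/log/maillog lines, modelled on the ones quoted in the question.
# The user names, IPs and order are made up for this example.
SAMPLE_MAILLOG = """\
Sep  3 01:55:50 host dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Sep  3 01:55:52 host dovecot: imap-login: Disconnected (no auth attempts): rip=198.20.99.130, lip=68.233.34.83, TLS: Disconnected
Sep  3 01:55:53 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86
Sep  3 01:55:54 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86
Sep  3 01:55:55 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86
Sep  3 02:10:01 host dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=68.233.34.83, TLS
"""

LOGIN_RE = re.compile(r"dovecot: (?P<svc>imap|pop3)-login: (?P<msg>.*)$")
# key=value pairs; dovecot wraps the user name in <...>, other values are bare
KV_RE = re.compile(r"(?P<key>\w+)=(?:<(?P<bracketed>[^>]*)>|(?P<plain>[^,\s]*))")
FAILED_RE = re.compile(r"auth failed, (?P<n>\d+) attempts")

MONITOR_PREFIX = "__cpanel__service__auth__"  # marker chkservd puts in its synthetic user name


def parse_dovecot_line(line):
    """Return a dict describing one dovecot *-login line, or None if the line is not one."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    fields = {}
    for kv in KV_RE.finditer(msg):
        val = kv.group("bracketed") if kv.group("bracketed") is not None else kv.group("plain")
        fields[kv.group("key")] = val
    if msg.startswith("Login:"):
        event, attempts = "login", 0
    elif "auth failed" in msg:
        event = "auth_failed"
        fm = FAILED_RE.search(msg)
        attempts = int(fm.group("n")) if fm else 1
    elif "no auth attempts" in msg:
        event, attempts = "no_auth", 0      # TLS probe/scanner that never tried a password
    else:
        event, attempts = "other", 0
    return {
        "service": m.group("svc"),
        "event": event,
        "attempts": attempts,
        "user": fields.get("user", ""),
        "rip": fields.get("rip", ""),       # remote (client) IP
        "lip": fields.get("lip", ""),       # local (server) IP
    }


def is_monitoring_login(rec):
    """chkservd's service check: the synthetic cPanel user logging in over loopback."""
    return (rec["event"] == "login"
            and rec["user"].startswith(MONITOR_PREFIX)
            and rec["rip"] == "127.0.0.1")


def triage(lines, fail_threshold=3):
    """Split a maillog into monitoring noise, real logins, and remote IPs failing authentication."""
    monitoring = 0
    real_logins = []
    failed_by_ip = Counter()
    for line in lines:
        rec = parse_dovecot_line(line)
        if rec is None:
            continue
        if is_monitoring_login(rec):
            monitoring += 1
        elif rec["event"] == "login":
            real_logins.append((rec["user"], rec["rip"]))
        elif rec["event"] == "auth_failed":
            failed_by_ip[rec["rip"]] += rec["attempts"]
    suspicious = sorted(ip for ip, n in failed_by_ip.items() if n >= fail_threshold)
    return {
        "monitoring_logins": monitoring,
        "real_logins": real_logins,
        "failed_by_ip": failed_by_ip,
        "suspicious_ips": suspicious,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MAILLOG.splitlines())
    print(f"chkservd logins ignored: {result['monitoring_logins']}")
    for user, ip in result["real_logins"]:
        print(f"real login: {user} from {ip}")
    for ip in result["suspicious_ips"]:
        print(f"brute-force candidate: {ip} ({result['failed_by_ip'][ip]} failed attempts)")
```

Run it against the real file with `triage(open("/var/log/maillog"))`; the `real_logins` list is the one worth reading by hand, since a mailbox login from an unfamiliar IP is what a compromised account looks like in this log, whereas the loopback chkservd entries are expected.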
Thanks for taking the time to answer my question.
Hello :) Yes, those are simply access attempts by Chkservd to ensure the service is running. If you want to determine the source of SPAM, I recommend checking the following log file: /var/log/exim_mainlog
You can search this log file using the "exigrep" utility in order to search for specific email addresses or message subjects. It should help you to determine which account the SPAM is originating from. Thank you.
I looked in /var/log/exim_mainlog and I saw some random email messages that were received from a variety of senders. I also saw a lot, and I mean a lot, of:
2013-09-03 01:55:52 SMTP connection from [202.107.225.31]:56748 lost
2013-09-03 01:55:54 SMTP connection from [202.107.225.31]:57017 (TCP/IP connection count = 1)
2013-09-03 01:55:54 no host name found for IP address 202.107.225.31
2013-09-03 01:55:55 SMTP connection from [202.107.225.31]:57017 lost
2013-09-03 01:55:57 SMTP connection from [202.107.225.31]:57296 (TCP/IP connection count = 1)
I also saw a few:
2013-09-03 13:21:45 H=( [198.24.175.151]:1775 F= rejected RCPT : Please turn on SMTP Authentication in your mail client. () [198.24.175.151]:1775 is not permitted to relay through this server without authentication.
2013-09-03 13:21:45 H=() [198.24.175.151]:1775 Warning: "Detected session with all messages failed"
2013-09-03 13:21:45 H=() [198.24.175.151]:1775 Warning: "Increment slow_fail_block Ratelimit - () [198.24.175.151]:1775 because of all messages failed"
2013-09-03 13:21:45 SMTP connection from () [198.24.175.151]:1775 closed by QUIT
The last message worried me, but I am not sure if it is real or not.
You should search this log for the email address that reported your server as sending out SPAM. Simply viewing the full log is going to output a large amount of data. Thank you.
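Added example, not from the thread or from cPanel: the search the replies recommend doing with exigrep, done in Python over constructed exim_mainlog lines so it runs offline. It tallies accepted messages (`<=` lines) per authenticated submitter (the `A=dovecot_login:user` field) and per local injecting user (`U=`), counts relay rejections per client IP (the kind of line the poster quoted, which exim refused, so no message was accepted), ranks subjects, and lists the message IDs that touch a given address. The sample lines follow exim's standard log layout, but the host names, message IDs, addresses and subjects are made up; subject logging (`T="..."` on `<=` lines) is assumed to be enabled, as it is on cPanel servers.

```python
import re
from collections import Counter

# Constructed sample lines in exim_mainlog style (not data from the poster's server).
# The rejection line mirrors the thread's; the <= / => lines and everything in them are invented.
SAMPLE_MAINLOG = """\
2013-09-03 01:55:52 SMTP connection from [202.107.225.31]:56748 lost
2013-09-03 01:55:54 no host name found for IP address 202.107.225.31
2013-09-03 13:21:45 H=() [198.24.175.151]:1775 F=<spam@example.net> rejected RCPT <victim@example.org>: Please turn on SMTP Authentication in your mail client. () [198.24.175.151]:1775 is not permitted to relay through this server without authentication.
2013-09-03 13:30:01 1VGq2n-0004Xs-Ab <= bob@example.com H=(laptop) [203.0.113.9]:51234 P=esmtpsa A=dovecot_login:bob@example.com S=2048 T="Weekly report"
2013-09-03 13:31:10 1VGq3w-0004Yt-Cd <= bob@example.com H=(laptop) [203.0.113.9]:51240 P=esmtpsa A=dovecot_login:bob@example.com S=1024 T="Cheap meds!!!"
2013-09-03 13:31:12 1VGq3w-0004Yt-Cd => victim@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [198.51.100.7]
2013-09-03 13:31:20 1VGq4x-0004Zu-Ef <= bob@example.com H=(laptop) [203.0.113.9]:51241 P=esmtpsa A=dovecot_login:bob@example.com S=1024 T="Cheap meds!!!"
2013-09-03 13:32:00 1VGq5y-0004Av-Gh <= nobody@host.example.com U=nobody P=local S=900 T="Cheap meds!!!"
"""

RECEIVED_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
DELIVERED_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+)")
REJECT_RE = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[\d.]+)\]:\d+ F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>"
)
# single-letter exim fields such as P=esmtpsa, A=dovecot_login:user, U=nobody, T="subject"
KV_RE = re.compile(r'(?<!\S)(?P<k>[A-Z])=(?P<v>"[^"]*"|\S+)')
IP_RE = re.compile(r"\[(?P<ip>[\d.]+)\]")


def parse_exim_line(line):
    """Classify one exim_mainlog line; returns None for lines this triage does not use."""
    m = RECEIVED_RE.match(line)
    if m:
        rest = m.group("rest")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        auth = kv.get("A", "")
        ipm = IP_RE.search(rest)
        return {
            "kind": "received",
            "id": m.group("id"),
            "sender": m.group("sender"),
            "auth_user": auth.split(":", 1)[1] if ":" in auth else "",  # A=<authenticator>:<user>
            "local_user": kv.get("U", ""),                               # U=<user> for local injection
            "protocol": kv.get("P", ""),
            "ip": ipm.group("ip") if ipm else "",
            "subject": kv.get("T", ""),   # T="..." is the subject only on <= lines
        }
    m = DELIVERED_RE.match(line)
    if m:
        return {"kind": "delivered", "id": m.group("id"), "rcpt": m.group("rcpt")}
    m = REJECT_RE.match(line)
    if m:
        return {"kind": "relay_rejected", "ip": m.group("ip"),
                "sender": m.group("sender"), "rcpt": m.group("rcpt")}
    return None


def summarize(lines):
    """Count accepted messages per submitting identity and relay rejections per client IP."""
    by_auth_user, by_local_user, by_subject, rejects = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_exim_line(line)
        if rec is None:
            continue
        if rec["kind"] == "received":
            if rec["auth_user"]:
                by_auth_user[rec["auth_user"]] += 1      # a mailbox password is being used
            elif rec["local_user"]:
                by_local_user[rec["local_user"]] += 1    # a script on the box (e.g. PHP) injected it
            if rec["subject"]:
                by_subject[rec["subject"]] += 1
        elif rec["kind"] == "relay_rejected":
            rejects[rec["ip"]] += 1                      # refused; nothing was relayed
    return {
        "by_auth_user": by_auth_user,
        "by_local_user": by_local_user,
        "top_subjects": by_subject.most_common(),
        "relay_rejects_by_ip": rejects,
    }


def find_messages(lines, address):
    """Message IDs sent from, submitted by, or delivered to `address`
    (the same question `exigrep address /var/log/exim_mainlog` answers)."""
    ids = set()
    for line in lines:
        rec = parse_exim_line(line)
        if rec is None or rec["kind"] == "relay_rejected":
            continue
        if rec["kind"] == "received" and address in (rec["sender"], rec["auth_user"]):
            ids.add(rec["id"])
        elif rec["kind"] == "delivered" and rec["rcpt"] == address:
            ids.add(rec["id"])
    return sorted(ids)


if __name__ == "__main__":
    lines = SAMPLE_MAINLOG.splitlines()
    s = summarize(lines)
    print("accepted per authenticated user:", dict(s["by_auth_user"]))
    print("accepted per local user:", dict(s["by_local_user"]))
    print("top subjects:", s["top_subjects"][:3])
    print("relay attempts refused per IP:", dict(s["relay_rejects_by_ip"]))
    print("messages involving victim@example.org:", find_messages(lines, "victim@example.org"))
```

In practice, run `summarize(open("/var/log/exim_mainlog"))` and look at whichever counter is lopsided: a single `by_auth_user` entry with thousands of messages means that mailbox's password is in someone else's hands, while a large `by_local_user` count points at a script under that account. Rejected relay attempts like the ones quoted above show up only in `relay_rejects_by_ip` and never in the accepted-message counters.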