Get real IP for attack on IMAP?
I see some failed auth on IMAP:
cat /var/log/maillog|grep shipping
Apr 28 16:35:13 hq dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user shipping
Apr 28 17:43:44 hq dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user shipping
Near that time, there is not any entry in the log for determining the IP. Only in /var/log/exim_mainlog do I get some:
2016-04-28 16:35:15 dovecot_login authenticator failed for localhost (HOSTNAME) [127.0.0.1]:58132: 535 Incorrect authentication data (set_id=shipping)
2016-04-28 17:43:46 dovecot_login authenticator failed for localhost (HOSTNAME) [127.0.0.1]:58648: 535 Incorrect authentication data (set_id=shipping)
Appreciate help.
Hello :) The connection can come from localhost (127.0.0.1) in cases where the connection is made from a script that's uploaded to an account, or through Webmail. Do you have cPHulk brute force protection enabled? Do you notice any corresponding entries in /usr/local/cpanel/logs/access_log or in the Apache domain access logs that correspond with those login attempts? Thank you.
Hi. I don't see anything relevant for access at the same time or with the same user in /usr/local/cpanel/logs/access_log. I see too many and different users on the system.
2016-04-30 20:04:24 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:39365: 535 Incorrect authentication data (set_id=billing)
2016-04-30 20:17:30 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:49296: 535 Incorrect authentication data (set_id=library@mydomain.es)
2016-04-30 20:23:55 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:53956: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
2016-04-30 20:24:02 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:53984: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
2016-04-30 20:24:13 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54041: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
2016-04-30 20:24:31 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54202: 535 Incorrect authentication data (set_id=AB\023)
2016-04-30 20:24:38 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54340: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
2016-04-30 20:24:42 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54256: 535 Incorrect authentication data (set_id=AB\023)
2016-04-30 20:24:45 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54383: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
2016-04-30 20:26:10 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:55394: 535 Incorrect authentication data (set_id=postmaster@mydomain.net)
2016-04-30 20:26:36 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54428: 535 Incorrect authentication data
2016-04-30 20:31:27 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60035: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:31:34 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60064: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:31:45 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60173: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:32:02 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60351: 535 Incorrect authentication data
2016-04-30 20:32:13 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60426: 535 Incorrect authentication data
2016-04-30 20:32:21 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60761: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:32:24 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60525: 535 Incorrect authentication data
2016-04-30 20:32:28 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60805: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:34:26 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:32841: 535 Incorrect authentication data
2016-04-30 20:39:52 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:39799: 535 Incorrect authentication data (set_id=library@mydomain.es)
For the last one, cat /usr/local/cpanel/logs/access_log|grep "30/2016:20:39" gives an empty result. Appreciate help.
What about in the domain access logs found under the /usr/local/apache/domlogs directory? Thank you.
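The correlation suggested in the replies, as an added example (not part of the original thread and not cPanel code): it pairs each loopback failure in exim_mainlog with web requests logged a few seconds earlier, normalizing time zones so an offset mismatch between the two logs does not hide a match. Assumptions: the server's UTC offset is +2, the domlogs are in Apache combined format, and a 5-second window; the access-log lines, client IPs and the path are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Exim failure line as shown in the thread; set_id is optional.
EXIM_FAIL = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed "
    r"for \S+ \([^)]*\) \[([^\]]+)\]:\d+: 535 [^(]*(?:\(set_id=(.*)\))?$")
# Apache combined log format: client IP, timestamp, method, path.
APACHE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_exim_failures(lines, utc_offset_hours):
    """Failures whose peer is loopback. Exim logs no zone, so the caller supplies it."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    out = []
    for line in lines:
        m = EXIM_FAIL.match(line.strip())
        if m and m.group(2) in ("127.0.0.1", "::1"):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            out.append((ts, m.group(3) or "-"))
    return out

def parse_access(lines):
    """(timestamp, client IP, method, path) for each parsable access-log line."""
    out = []
    for line in lines:
        m = APACHE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m.group(1), m.group(3), m.group(4)))
    return out

def correlate(failures, requests, window=5):
    """Web requests seen 0..window seconds before each loopback auth failure."""
    hits = []
    for f_ts, user in failures:
        for r_ts, ip, method, path in requests:
            if timedelta(0) <= f_ts - r_ts <= timedelta(seconds=window):
                hits.append((f_ts.strftime("%H:%M:%S"), user, ip, method, path))
    return hits

P = " dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]"
EXIM_SAMPLE = [  # three of the lines posted in the thread
    "2016-04-30 20:31:27" + P + ":60035: 535 Incorrect authentication data (set_id=katarina)",
    "2016-04-30 20:34:26" + P + ":32841: 535 Incorrect authentication data",
    "2016-04-30 20:39:52" + P + ":39799: 535 Incorrect authentication data (set_id=library@mydomain.es)"]
ACCESS_SAMPLE = [  # constructed domlog lines; the first is logged in UTC
    '203.0.113.45 - - [30/Apr/2016:18:31:25 +0000] "POST /contact/send.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2016:20:35:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [30/Apr/2016:20:39:51 +0200] "POST /contact/send.php HTTP/1.1" 200 512']

if __name__ == "__main__":
    for hit in correlate(parse_exim_failures(EXIM_SAMPLE, 2), parse_access(ACCESS_SAMPLE)):
        print(*hit)
```

A request that repeatedly precedes failures identifies the script or Webmail session to inspect, and its client IP is the candidate source address.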