How do they find this stuff
I asked this before and never really got a definitive answer.
This weekend I saw a few failed login attempts on email.
What's worrying is that both these email accounts actually exist on this small private domain, neither of them has ever been advertised, and one of them is highly unconventional, so how did this happen?
How did these email accounts get leaked?
2016-05-29 20:30:23 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:31 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:39 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=hollie)
Because your domain resolves and exists, that is how they get it. All they are doing is stabbing in the dark with a dictionary attack.
This I guess I could accept if I were seeing failed logins for names which didn't exist, i.e. fred, bill, mary, accounts, sales, etc., but I don't.
Hello, were you able to scan additional logs on this system for that IP address to see if it has accessed additional services on the server? Thank you.
Can you suggest any other logs to look at?
You could search for that IP address in /usr/local/apache/logs/error_log, /usr/local/cpanel/logs/access_log, or /usr/local/apache/domlogs/* to see if any other instances of that IP address exist. The idea is to see if it's an actual user on your system as opposed to a hacker. Thank you.
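Added example, not from this thread or from cPanel: a small Python script that parses failure lines in the exim "authenticator failed" format quoted in the question and, given the list of mailboxes that really exist on the server, reports per source IP how many of the tried names are real. That is the distinction the thread is circling: a dictionary run mostly guesses names that do not exist, while a run that only hits real names is the pattern the questioner is worried about. The sample log lines, the IP addresses (from the RFC 5737 documentation ranges) and the set of existing users are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in the same format as the failures quoted above.
# Two sources: one that only tries names that exist on the server, and one
# that guesses generic names. The last line is unrelated and must be ignored.
SAMPLE_LOG = """\
2016-05-29 20:30:23 dovecot_plain authenticator failed for 203.0.113.9.example.net (mail.mydomain.co.uk) [203.0.113.9]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:31 dovecot_plain authenticator failed for 203.0.113.9.example.net (mail.mydomain.co.uk) [203.0.113.9]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:39 dovecot_plain authenticator failed for 203.0.113.9.example.net (mail.mydomain.co.uk) [203.0.113.9]:29900: 535 Incorrect authentication data (set_id=hollie)
2016-05-29 20:31:02 dovecot_plain authenticator failed for (mail.mydomain.co.uk) [198.51.100.7]:41122: 535 Incorrect authentication data (set_id=admin)
2016-05-29 20:31:10 dovecot_plain authenticator failed for (mail.mydomain.co.uk) [198.51.100.7]:41123: 535 Incorrect authentication data (set_id=sales)
2016-05-29 20:35:00 Start queue run: pid=12345
"""

# Constructed list of mailboxes that actually exist on the server.
EXISTING_USERS = {"j", "hollie", "alice"}

# Matches the exim failure line; set_id is the username the client tried.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"dovecot_\w+ authenticator failed for .*?"
    r"\[(?P<ip>[0-9.]+)\]:\d+: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)


def parse_failures(log_text):
    """Return a list of (timestamp, ip, username) for every failed-auth line."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((m.group("ts"), m.group("ip"), m.group("user")))
    return out


def summarize(failures, existing_users):
    """Group failures by source IP and split the tried names into those that
    exist on the server and those that do not."""
    per_ip = defaultdict(lambda: {"attempts": 0, "existing": set(), "unknown": set()})
    for _ts, ip, user in failures:
        entry = per_ip[ip]
        entry["attempts"] += 1
        if user in existing_users:
            entry["existing"].add(user)
        else:
            entry["unknown"].add(user)
    return dict(per_ip)


def classify(entry):
    """'dictionary' when a source only guesses names that do not exist,
    'targeted' when every name it tried is a real mailbox, 'mixed' otherwise."""
    if not entry["existing"] and not entry["unknown"]:
        return "none"
    if not entry["unknown"]:
        return "targeted"
    if not entry["existing"]:
        return "dictionary"
    return "mixed"


def report(log_text, existing_users):
    """Print one line per source IP with the verdict and the names it tried."""
    summary = summarize(parse_failures(log_text), existing_users)
    for ip, entry in sorted(summary.items()):
        print(f"{ip}: {entry['attempts']} failures, {classify(entry)} "
              f"(real: {sorted(entry['existing'])}, unknown: {sorted(entry['unknown'])})")
    return summary


if __name__ == "__main__":
    # On a live box, replace SAMPLE_LOG with the contents of the exim mainlog.
    report(SAMPLE_LOG, EXISTING_USERS)
```

A "targeted" verdict only says that every name tried maps to a real mailbox; with two or three attempts it does not by itself prove the addresses were leaked, which is why the reply above suggests also checking whether the same IP shows up in the web and cPanel logs.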