Mail server log shows excessive failed logins from IP address in China

Posted on 2006-05-24
Last Modified: 2008-02-01
Hi.  So I got to work this morning and received an email message from GoDaddy, notifying me that my server had exceeded its maximum number of 1000 SMTP relays yesterday.  I checked my /var/log/messages log and noticed that a huge number of attempts to authenticate had been made yesterday by an IP address in China.  The following entry:

May 23 17:36:49 outdoorweb sshd(pam_unix)[14648]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=  user=root

was listed many, many times.  This started at 17:35 and occurred every 1 to 5 seconds and lasted till about 17:42.

All of my maillog files were completely empty.  

I don't know where to find the SMTP log on a Linux Redhat Fedora server.  Can anyone tell me where to look?

My first thought was that one of my website clients has a virus on their computer and it's going crazy sending messages.  That's why I was hoping to be able to find an SMTP log showing who was sending messages and at one time.  But then with the weird thing going on with the IP address in China...

Any advice would be greatly appreciated.

Question by:gboethin

    Accepted Solution

    Your /var/log/messages log is showing a dictionary-based password attack.  I see them all the time on my system.  Spammers are attempting to log into the system using thousands of common login names and passwords.   Judging by the message from GoDaddy, they eventually succeeded, and started sending out spam from your system.  After relaying 1000 outgoing messages through your server, the GoDaddy limit tripped, and you were alerted.

    You can use DenyHosts to limit ssh dictionary attacks:

    You should also have your mail server configured to prevent open relaying:

    Expert Comment

    My sample size is small, but most of the other servers I have encountered that are experiencing these attacks are also registered with GoDaddy.  I wonder if GoDaddy has a WhoIs hole that is allowing these crackers to mine their registered domain names.

    Also, since the attack apparently succeeded, you have a weak username/password combination.   You might be able to determine the weak username by looking toward the end of the list of failed logins for a successful login.  You might also determine that from the SMTP logs ... which you cannot locate.

    The location of the mail logs depends upon the distro, mail server used, and its specific configuration.  But look in obvious places like /var/log/mail, /var/log/qmail, etc.
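    The accepted solution above identifies the pam_unix lines as a dictionary attack, and this comment suggests scanning the end of the failed-login list for a successful login.  The script below (an added example, not code from the thread or from any of its participants) does both over a constructed sample in the same format as the question's log line, with documentation-range addresses standing in for the real rhost values; run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd password-guessing
# noise in /var/log/messages and check whether any login from a guessing
# host later succeeded. SAMPLE_LOG is a constructed sample in the format
# shown in the question; the rhost values are documentation-range
# placeholders. The first line copies the question's form with an empty rhost=.
SAMPLE_LOG='May 23 17:35:40 outdoorweb sshd(pam_unix)[14640]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=  user=root
May 23 17:36:49 outdoorweb sshd(pam_unix)[14648]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
May 23 17:36:52 outdoorweb sshd(pam_unix)[14650]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=admin
May 23 17:36:55 outdoorweb sshd(pam_unix)[14652]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=test
May 23 17:37:01 outdoorweb sshd[14655]: Accepted password for web1 from 192.0.2.10 port 40112 ssh2
May 23 17:40:10 outdoorweb sshd(pam_unix)[14700]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
May 23 17:41:00 outdoorweb sshd[14702]: Accepted publickey for gboethin from 203.0.113.5 port 50000 ssh2'

# failures_by_host: prints "count host" per rhost, busiest first.
failures_by_host() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/sshd\(pam_unix\).*authentication failure/ {
                host = "(none)"   # an empty rhost= (as in the question) is reported as (none)
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^rhost=/ && substr($i, 7) != "") host = substr($i, 7)
                n[host]++
            }
            END { for (h in n) print n[h], h }' \
      | sort -rn
}

# accepted_after_failures: prints "user host" for every "Accepted ..." login
# coming from a host that also appears in the failure list; review those sessions.
accepted_after_failures() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/sshd\(pam_unix\).*authentication failure/ {
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^rhost=/) bad[substr($i, 7)] = 1
            }
            /sshd\[[0-9]+\]: Accepted / {
                # line shape: "Accepted password for USER from HOST port N ssh2"
                for (i = 1; i <= NF; i++) {
                    if ($i == "for")  u = $(i + 1)
                    if ($i == "from") h = $(i + 1)
                }
                acc[NR] = u " " h
            }
            END {
                for (k = 1; k <= NR; k++)
                    if (k in acc) { split(acc[k], p, " "); if (p[2] in bad) print acc[k] }
            }'
}
```

    On the sample, failures_by_host ranks 192.0.2.10 first with three attempts, and accepted_after_failures reports the web1 login from that same host while ignoring the key-based login from an address that never failed.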

    Author Comment

    Thanks for the replies.  I went through my message log and saw that these attempts to crack passwords have been going on for some time now.  I assume that I would have seen some kind of successful login message if they'd been successful in guessing my password.  I just logged out and logged back into my server via Putty and noticed that there was a message indicating that the login was successful.  

    I'm thinking that they haven't cracked the password.  The password is very strong and contains an odd combination of letters and numbers.  There is no rhyme or reason to the numbers, so these programs would have to just be generating random numbers to actually get the numeric portion correct.

    What type of protocol are these guys trying to gain access to?  Is it SSH?

    Also, my SMTP server is not an open relay.  It requires authentication by the users.  It's been so long since I set that up... but it seems like I'm using qmail-smtpd as the SMTP server.  I can't remember what files you edit related to xinetd to check that... like I said, it's been so long.  

    I found a mail log directory that shows what appears to be recent SMTP activity.  I just sent a message from one of my email accounts and noticed that it recorded an action with my ISP's IP listed.  Though, there's no time and it doesn't show user accounts or email addresses.  

    The following combination of letters/numbers is prefixed to all the lines in this log:
    Is there any way of knowing what this means?

    Is there a log any where showing SMTP authentication?  That's probably what I need to find to figure out who's sending all these messages.  If not, I guess the best thing to do would be to start going through the log files and find big groups of the same IP address.

    Any other suggestions?

    Thanks for the help so far, and I'm going to be doing something to prevent the dictionary attacks.  

    Author Comment

    Another question.  Is there any way to simply restrict any kind of remote access to an IP address range?  Like saying, if the IP address isn't within the 111.111.111.* range access isn't possible for certain protocols like SSH.  I know how to do it with FTP but not with SSH.


    Assisted Solution

    Actually, you're being "harvested."

    That means, a computer in China, usually run by some ad agencies through various offshore accounts all the way to China, is gathering usernames from your domain so that they can publish them and get you lots of spam in the future.

    When someone tries to authenticate with a script, and the script quits after failed authentication, they know one thing: does the username exist on this domain?

    The answer, of course, tells them which accounts are valid for your domain and once they have those names they will know all of the users they can guess at on your domain.  This is called harvesting, although it can also be called "data mining."

    Both are illegal in the United States, but, apparently not in China and a good number of other countries.

    You have to realise the motive in someone trying to login to a thousand failed usernames on your domain or via email: gather information on users.

    The offshore route, going from U.S. to another country, then coming back in [backdooring] is also illegal in the U.S., but until you have evidence and provide it to some authority, they will continue to operate because they're getting away with it.  Tracing this hacking back to the U.S. origins, the majority of which come from New York City advertisers and list compilers, is somewhat tedious, but it can be done if you trace the ownership long enough.

    The script they run is a form of vudo.c

    It starts with numerous attempts to get root, failing that, it goes through a long list of guessed-at names for about an hour.  It gets most common American names [which is how you know it's pretty much an American backdoor thingee from our friendly ad guys on Madison Avenue] this way.  Thereafter, you get spam and you don't know how anyone got an email address that you never listed anywhere.  Secondly, the unscrupulous and illegal guy in NYC will then sell all of your email addresses on CDs and DVDs, thus breaking another law, or two, copyright and illegal distribution laws.  They used to do this with phone books, and get everyone's name and address and send them junk mail.  Now, they just harvest from the Internet.  But it's all illegal, which is why they use offshore accounts, to try and evade U.S. law.

    It's disgusting what some people will do to pay the loft rent in NYC and mortgage in Connecticut.  A lot of these domains trace back, eventually, to either of the two, often a post office box near some fancy country club.  Another way you know it's your friends in New York [Connecticut is a borough of New York City where all the over-achievers drive home to, away from the inner city].

    GoDaddy's Bob Parsons should have been aware of this and his servers should have logged them and someone should try to stop these weasels.

    Expert Comment

    By the way, it shows that ssh and other security schemes all have a new security hole: they give out user information, even when they say bad password or no such user.

    Motive: the security experts missed the motive in wasting time trying to login with bad passwords.  They don't really want to login or crack your system, they want the names of the users!  And they're getting them.

    You will probably need a new script or mail program filter that does not reply at all to such attempts, no "bad password", no "no such user", so that they can't get the information on which users exist and which users do not exist.

    It would be nice if the super security guys would first see how this scheme works, and then come up with something to do about it.
