Solved

I am using a mail server on RHEL 5 with SquirrelMail webmail and sendmail and found some log entries. Do they indicate an attack on my server?

Posted on 2009-07-05
Last Modified: 2013-12-18
I found this log on the mail server. Does it indicate an attack on my server?
 
dovecot:
    Authentication Failures:
        rhost=::ffff:10.50.0.2 : 125 Time(s)
       root: 9 Time(s)
       sales: 3 Time(s)
       adm: 1 Time(s)
       apache: 1 Time(s)
       backup: 1 Time(s)
       bin: 1 Time(s)
       clamav: 1 Time(s)
       daemon: 1 Time(s)
       ftp: 1 Time(s)
       games: 1 Time(s)
       gopher: 1 Time(s)
       halt: 1 Time(s)
       lp: 1 Time(s)
       mail: 1 Time(s)
       mailnull: 1 Time(s)
       mysql: 1 Time(s)
       news: 1 Time(s)
       nfsnobody: 1 Time(s)
       nobody: 1 Time(s)
       operator: 1 Time(s)
       postgres: 1 Time(s)
       rpc: 1 Time(s)
       rpcuser: 1 Time(s)
       rpm: 1 Time(s)
       shutdown: 1 Time(s)
       smmsp: 1 Time(s)
       sshd: 1 Time(s)
       sync: 1 Time(s)
       uucp: 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 125 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 
 
 
 --------------------- Connections (secure-log) Begin ------------------------ 
 
 
 **Unmatched Entries**
 webmin[14051]: Successful login as root from 10.50.1.6 
 webmin[15142]: Logout by root from 10.50.1.6 
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user staff
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user administrator
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user recruit
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user alias
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user office
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user samba
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tomcat
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webadmin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user spam
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user virus
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user cyrus
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user oracle
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user michael
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webmaster
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postmaster
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postfix
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user paul
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user linux
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user user
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user david
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user web
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user pgsql
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tony
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user core
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user newsletter
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user named
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user visitor
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user ftpuser
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user username
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user administrator
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user library
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest

Question by:aloknet21
Accepted Solution

by:
jar3817 earned 500 total points
ID: 24779960
Yup. It means 10.50.0.2 (assuming you changed it when making the post) tried to log in as all those users. Assuming you have decent passwords set, there is nothing to worry about. This happens all the time to my servers and is just something that is going to happen to a machine that is connected to the internet. These scumbags just scan IP ranges looking for machines that are on, and when they find one they try to log in with common usernames and lame passwords.

I set up a special iptables rule to slow this down for SSH logins on my servers, but nobody but me should be logging in via SSH; you probably don't want to do that on a mail server where people are logging in trying to get their mail.
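The pattern described in the accepted answer (one remote host cycling through many account names) can be checked mechanically. This is an added example, not part of the original thread: it parses a constructed, abridged sample in the logwatch layout from the question, and the function names and the `min_users` threshold are assumptions.

```python
import ipaddress
import re

# Constructed, abridged sample in the logwatch layout from the question.
SAMPLE = """\
dovecot:
    Authentication Failures:
        rhost=::ffff:10.50.0.2 : 125 Time(s)
       root: 9 Time(s)
       sales: 3 Time(s)
       mysql: 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 125 Time(s)
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user staff
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user oracle
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
"""

RHOST = re.compile(r"rhost=(\S+)\s*:\s*(\d+) Time\(s\)")
USER = re.compile(r"^\s*([A-Za-z0-9._-]+): (\d+) Time\(s\)$")
UNKNOWN = re.compile(r"error retrieving information about user\s+(\S+)")

def normalize(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def summarize(report, min_users=5):
    """Summarize failed dovecot logins; min_users is an assumed threshold."""
    hosts, named, unknown = {}, {}, set()
    for line in report.splitlines():
        if m := RHOST.search(line):
            hosts[normalize(m.group(1))] = int(m.group(2))
        elif m := USER.match(line):
            named[m.group(1)] = int(m.group(2))   # names pam_unix counted per user
        elif m := UNKNOWN.search(line):
            unknown.add(m.group(1))               # names with no matching account
    names = set(named) | unknown
    return {
        "hosts": hosts,
        "distinct_usernames": len(names),
        "unknown_usernames": sorted(unknown),
        # Many different names with few tries each points to username guessing.
        "looks_like_guessing": len(names) >= min_users,
        # Named accounts with repeated failures are the ones to review first.
        "repeated_targets": {u: n for u, n in named.items() if n > 1},
    }
```

Calling `summarize()` on the text of a saved logwatch report returns the source hosts, the account names tried, and the named accounts that saw repeated failures.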

Author Comment

by:aloknet21
ID: 24782933
Thank you very much.

Jar, if you remember, I asked a question about mail going to the spam folder at Yahoo and Gmail.

My ISP has cleared all the blacklistings on their side, and I put a question to Yahoo. They have suggested some tips too, but I need your help too; please see their response here.

> 1. The specific domain name and IP address(es) of the email machines
> that experienced the delivery issue when trying to send to Yahoo! Mail.
>
>   IP address:                   61.16.236.205
>   Domain name:                  mail.glyphinternational.com
>   DNS shows:                    [No host name is associated with this
> IP address]
>
> 2. The results of a DNS & RDNS query for the mail server with delivery
> issues showing that you are resolving IP and domain name correctly.
> Your mail server IP reverse DNS should reflect your domain in the name.
>
> Please review the following link for assistance in correct configuration
> of SMTP and DNS:
>
>   http://www.saas.nsw.edu.au/solutions/dns.html
>
> The server should have a fully qualified hostname (FQDN).  The hostname
> should resolve to an A record. (DNS) The IP address should resolve to
> the server domain name.(RDNS)  The MX record for the domain for which
> you wish to receive mail should point to the domain name of your
> dedicated mail server.  There should be a PTR record for the IP address
> of your server.
>
> We greatly appreciate your assistance and patience.
>
> Thank you again for contacting Yahoo! Mail. Your case number for this
> issue is 62072053. Please reference it in all future communication about
> this particular issue.
>
> Regards,
>
> Ashlar
>
> Yahoo! Customer Care

Author Closing Comment

by:aloknet21
ID: 31599884
Helpful