Solved

I am using a mail server on RHEL 5 with SquirrelMail webmail and sendmail and found some log entries. Does it mean any attack on my server?

Posted on 2009-07-05
Last Modified: 2013-12-18
I have found this log on the mail server. Does it mean any attack on my server?
 
dovecot:
    Authentication Failures:
        rhost=::ffff:10.50.0.2 : 125 Time(s)
       root: 9 Time(s)
       sales: 3 Time(s)
       adm: 1 Time(s)
       apache: 1 Time(s)
       backup: 1 Time(s)
       bin: 1 Time(s)
       clamav: 1 Time(s)
       daemon: 1 Time(s)
       ftp: 1 Time(s)
       games: 1 Time(s)
       gopher: 1 Time(s)
       halt: 1 Time(s)
       lp: 1 Time(s)
       mail: 1 Time(s)
       mailnull: 1 Time(s)
       mysql: 1 Time(s)
       news: 1 Time(s)
       nfsnobody: 1 Time(s)
       nobody: 1 Time(s)
       operator: 1 Time(s)
       postgres: 1 Time(s)
       rpc: 1 Time(s)
       rpcuser: 1 Time(s)
       rpm: 1 Time(s)
       shutdown: 1 Time(s)
       smmsp: 1 Time(s)
       sshd: 1 Time(s)
       sync: 1 Time(s)
       uucp: 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 125 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 
 
 
 --------------------- Connections (secure-log) Begin ------------------------ 
 
 
 **Unmatched Entries**
 webmin[14051]: Successful login as root from 10.50.1.6 
 webmin[15142]: Logout by root from 10.50.1.6 
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user staff
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user administrator
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user recruit
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user alias
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user office
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user samba
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tomcat
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webadmin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user spam
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user virus
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user cyrus
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user oracle
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user michael
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webmaster
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postmaster
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postfix
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user paul
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user linux
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user user
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user david
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user web
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user pgsql
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tony
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user core
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user newsletter
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user named
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user visitor
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user ftpuser
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user username
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user administrator
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user library
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest

Question by:aloknet21
LVL 26

Accepted Solution

by:
jar3817 earned 500 total points
ID: 24779960
Yup. It means 10.50.0.2 (assuming you changed it when making the post) tried to log in as all those users. Assuming you have decent passwords set, there is nothing to worry about. This happens all the time to my servers and is just something that is going to happen to a machine that is connected to the internet. These scumbags just scan IP ranges looking for machines that are on, and when they find one they try to log in with common usernames and lame passwords.

I set up a special iptables rule to slow this down for SSH logins on my servers, but nobody but me should be logging in via SSH; you probably don't want to do that on a mail server where people are logging in trying to get their mail.
0
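
The pattern described in the answer above, one remote host walking a list of common account names, can be separated from a real user mistyping a password by counting distinct usernames per source. This is an added example, not part of the original thread; the raw `pam_unix` line layout, the constructed sample lines, the second host `10.50.9.9` and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed pam_unix failure line; "user=" is only logged when the account exists.
FAIL = re.compile(
    r"authentication failure;.*?\bruser=(\S*)\s+rhost=(\S+)(?:\s+user=(\S+))?")

def _line(rhost, name, known):
    """Build one constructed /var/log/secure line (not taken from the post)."""
    tail = "  user=%s" % name if known else ""
    return ("Jul  5 04:12:01 mail dovecot-auth: pam_unix(dovecot:auth): "
            "authentication failure; logname= uid=0 euid=0 tty=dovecot "
            "ruser=%s rhost=%s%s" % (name, rhost, tail))

# Constructed sample: one host trying many names, one host retrying one mailbox.
SAMPLE = (
    [_line("::ffff:10.50.0.2", n, False)
     for n in ("staff", "admin", "guest", "test", "oracle")]
    + [_line("::ffff:10.50.0.2", "root", True)] * 2
    + [_line("::ffff:10.50.9.9", "sales", True)] * 2
)

def summarize(lines):
    """Group failures by source host: total, distinct names, hits on real accounts."""
    hosts = {}
    for line in lines:
        m = FAIL.search(line)
        if not m:
            continue
        ruser, rhost, user = m.groups()
        if rhost.startswith("::ffff:"):      # IPv4-mapped IPv6, as in the post
            rhost = rhost[len("::ffff:"):]
        h = hosts.setdefault(
            rhost, {"failures": 0, "names": set(), "known": defaultdict(int)})
        h["failures"] += 1
        h["names"].add(user or ruser)
        if user:
            h["known"][user] += 1
    return hosts

def classify(h, spray_names=5, targeted_hits=5):
    """Thresholds are illustrative assumptions; tune them to your own traffic."""
    if len(h["names"]) >= spray_names:
        return "username-spray"
    if any(n >= targeted_hits for n in h["known"].values()):
        return "targeted-guessing"
    return "likely-user-error"

if __name__ == "__main__":
    for host, h in summarize(SAMPLE).items():
        print(host, h["failures"], sorted(h["names"]), classify(h))
```

Failures against accounts that really exist (here `root`) are the ones worth reviewing for password strength, since unknown-user attempts cannot succeed.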
 
LVL 1

Author Comment

by:aloknet21
ID: 24782933
Thank you very much.

Jar, if you remember, I asked a question about mail going to the spam folder at Yahoo and Gmail.

My ISP has cleared all blacklistings from their side, and I put a question to Yahoo. They have suggested some tips too, but I need your help too. Please see their response here.

> 1. The specific domain name and IP address(es) of the email machines
> that experienced the delivery issue when trying to send to Yahoo! Mail.
>
>   IP address:                   61.16.236.205
>   Domain name:                  mail.glyphinternational.com
>   DNS shows:                    [No host name is associated with this
> IP address]
>
> 2. The results of a DNS & RDNS query for the mail server with delivery
> issues showing that you are resolving IP and domain name correctly.
> Your mail server IP reverse DNS should reflect your domain in the name.
>
> Please review the following link for assistance in correct configuration
> of SMTP and DNS:
>
>   http://www.saas.nsw.edu.au/solutions/dns.html
>
> The server should have a fully qualified hostname (FQDN).  The hostname
> should resolve to an A record. (DNS) The IP address should resolve to
> the server domain name.(RDNS)  The MX record for the domain for which
> you wish to receive mail should point to the domain name of your
> dedicated mail server.  There should be a PTR record for the IP address
> of your server.
>
> We greatly appreciate your assistance and patience.
>
> Thank you again for contacting Yahoo! Mail. Your case number for this
> issue is 62072053. Please reference it in all future communication about
> this particular issue.
>
> Regards,
>
> Ashlar
>
> Yahoo! Customer Care
0
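
The checklist in the quoted Yahoo reply (FQDN, A record, PTR record, MX target) can be checked mechanically. This is an added example, not part of the original thread; the function names, the documentation address `192.0.2.25` and `mail.example.com` are constructed, the MX targets must be supplied by the caller because the Python standard library has no MX lookup, and requiring the PTR name to equal the hostname exactly is a stricter assumption than the reply states.

```python
import socket

def live_ptr(ip):
    """PTR lookup through the system resolver; empty list if none exists."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def live_a(name):
    """A-record lookup through the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def _norm(name):
    return name.rstrip(".").lower()

def check_mail_dns(ip, hostname, ptr=live_ptr, a=live_a, mx_targets=None):
    """Return a list of problems; an empty list means every check passed.

    ptr and a are lookup callables so the check can run against a test zone.
    mx_targets is the list of MX hostnames for the mail domain, or None to skip.
    """
    problems = []
    host = _norm(hostname)
    if "." not in host:
        problems.append("hostname is not fully qualified")
    if ip not in a(host):
        problems.append("A record for %s does not return %s" % (host, ip))
    names = [_norm(n) for n in ptr(ip)]
    if not names:
        problems.append("no PTR record for %s" % ip)
    elif host not in names:
        problems.append("PTR for %s is %s, not %s" % (ip, names[0], host))
    if mx_targets is not None and host not in [_norm(m) for m in mx_targets]:
        problems.append("MX does not point to %s" % host)
    return problems

# Constructed zone data: the "before" state has no PTR, as in the Yahoo finding.
A_ZONE = {"mail.example.com": ["192.0.2.25"]}
PTR_BEFORE = {}
PTR_AFTER = {"192.0.2.25": ["mail.example.com."]}

if __name__ == "__main__":
    for ptr_zone in (PTR_BEFORE, PTR_AFTER):
        print(check_mail_dns("192.0.2.25", "mail.example.com",
                             ptr=lambda i: ptr_zone.get(i, []),
                             a=lambda n: A_ZONE.get(n, []),
                             mx_targets=["mail.example.com"]))
```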
 
LVL 1

Author Closing Comment

by:aloknet21
ID: 31599884
Helpful
0
