Solved

I am using mail server on RHEL 5 with Webmail on Squirrel mail and sendmail and found some log. Does it mean any attack on my server?

Posted on 2009-07-05
Last Modified: 2013-12-18
I have found this log at Mail Server. Does it mean any attack on my server?
 

dovecot:

    Authentication Failures:

        rhost=::ffff:10.50.0.2 : 125 Time(s)
       root: 9 Time(s)
       sales: 3 Time(s)
       adm: 1 Time(s)
       apache: 1 Time(s)
       backup: 1 Time(s)
       bin: 1 Time(s)
       clamav: 1 Time(s)
       daemon: 1 Time(s)
       ftp: 1 Time(s)
       games: 1 Time(s)
       gopher: 1 Time(s)
       halt: 1 Time(s)
       lp: 1 Time(s)
       mail: 1 Time(s)
       mailnull: 1 Time(s)
       mysql: 1 Time(s)
       news: 1 Time(s)
       nfsnobody: 1 Time(s)
       nobody: 1 Time(s)
       operator: 1 Time(s)
       postgres: 1 Time(s)
       rpc: 1 Time(s)
       rpcuser: 1 Time(s)
       rpm: 1 Time(s)
       shutdown: 1 Time(s)
       smmsp: 1 Time(s)
       sshd: 1 Time(s)
       sync: 1 Time(s)
       uucp: 1 Time(s)

    Unknown Entries:

       check pass; user unknown: 125 Time(s)

 ---------------------- pam_unix End ------------------------- 

 --------------------- Connections (secure-log) Begin ------------------------ 

 **Unmatched Entries**

 webmin[14051]: Successful login as root from 10.50.1.6 
 webmin[15142]: Logout by root from 10.50.1.6 
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user staff
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user administrator
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user recruit
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user alias
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user office
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user samba
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tomcat
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webadmin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user spam
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user virus
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user cyrus
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user oracle
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user michael
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user webmaster
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postmaster
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user postfix
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user paul
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user linux
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user user
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user david
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user web
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user pgsql
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user info
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tony
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user core
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user newsletter
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user named
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user visitor
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user ftpuser
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user username
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user administrator
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user library
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest

Question by:aloknet21

Accepted Solution

by:
jar3817 earned 500 total points
ID: 24779960
Yup. It means 10.50.0.2 (assuming you changed it when making the post) tried to log in as all those users. Assuming you have decent passwords set, there is nothing to worry about. This happens all the time to my servers and is just something that is going to happen to a machine that is connected to the internet. These scumbags just scan IP ranges looking for machines that are on, and when they find one they try to log in with common usernames and lame passwords.

I set up a special iptables rule to slow this down for SSH logins on my servers, but nobody but me should be logging in via SSH; you probably don't want to do that on a mail server where people are logging in trying to get their mail.
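Added example (not part of the original thread): a Python triage of a logwatch report in the layout posted in the question, which normalises the IPv4-mapped rhost and separates failures against named accounts from guesses at nonexistent names. The sample report is a constructed excerpt, and treating the per-user list as accounts that exist is an assumption about how pam_unix logs failures.

```python
import ipaddress
import re
# Constructed sample: a shortened excerpt in the same logwatch layout as the question.
SAMPLE_REPORT = """\
dovecot:
    Authentication Failures:
        rhost=::ffff:10.50.0.2 : 125 Time(s)
       root: 9 Time(s)
       sales: 3 Time(s)
       mysql: 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 125 Time(s)
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user staff
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user guest
"""

RHOST = re.compile(r"rhost=(\S+)\s*:\s*(\d+) Time\(s\)")
USER_FAIL = re.compile(r"^\s*([A-Za-z0-9._-]+): (\d+) Time\(s\)\s*$")
UNKNOWN = re.compile(r"error retrieving information about user\s+(\S+)")

def normalize_ip(text):
    """Return the IPv4 form of an IPv4-mapped IPv6 address such as ::ffff:10.50.0.2."""
    ip = ipaddress.ip_address(text)
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip

def triage(report, repeat_threshold=3):
    # Assumption: names in the per-user failure list are accounts that exist on the host.
    sources, existing, unknown = {}, {}, set()
    for line in report.splitlines():
        if m := RHOST.search(line):
            sources[str(normalize_ip(m.group(1)))] = int(m.group(2))
        elif m := USER_FAIL.match(line):
            existing[m.group(1)] = int(m.group(2))
        elif m := UNKNOWN.search(line):
            unknown.add(m.group(1))
    return {
        "sources": sources,
        # Private addresses are internal hosts, so the remote origin must be traced there.
        "private_sources": [s for s in sources if ipaddress.ip_address(s).is_private],
        "distinct_usernames": len(existing) + len(unknown - set(existing)),
        # Existing accounts tried repeatedly are the ones whose passwords to review first.
        "repeated_targets": sorted(u for u, n in existing.items() if n >= repeat_threshold),
        "nonexistent_users": sorted(unknown),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Many distinct names with one attempt each is the dictionary-scan pattern the answer describes; the `repeated_targets` list is where password strength matters.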

Author Comment

by:aloknet21
ID: 24782933
Thank you very much.

Jar, if you remember, I asked a question about mail going to the spam folder at Yahoo and Gmail.

My ISP has cleared all blacklistings on their side, and I put a question to Yahoo. They have suggested some tips too, but I need your help too. Please see their response here.

> 1. The specific domain name and IP address(es) of the email machines
> that experienced the delivery issue when trying to send to Yahoo! Mail.
>
>   IP address:                   61.16.236.205
>   Domain name:                  mail.glyphinternational.com
>   DNS shows:                    [No host name is associated with this
> IP address]
>
> 2. The results of a DNS & RDNS query for the mail server with delivery
> issues showing that you are resolving IP and domain name correctly.
> Your mail server IP reverse DNS should reflect your domain in the name.
>
> Please review the following link for assistance in correct configuration
> of SMTP and DNS:
>
>   http://www.saas.nsw.edu.au/solutions/dns.html
>
> The server should have a fully qualified hostname (FQDN).  The hostname
> should resolve to an A record. (DNS) The IP address should resolve to
> the server domain name.(RDNS)  The MX record for the domain for which
> you wish to receive mail should point to the domain name of your
> dedicated mail server.  There should be a PTR record for the IP address
> of your server.
>
> We greatly appreciate your assistance and patience.
>
> Thank you again for contacting Yahoo! Mail. Your case number for this
> issue is 62072053. Please reference it in all future communication about
> this particular issue.
>
> Regards,
>
> Ashlar
>
> Yahoo! Customer Care

Author Closing Comment

by:aloknet21
ID: 31599884
Helpful