summitscout

Member
Sep 7, 2007
Is it common for cPHulk to have duplicate entries? (All of them are duplicated.)

I've just started using this tool, but since documentation and education on how it functions is so sparse, I'm not sure if there is something I don't understand or maybe have misconfigured.

See attached screenshots: Screen Shot 2019-08-12 at 7.39.58 PM.png, Screen Shot 2019-08-12 at 7.40.39 PM.png.
 

summitscout

Member
Sep 7, 2007
Not sure if it is related, but I noted a curious pattern in the exim_rejectlog:
A failed attempt is followed a few seconds later by another – but just for the username and from another IP.

It is quite clearly coordinated. Not sure what the purpose is. Must be an attempt to exploit something...

Code:
2019-08-11 13:02:44 dovecot_login authenticator failed for ip55.ip-147-135-109.us (99rdp.domain) [147.135.109.55]:52626: 535 Incorrect authentication data ([email protected])
2019-08-11 13:02:44 dovecot_login authenticator failed for ip55.ip-147-135-109.us (99rdp.domain) [147.135.109.55]:52621: 535 Incorrect authentication data ([email protected])
2019-08-11 13:02:45 dovecot_login authenticator failed for ip55.ip-147-135-109.us (99rdp.domain) [147.135.109.55]:52921: 535 Incorrect authentication data ([email protected])
2019-08-11 22:32:00 dovecot_plain authenticator failed for ([191.53.222.91]) [191.53.222.91]:43872: 535 Incorrect authentication data ([email protected])
2019-08-11 22:32:07 dovecot_plain authenticator failed for ([191.53.21.80]) [191.53.21.80]:41202: 535 Incorrect authentication data (set_id=moe)
2019-08-11 23:41:42 dovecot_plain authenticator failed for ([177.154.234.154]) [177.154.234.154]:48880: 535 Incorrect authentication data ([email protected])
2019-08-11 23:41:49 dovecot_plain authenticator failed for ([187.120.130.65]) [187.120.130.65]:42656: 535 Incorrect authentication data (set_id=moe)
2019-08-12 01:42:49 dovecot_plain authenticator failed for ([179.108.245.97]) [179.108.245.97]:57962: 535 Incorrect authentication data ([email protected])
2019-08-12 01:42:56 dovecot_plain authenticator failed for ([177.11.73.238]) [177.11.73.238]:43602: 535 Incorrect authentication data (set_id=moe)
2019-08-12 02:12:49 dovecot_plain authenticator failed for 187-84-174-84.beltraonet.com.br [187.84.174.84]:58200: 535 Incorrect authentication data ([email protected])
2019-08-12 02:13:08 dovecot_plain authenticator failed for ([187.62.149.78]) [187.62.149.78]:46973: 535 Incorrect authentication data (set_id=moe)
2019-08-12 03:24:03 dovecot_plain authenticator failed for ([177.154.238.117]) [177.154.238.117]:58716: 535 Incorrect authentication data ([email protected])
2019-08-12 03:24:10 dovecot_plain authenticator failed for ([189.51.103.63]) [189.51.103.63]:56748: 535 Incorrect authentication data (set_id=moe)
2019-08-12 04:13:42 dovecot_plain authenticator failed for ([187.1.27.76]) [187.1.27.76]:54484: 535 Incorrect authentication data ([email protected])
2019-08-12 04:13:49 dovecot_plain authenticator failed for ([131.108.244.87]) [131.108.244.87]:41214: 535 Incorrect authentication data (set_id=moe)
2019-08-12 05:28:23 dovecot_plain authenticator failed for ([201.46.59.120]) [201.46.59.120]:49152: 535 Incorrect authentication data ([email protected])
2019-08-12 05:28:34 dovecot_plain authenticator failed for ([191.241.167.51]) [191.241.167.51]:55148: 535 Incorrect authentication data (set_id=moe)
2019-08-12 06:06:58 dovecot_plain authenticator failed for ([138.118.169.13]) [138.118.169.13]:54321: 535 Incorrect authentication data ([email protected])
2019-08-12 06:07:07 dovecot_plain authenticator failed for ([191.241.167.107]) [191.241.167.107]:33257: 535 Incorrect authentication data (set_id=moe)
2019-08-12 07:00:33 dovecot_plain authenticator failed for ([141.98.80.74]) [141.98.80.74]:39058: 535 Incorrect authentication data ([email protected])
2019-08-12 07:19:11 dovecot_plain authenticator failed for ([187.120.129.247]) [187.120.129.247]:35619: 535 Incorrect authentication data ([email protected])
2019-08-12 07:19:18 dovecot_plain authenticator failed for ([179.108.240.126]) [179.108.240.126]:41823: 535 Incorrect authentication data (set_id=moe)
2019-08-12 08:42:55 dovecot_plain authenticator failed for ([191.240.25.157]) [191.240.25.157]:56572: 535 Incorrect authentication data ([email protected])
2019-08-12 08:43:02 dovecot_plain authenticator failed for ([138.219.220.227]) [138.219.220.227]:60868: 535 Incorrect authentication data (set_id=moe)
2019-08-12 09:11:53 dovecot_plain authenticator failed for ([201.150.22.159]) [201.150.22.159]:43977: 535 Incorrect authentication data ([email protected])
2019-08-12 09:12:00 dovecot_plain authenticator failed for 168-0-224-65.dynamic.telnetdns.com.br [168.0.224.65]:36557: 535 Incorrect authentication data (set_id=moe)
2019-08-12 10:38:13 dovecot_plain authenticator failed for ([191.53.237.246]) [191.53.237.246]:40878: 535 Incorrect authentication data ([email protected])
2019-08-12 10:38:21 dovecot_plain authenticator failed for ([191.53.254.71]) [191.53.254.71]:33871: 535 Incorrect authentication data (set_id=moe)
2019-08-12 11:31:11 dovecot_plain authenticator failed for ([191.53.239.169]) [191.53.239.169]:36109: 535 Incorrect authentication data ([email protected])
2019-08-12 11:31:19 dovecot_plain authenticator failed for ([191.53.221.37]) [191.53.221.37]:45831: 535 Incorrect authentication data (set_id=moe)
2019-08-12 12:15:48 dovecot_plain authenticator failed for ([177.36.43.83]) [177.36.43.83]:41043: 535 Incorrect authentication data ([email protected])
2019-08-12 12:15:55 dovecot_plain authenticator failed for ([177.21.128.158]) [177.21.128.158]:53345: 535 Incorrect authentication data (set_id=moe)
2019-08-12 13:13:37 dovecot_plain authenticator failed for ([191.53.197.186]) [191.53.197.186]:33798: 535 Incorrect authentication data ([email protected])
2019-08-12 13:13:45 dovecot_plain authenticator failed for ([179.108.245.189]) [179.108.245.189]:53582: 535 Incorrect authentication data (set_id=moe)
2019-08-12 14:08:46 dovecot_plain authenticator failed for ([186.216.153.194]) [186.216.153.194]:46824: 535 Incorrect authentication data ([email protected])
2019-08-12 14:08:53 dovecot_plain authenticator failed for ([177.92.245.134]) [177.92.245.134]:42220: 535 Incorrect authentication data (set_id=moe)
2019-08-12 15:40:45 dovecot_plain authenticator failed for ([177.92.245.46]) [177.92.245.46]:34233: 535 Incorrect authentication data (s[email protected])
2019-08-12 15:40:52 dovecot_plain authenticator failed for ([201.131.180.160]) [201.131.180.160]:38912: 535 Incorrect authentication data (set_id=moe)
2019-08-12 16:54:24 dovecot_plain authenticator failed for ([138.94.148.222]) [138.94.148.222]:59253: 535 Incorrect authentication data ([email protected])
2019-08-12 16:54:32 dovecot_plain authenticator failed for ([179.108.240.133]) [179.108.240.133]:38516: 535 Incorrect authentication data (set_id=moe)
2019-08-12 17:09:42 dovecot_plain authenticator failed for ([141.98.80.74]) [141.98.80.74]:22188: 535 Incorrect authentication data ([email protected])
2019-08-12 17:26:59 dovecot_plain authenticator failed for ([177.130.139.117]) [177.130.139.117]:40158: 535 Incorrect authentication data ([email protected])
2019-08-12 17:27:09 dovecot_plain authenticator failed for ([138.97.246.253]) [138.97.246.253]:46672: 535 Incorrect authentication data (set_id=moe)
2019-08-12 19:03:34 dovecot_plain authenticator failed for ([131.108.244.123]) [131.108.244.123]:54198: 535 Incorrect authentication data ([email protected])
2019-08-12 19:03:41 dovecot_plain authenticator failed for ([177.55.150.247]) [177.55.150.247]:53874: 535 Incorrect authentication data (set_id=moe)
2019-08-12 19:39:59 dovecot_plain authenticator failed for ([138.122.36.171]) [138.122.36.171]:53378: 535 Incorrect authentication data ([email protected])
2019-08-12 19:40:06 dovecot_plain authenticator failed for ([191.53.59.86]) [191.53.59.86]:54942: 535 Incorrect authentication data (set_id=moe)
2019-08-12 20:06:56 dovecot_plain authenticator failed for ([141.98.80.74]) [141.98.80.74]:59522: 535 Incorrect authentication data ([email protected])
2019-08-12 20:09:31 dovecot_plain authenticator failed for ([191.53.254.166]) [191.53.254.166]:43655: 535 Incorrect authentication data ([email protected])
2019-08-12 20:09:39 dovecot_plain authenticator failed for ([177.154.235.208]) [177.154.235.208]:44693: 535 Incorrect authentication data (set_id=moe)
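One way to pick out the pattern described above (the same local part retried from a second IP a few seconds later, once as a full address and once as a bare username) when reading exim_rejectlog. This is an added example, not code from the thread or from cPanel; the sample lines are constructed with documentation IPs and a placeholder domain, and the 30-second pairing window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in exim_rejectlog format (documentation IPs, placeholder domain).
# Lines 1-2 show the paired pattern from the thread; lines 3-4 are too far apart to pair.
SAMPLE_REJECTLOG = """\
2019-08-12 05:28:23 dovecot_plain authenticator failed for ([203.0.113.10]) [203.0.113.10]:49152: 535 Incorrect authentication data (set_id=moe@example.test)
2019-08-12 05:28:34 dovecot_plain authenticator failed for ([203.0.113.77]) [203.0.113.77]:55148: 535 Incorrect authentication data (set_id=moe)
2019-08-12 06:06:58 dovecot_plain authenticator failed for ([198.51.100.5]) [198.51.100.5]:54321: 535 Incorrect authentication data (set_id=alice@example.test)
2019-08-12 09:00:00 dovecot_plain authenticator failed for ([198.51.100.9]) [198.51.100.9]:33257: 535 Incorrect authentication data (set_id=alice)
"""

# Timestamp, authenticator name, the [ip]:port before the 535 status, and the set_id value.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<auth>\S+) authenticator failed for "
    r".*?\[(?P<ip>[\d.]+)\]:\d+: 535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
)


def parse_rejectlog(text):
    """Return a list of (timestamp, authenticator, remote_ip, set_id) for parseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["auth"], m["ip"], m["user"]))
    return events


def find_paired_attempts(events, window=timedelta(seconds=30)):
    """Return [(first, second)] where `second` retries the same local part (set_id with
    any @domain stripped) from a different IP within `window` of `first`."""
    by_local = defaultdict(list)
    for ev in events:
        by_local[ev[3].split("@")[0]].append(ev)
    pairs = []
    for evs in by_local.values():
        evs.sort()  # chronological order, so b[0] - a[0] is never negative
        for a, b in zip(evs, evs[1:]):
            if a[2] != b[2] and b[0] - a[0] <= window:
                pairs.append((a, b))
    return pairs
```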
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
Hello,

The blocks from cphulkd do indeed look like duplicates, though the output from the maillog does not look to be related. Is anything noted in the cPhulkd-related logs at /usr/local/cpanel/logs/?
 

summitscout

Member
Sep 7, 2007
Thanks, Lauren!

cphulkd.log shows entries are doubled as well. Quadrupled, even, since each entry is listed for each of two violations, and then both are doubled. See example set:

Code:
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.92.245.46] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Tue Aug 13 22:40:43 2019 UTC/Tue Aug 13 15:40:43 2019 LOCAL])
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.92.245.46] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.92.245.46] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Tue Aug 13 22:40:43 2019 UTC/Tue Aug 13 15:40:43 2019 LOCAL])
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.92.245.46] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 15:40:50 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[201.131.180.160] [Authentication Database]=[mail] [Username]=[moe] (1/3 failures) (blocked until [Tue Aug 13 22:40:50 2019 UTC/Tue Aug 13 15:40:50 2019 LOCAL])
[2019-08-12 15:40:50 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[201.131.180.160] [Authentication Database]=[mail] [Username]=[moe]
[2019-08-12 15:40:50 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[201.131.180.160] [Authentication Database]=[mail] [Username]=[moe] (1/3 failures) (blocked until [Tue Aug 13 22:40:50 2019 UTC/Tue Aug 13 15:40:50 2019 LOCAL])
[2019-08-12 15:40:50 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[201.131.180.160] [Authentication Database]=[mail] [Username]=[moe]
[2019-08-12 16:10:51 -0700] info [cPhulkd] DB processor shutdown via SIGTERM with pid 31487
[2019-08-12 16:10:51 -0700] info [cPhulkd] processor startup with pid 31096
[2019-08-12 16:10:51 -0700] info [cPhulkd] DB processor startup with pid 19654
[2019-08-12 16:54:22 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.94.148.222] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Tue Aug 13 23:54:22 2019 UTC/Tue Aug 13 16:54:22 2019 LOCAL])
[2019-08-12 16:54:22 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.94.148.222] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 16:54:22 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.94.148.222] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Tue Aug 13 23:54:22 2019 UTC/Tue Aug 13 16:54:22 2019 LOCAL])
[2019-08-12 16:54:22 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.94.148.222] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 16:54:30 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[179.108.240.133] [Authentication Database]=[mail] [Username]=[moe] (1/3 failures) (blocked until [Tue Aug 13 23:54:30 2019 UTC/Tue Aug 13 16:54:30 2019 LOCAL])
[2019-08-12 16:54:30 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[179.108.240.133] [Authentication Database]=[mail] [Username]=[moe]
[2019-08-12 16:54:30 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[179.108.240.133] [Authentication Database]=[mail] [Username]=[moe] (1/3 failures) (blocked until [Tue Aug 13 23:54:30 2019 UTC/Tue Aug 13 16:54:30 2019 LOCAL])
[2019-08-12 16:54:30 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[179.108.240.133] [Authentication Database]=[mail] [Username]=[moe]
[2019-08-12 17:09:40 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[141.98.80.74] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Wed Aug 14 00:09:40 2019 UTC/Tue Aug 13 17:09:40 2019 LOCAL])
[2019-08-12 17:09:40 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[141.98.80.74] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 17:09:40 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[141.98.80.74] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Wed Aug 14 00:09:40 2019 UTC/Tue Aug 13 17:09:40 2019 LOCAL])
[2019-08-12 17:09:40 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[141.98.80.74] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 17:26:57 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.130.139.117] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Wed Aug 14 00:26:57 2019 UTC/Tue Aug 13 17:26:57 2019 LOCAL])
[2019-08-12 17:26:57 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.130.139.117] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 17:26:57 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.130.139.117] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Wed Aug 14 00:26:57 2019 UTC/Tue Aug 13 17:26:57 2019 LOCAL])
[2019-08-12 17:26:57 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[177.130.139.117] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 17:27:07 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.97.246.253] [Authentication Database]=[mail] [Username]=[moe] (1/3 failures) (blocked until [Wed Aug 14 00:27:07 2019 UTC/Tue Aug 13 17:27:07 2019 LOCAL])
[2019-08-12 17:27:07 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.97.246.253] [Authentication Database]=[mail] [Username]=[moe]
[2019-08-12 17:27:07 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.97.246.253] [Authentication Database]=[mail] [Username]=[moe] (1/3 failures) (blocked until [Wed Aug 14 00:27:07 2019 UTC/Tue Aug 13 17:27:07 2019 LOCAL])
[2019-08-12 17:27:07 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[138.97.246.253] [Authentication Database]=[mail] [Username]=[moe]
[2019-08-12 19:03:32 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[131.108.244.123] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Wed Aug 14 02:03:32 2019 UTC/Tue Aug 13 19:03:32 2019 LOCAL])
[2019-08-12 19:03:32 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[131.108.244.123] [Authentication Database]=[mail] [Username]=[[email protected]]
[2019-08-12 19:03:32 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[131.108.244.123] [Authentication Database]=[mail] [Username]=[[email protected]] (1/3 failures) (blocked until [Wed Aug 14 02:03:32 2019 UTC/Tue Aug 13 19:03:32 2019 LOCAL])
[2019-08-12 19:03:32 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[131.108.244.123] [Authentication Database]=[mail] [Username]=[[email protected]]
Is this normal or abnormal?

Nearly the entire log looks this way – except for three early entries. That is possibly before I blacklisted a few countries. I don't recall when I enabled that. Is there a config record somewhere?
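One way to answer the "doubled, then quadrupled" question above from cphulkd.log itself: group "Login Blocked" lines by event and count, per block reason, how many times the same line was written, so two rules each firing once can be told apart from one line being logged twice. This is an added example, not cPanel's code; the sample lines are constructed in the format quoted in the post, with documentation IPs and a placeholder domain.

```python
import re
from collections import defaultdict

# Constructed sample in cphulkd.log format: one event logged under two rules, each line
# written twice (the symptom in the thread), one daemon line, and one clean single event.
SAMPLE_CPHULKD = """\
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[203.0.113.10] [Authentication Database]=[mail] [Username]=[moe@example.test] (1/3 failures) (blocked until [Tue Aug 13 22:40:43 2019 UTC/Tue Aug 13 15:40:43 2019 LOCAL])
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[203.0.113.10] [Authentication Database]=[mail] [Username]=[moe@example.test]
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[203.0.113.10] [Authentication Database]=[mail] [Username]=[moe@example.test] (1/3 failures) (blocked until [Tue Aug 13 22:40:43 2019 UTC/Tue Aug 13 15:40:43 2019 LOCAL])
[2019-08-12 15:40:43 -0700] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[203.0.113.10] [Authentication Database]=[mail] [Username]=[moe@example.test]
[2019-08-12 16:10:51 -0700] info [cPhulkd] DB processor startup with pid 19654
[2019-08-12 16:54:22 -0700] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[#.#.#.#] [Remote IP Address]=[198.51.100.5] [Authentication Database]=[mail] [Username]=[alice] (1/3 failures) (blocked until [Tue Aug 13 23:54:22 2019 UTC/Tue Aug 13 16:54:22 2019 LOCAL])
"""

# Timestamp, the block reason text, and the bracketed Service / Remote IP / Username fields.
BLOCK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] info \[cPhulkd\] Login Blocked: (?P<reason>.+?) "
    r"\[Service\]=\[(?P<service>[^\]]+)\].*?\[Remote IP Address\]=\[(?P<ip>[^\]]+)\]"
    r".*?\[Username\]=\[(?P<user>[^\]]+)\]"
)


def duplicate_report(text):
    """Return {(ts, service, remote_ip, username): {reason: copies}} for every
    'Login Blocked' line; daemon start/stop lines are skipped."""
    report = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m is None:
            continue
        key = (m["ts"], m["service"], m["ip"], m["user"])
        report[key][m["reason"]] += 1
    return {key: dict(reasons) for key, reasons in report.items()}


def duplicated_events(report):
    """Events where at least one reason was written more than once: the true duplicates,
    as opposed to events that merely matched two rules."""
    return sorted(key for key, reasons in report.items() if max(reasons.values()) > 1)
```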
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Hi @summitscout


This is definitely abnormal - country blocks shouldn't cause duplicates like this. Can you show me the output of the following:

Code:
ps faux |egrep 'cPhulk|queueprocd|tailwatch'
What do you mean by config record?
 

summitscout

Member
Sep 7, 2007
Output:
Bash:
[email protected] [~]# ps faux |egrep 'cPhulk|queueprocd|tailwatch'
root      1744  0.0  0.2  45160  8816 ?        S    Aug01   0:40 queueprocd - waiting up to 60s to process a task
root     20867  0.0  0.0 112712   952 pts/0    S+   13:46   0:00          \_ grep -E --color=auto cPhulk|queueprocd|tailwatch
root     31096  0.0  0.2 151464 11024 ?        S    Aug07   0:36 cPhulkd - processor
root     21047  0.0  0.2 151004 10292 ?        S    06:43   0:00  \_ cPhulkd - dbprocessor
root      6740  0.0  0.4  68844 17488 ?        S    Aug13   0:23 tailwatchd

By config record, I am wondering if the config file reflects the date and time it was changed – i.e. when I added the country blocks.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Hi @summitscout

Thanks for providing that; the output appears normal. At this point I'd suggest you open a ticket; you can do so using the link in my signature. Once it is open, please provide the ticket ID here so that we can update this thread with the outcome.


Thanks!
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Hi @summitscout


Thank you for that, I just checked in on the ticket and found that the analysts were unable to actively reproduce the issue and blocks were not being logged in duplicate at this time. If you do find that the behavior begins to present itself once more, before making any changes I'd suggest responding to the ticket.