Established connection by rogue IP

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
When I run
lsof | grep ">"

imap-logi 967 dovenull 20u IPv4 20446 0t0 TCP xxxx.xxxxxxx.com:imap->145.185.xxx.xx.dyn.plus.net:62222 (ESTABLISHED)
imap-logi 967 dovenull 22u IPv4 25060 0t0 TCP bxxxx.xxxxxxx.com:imap->145.185.xxx.xx.dyn.plus.net:62225 (ESTABLISHED)

this connection is always active.

The IP is not associated with my system.

If it's of any help I am also getting more frequent notices about spamd excessive usage from csf.

Any ideas?
 

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
That's what I thought, but only I have IMAP/email accounts on the server and the IPs are none of those I use. Maybe that's someone attempting brute force? If that was the case, though, I would receive a brute force message, which I'm not receiving. Plus, the connection lasts a long time.
 

cPanelAaronH

Well-Known Member
Staff member
Dec 31, 2014
Houston Texas
cPanel Access Level
Root Administrator
Hey there,

I would grep the mail log file in /var/log/maillog

Code:
grep 145.185 /var/log/maillog

This does seem like it's a user connecting. If that's not an IP you're familiar with, I would consider blocking the IP through CSF or Cphulk.
 

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
SOLVED: Thanks, that works. It's important to remember that if the logs show a connection (established) but not authenticated, it would appear that no results are returned from this command.

This command only returns those that are both established AND authenticated.

Correct?
 
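To make the lsof check from the first post and the maillog grep from the reply repeatable, here is a small Python script added as an example; it was not posted by any participant in the thread. It parses `lsof -i -n -P` output for established connections to the IMAP ports, then looks up each remote IP in Dovecot-style maillog lines so that authenticated sessions can be told apart from connections that were established but never logged in (the case raised in the last post, where a plain grep for logins shows nothing). The lsof lines and maillog lines embedded below are constructed samples using documentation IP ranges, not the thread's hosts; the regular expressions assume Dovecot's `imap-login:` message wording and would need adjusting for another mail server or log format.

```python
import re
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output (not the thread's real output).
# -n and -P keep addresses and ports numeric, which makes correlation with
# the rip= field in the mail log straightforward.
LSOF_SAMPLE = """\
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
imap-logi  967 dovenull  20u  IPv4  20446      0t0  TCP 203.0.113.10:143->198.51.100.7:62222 (ESTABLISHED)
imap-logi  967 dovenull  22u  IPv4  25060      0t0  TCP 203.0.113.10:143->198.51.100.7:62225 (ESTABLISHED)
imap-logi  968 dovenull  21u  IPv4  25070      0t0  TCP 203.0.113.10:993->192.0.2.44:51000 (ESTABLISHED)
sshd      1200     root   3u  IPv4  11000      0t0  TCP 203.0.113.10:22->192.0.2.9:40001 (ESTABLISHED)
"""

# Constructed sample of /var/log/maillog lines, modelled on Dovecot's
# imap-login messages (assumed format; adjust the regexes for other servers).
MAILLOG_SAMPLE = """\
Jun  5 10:01:02 host dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, mpid=4321, TLS
Jun  5 10:02:10 host dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=198.51.100.7, lip=203.0.113.10
Jun  5 10:03:00 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10
"""

IMAP_PORTS = {"143", "993"}  # imap and imaps

# command, pid, local port, remote IPv4 address, remote port of an ESTABLISHED TCP socket
CONN_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+.*?TCP\s+\S+:(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\(ESTABLISHED\)"
)
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]*)>.*?rip=(\S+?),")
FAIL_RE = re.compile(r"imap-login: Disconnected \(auth failed, (\d+) attempts? in .*?rip=(\S+?),")
NOAUTH_RE = re.compile(r"imap-login: Disconnected \(no auth attempts .*?rip=(\S+?),")


def parse_established(lsof_text):
    """Map remote IP -> list of (command, pid, remote port) for established IMAP sockets."""
    conns = defaultdict(list)
    for line in lsof_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # header line or non-TCP/non-established entry
        proc, pid, lport, rip, rport = m.groups()
        if lport in IMAP_PORTS:
            conns[rip].append((proc, int(pid), int(rport)))
    return dict(conns)


def parse_maillog(log_text):
    """Map remote IP -> successful logins, failed-auth attempt count, no-auth disconnects."""
    stats = defaultdict(lambda: {"logins": set(), "failed": 0, "noauth": 0})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            stats[m.group(2)]["logins"].add(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m:
            stats[m.group(2)]["failed"] += int(m.group(1))
            continue
        m = NOAUTH_RE.search(line)
        if m:
            stats[m.group(1)]["noauth"] += 1
    return dict(stats)


def review_connections(lsof_text, log_text, known_ips=frozenset()):
    """Join the two views: one row per remote IP with an established IMAP socket."""
    conns = parse_established(lsof_text)
    stats = parse_maillog(log_text)
    report = []
    for rip, sockets in sorted(conns.items()):
        s = stats.get(rip, {"logins": set(), "failed": 0, "noauth": 0})
        if s["logins"]:
            verdict = "authenticated"
        elif s["failed"] or s["noauth"]:
            verdict = "established, never authenticated"
        else:
            verdict = "established, no login/disconnect entry yet"
        report.append({
            "rip": rip,
            "sockets": len(sockets),
            "known": rip in known_ips,          # operator-supplied list of expected client IPs
            "users": sorted(s["logins"]),
            "failed_attempts": s["failed"],
            "no_auth_disconnects": s["noauth"],
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in review_connections(LSOF_SAMPLE, MAILLOG_SAMPLE, known_ips={"192.0.2.44"}):
        flag = "" if row["known"] else "  <-- not a known client IP"
        print(f"{row['rip']:16} sockets={row['sockets']} {row['verdict']}{flag}")
```

On a live host you would feed `review_connections` the captured output of `lsof -i -n -P` and the contents of `/var/log/maillog`, and pass the IPs you actually use as `known_ips`. An address that holds sockets open but only ever produces "no auth attempts" or "auth failed" disconnects is exactly the case the grep for logins misses, and it is what you would then take to CSF or cPHulk for blocking.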