Established connection by rogue IP

[jeffschips]

When I run
lsof | grep ">"

imap-logi 967 dovenull 20u IPv4 20446 0t0 TCP xxxx.xxxxxxx.com:imap->145.185.xxx.xx.dyn.plus.net:62222 (ESTABLISHED)
imap-logi 967 dovenull 22u IPv4 25060 0t0 TCP bxxxx.xxxxxxx.com:imap->145.185.xxx.xx.dyn.plus.net:62225 (ESTABLISHED)

this connection is always active.

The IP is not associated with my system.

If it's of any help I am also getting more frequent notices about spamd excessive usage from csf.

Any ideas?

 

[keat63]

Could this just be an end user connected to imap email ?

 

[jeffschips]

that's what I thought but only I have imap/email accounts on the server and the ip's are none of those I use. Maybe that's someone attempting brute force? If that was the case though I would recieve a brute force message, which I'm not receiving. Plus, the connection lasts a long time.

 

[cPanelAaronH]

Hey there,

I would grep the mail log file in /var/log/maillog

grep 145.185 /var/log/maillog

The cPanel & WHM Log Files | cPanel & WHM Documentation

This document describes the location of all of the log files in cPanel & WHM, Webmail, and MySQL®. This document also provides examples of each log file.

docs.cpanel.net

This does seem like it's a user connecting. If that's not an IP you're familiar with, I would consider blocking the IP through CSF or Cphulk.

 

[jeffschips]

SOLVED: Thanks that works. It's important to remember that if the logs show a connection (established) but not authenticated, it would appear that no results are returned from this command.

This command only returns those that are both established AND authenticated.

Correct?

 

[cPRex]

@jeffschips - can you let me know what you mean when you say "the command" ? Are you referring to the initial lsof of the search of /var/log/maillog?