
Exim under attack:

Discussion in 'Security' started by sreeninair, Jun 13, 2014.

  1. sreeninair

    sreeninair Well-Known Member

    Joined:
    Dec 23, 2013
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello,

    One of my servers is under attack.

    Getting these messages in /var/log/messages

    Code:
    Jun 13 13:00:38 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': xxx.xxx.xxx.xxx#53
    Jun 13 13:00:39 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': 80.22.52.131#53
    Jun 13 13:00:39 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': 80.22.52.131#53
    Jun 13 13:00:39 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': 217.169.119.68#53

    In exim_mainlog

    Code:
    2014-06-13 13:01:08 [274653] SMTP connection from [46.184.24.55]:46644 I=[77.23.252.110]:25 (TCP/IP connection count = 47)
    2014-06-13 13:01:08 [316718] SMTP connection from [119.195.107.122]:26056 I=[77.23.252.110]:25 lost
    2014-06-13 13:01:08 [316718] no MAIL in SMTP connection from [119.195.107.122]:26056 I=[77.23.252.110]:25 D=6s
    2014-06-13 13:01:08 [316808] no host name found for IP address 46.184.24.55
    2014-06-13 13:01:08 [316808] list matching forced to fail: failed to find host name for 46.184.24.55
    2014-06-13 13:01:08 [316808] list matching forced to fail: failed to find host name for 46.184.24.55
    2014-06-13 13:01:08 [313777] SMTP command timeout on connection from 41.252.83.52.adsl.zs2.dynamic.ltt.ly [41.252.83.52]:59709 I=[77.23.252.110]:25
    2014-06-13 13:01:08 [274653] SMTP connection from [162.233.227.161]:2223 I=[77.23.252.110]:25 (TCP/IP connection count = 46)
    2014-06-13 13:01:08 [274653] SMTP connection from [93.64.242.27]:50541 I=[77.23.252.110]:25 (TCP/IP connection count = 47)
    2014-06-13 13:01:08 [274653] SMTP connection from [187.54.174.61]:3329 I=[77.23.252.110]:25 (TCP/IP connection count = 48)
    2014-06-13 13:01:08 [316747] SMTP connection from [203.124.39.69]:47877 I=[77.23.252.110]:25 lost
    2014-06-13 13:01:08 [316747] no MAIL in SMTP connection from [203.124.39.69]:47877 I=[77.23.252.110]:25 D=6s
    2014-06-13 13:01:08 [274653] SMTP connection from [186.129.45.174]:21769 I=[77.23.252.110]:25 (TCP/IP connection count = 48)
    2014-06-13 13:01:08 [274653] SMTP connection from [182.55.247.210]:61522 I=[77.23.252.110]:25 (TCP/IP connection count = 49)
    2014-06-13 13:01:08 [316757] SMTP connection from [2.146.254.164]:1712 I=[77.23.252.110]:25 lost
    2014-06-13 13:01:08 [316757] no MAIL in SMTP connection from [2.146.254.164]:1712 I=[77.23.252.110]:25 D=5s
    2014-06-13 13:01:08 [316813] no host name found for IP address 182.55.247.210

    There is no load issue in the server.

    Code:
    ============
    
    root@00112 [~]# netstat -plan | grep :53 | wc -l
    64
    root@00112 [~]# 
    root@00112 [~]# 
    root@00112 [~]# netstat -plan | grep :25 | wc -l
    108
    root@00112 [~]# 
    =============
    Thanks
    Sreeni
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,855
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you considered blocking the offending IP address with a firewall management utility such as CSF?

    Thank you.
     
  3. sreeninair

    sreeninair Well-Known Member

    Joined:
    Dec 23, 2013
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello cPanelMichael,

    It is not from a single IP.

    Thanks
    Sreeni
     
  4. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    575
    Likes Received:
    20
    Trophy Points:
    93
    cPanel Access Level:
    Root Administrator
    Hello,

    CSF, in conjunction with LFD, may still help, as it blocks IP addresses based on strings found in the log files.
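An added example, not code from this thread or from cPanel, Exim, CSF or LFD: a small Python tally over the exim_mainlog lines quoted in the first post. It shows the per-IP view that LFD-style log-string rules act on, and a per-window count of distinct idle sources, which is what makes a flood spread across many IPs visible when each IP appears only once (the "not from a single ip" case). Function names and the 60-second window are my assumptions.

```python
# Added for this thread (hypothetical helper, not part of cPanel, Exim, CSF or LFD): tally flood indicators in exim_mainlog.
import re
from collections import Counter, defaultdict
from datetime import datetime

# One pattern per line shape quoted in the thread; a hostname before the bracketed IP is optional.
EVENT_PATTERNS = [
    ("no_mail", re.compile(r"no MAIL in SMTP connection from (?:\S+ )?\[(?P<ip>[\d.]+)\]")),
    ("timeout", re.compile(r"SMTP command timeout on connection from (?:\S+ )?\[(?P<ip>[\d.]+)\]")),
    ("connect", re.compile(r"SMTP connection from (?:\S+ )?\[(?P<ip>[\d.]+)\]:\d+ I=\S+ \(TCP/IP connection count = \d+\)$")),
]
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")
IDLE = ("no_mail", "timeout")  # connected but never got as far as MAIL FROM

def parse_line(line):
    """Return (timestamp, event, ip) for a recognised line, or None for anything else."""
    ts = TS_RE.match(line)
    for event, rx in EVENT_PATTERNS if ts else ():
        m = rx.search(line)
        if m:
            return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), event, m.group("ip")
    return None

def per_ip_counts(lines):
    """ip -> Counter of events: the per-source view that LFD-style log-string rules act on."""
    counts = defaultdict(Counter)
    for _, event, ip in filter(None, map(parse_line, lines)):
        counts[ip][event] += 1
    return counts

def block_candidates(counts, min_idle):
    """IPs whose idle-connection events reach min_idle, sorted for stable output."""
    return sorted(ip for ip, c in counts.items() if sum(c[e] for e in IDLE) >= min_idle)

def idle_sources_per_window(lines, window_s=60):
    """Window start (epoch seconds) -> distinct IPs with idle connections in that window.
    A spread-out flood shows up here even when each IP appears only once, which a per-IP threshold never reaches."""
    buckets = defaultdict(set)
    for ts, event, ip in filter(None, map(parse_line, lines)):
        if event in IDLE:
            buckets[int(ts.timestamp()) // window_s * window_s].add(ip)
    return {start: len(ips) for start, ips in buckets.items()}

# Lines copied from the exim_mainlog excerpt in the first post.
SAMPLE = """\
2014-06-13 13:01:08 [274653] SMTP connection from [46.184.24.55]:46644 I=[77.23.252.110]:25 (TCP/IP connection count = 47)
2014-06-13 13:01:08 [316718] no MAIL in SMTP connection from [119.195.107.122]:26056 I=[77.23.252.110]:25 D=6s
2014-06-13 13:01:08 [313777] SMTP command timeout on connection from 41.252.83.52.adsl.zs2.dynamic.ltt.ly [41.252.83.52]:59709 I=[77.23.252.110]:25
2014-06-13 13:01:08 [316747] no MAIL in SMTP connection from [203.124.39.69]:47877 I=[77.23.252.110]:25 D=6s
2014-06-13 13:01:08 [316757] no MAIL in SMTP connection from [2.146.254.164]:1712 I=[77.23.252.110]:25 D=5s
""".splitlines()
```

On the quoted excerpt, a per-IP threshold of 2 idle events blocks nothing, while the window view reports four distinct idle sources in the same minute, which is the signal worth alerting on for this kind of traffic.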
     