Exim under attack:

Discussion in 'Security' started by sreeninair, Jun 13, 2014.

  1. sreeninair (Well-Known Member, cPanel Access Level: Root Administrator)

    Hello,

    One of my servers is under attack.

    Getting these messages in /var/log/messages

    Code:
    Jun 13 13:00:38 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': xxx.xxx.xxx.xxx#53
    Jun 13 13:00:39 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': 80.22.52.131#53
    Jun 13 13:00:39 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': 80.22.52.131#53
    Jun 13 13:00:39 same12 named[643048]: error (unexpected RCODE SERVFAIL) resolving 'host159-142-static.231-95-b.business.telecomitalia.it/A/IN': 217.169.119.68#53

    In exim_mainlog

    Code:
    2014-06-13 13:01:08 [274653] SMTP connection from [46.184.24.55]:46644 I=[77.23.252.110]:25 (TCP/IP connection count = 47)
    2014-06-13 13:01:08 [316718] SMTP connection from [119.195.107.122]:26056 I=[77.23.252.110]:25 lost
    2014-06-13 13:01:08 [316718] no MAIL in SMTP connection from [119.195.107.122]:26056 I=[77.23.252.110]:25 D=6s
    2014-06-13 13:01:08 [316808] no host name found for IP address 46.184.24.55
    2014-06-13 13:01:08 [316808] list matching forced to fail: failed to find host name for 46.184.24.55
    2014-06-13 13:01:08 [316808] list matching forced to fail: failed to find host name for 46.184.24.55
    2014-06-13 13:01:08 [313777] SMTP command timeout on connection from 41.252.83.52.adsl.zs2.dynamic.ltt.ly [41.252.83.52]:59709 I=[77.23.252.110]:25
    2014-06-13 13:01:08 [274653] SMTP connection from [162.233.227.161]:2223 I=[77.23.252.110]:25 (TCP/IP connection count = 46)
    2014-06-13 13:01:08 [274653] SMTP connection from [93.64.242.27]:50541 I=[77.23.252.110]:25 (TCP/IP connection count = 47)
    2014-06-13 13:01:08 [274653] SMTP connection from [187.54.174.61]:3329 I=[77.23.252.110]:25 (TCP/IP connection count = 48)
    2014-06-13 13:01:08 [316747] SMTP connection from [203.124.39.69]:47877 I=[77.23.252.110]:25 lost
    2014-06-13 13:01:08 [316747] no MAIL in SMTP connection from [203.124.39.69]:47877 I=[77.23.252.110]:25 D=6s
    2014-06-13 13:01:08 [274653] SMTP connection from [186.129.45.174]:21769 I=[77.23.252.110]:25 (TCP/IP connection count = 48)
    2014-06-13 13:01:08 [274653] SMTP connection from [182.55.247.210]:61522 I=[77.23.252.110]:25 (TCP/IP connection count = 49)
    2014-06-13 13:01:08 [316757] SMTP connection from [2.146.254.164]:1712 I=[77.23.252.110]:25 lost
    2014-06-13 13:01:08 [316757] no MAIL in SMTP connection from [2.146.254.164]:1712 I=[77.23.252.110]:25 D=5s
    2014-06-13 13:01:08 [316813] no host name found for IP address 182.55.247.210

    There is no load issue on the server.

    Code:
    ============
    
    root@00112 [~]# netstat -plan | grep :53 | wc -l
    64
    root@00112 [~]# 
    root@00112 [~]# 
    root@00112 [~]# netstat -plan | grep :25 | wc -l
    108
    root@00112 [~]# 
    =============
    Thanks
    Sreeni
     
  2. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

  3. sreeninair (Well-Known Member, cPanel Access Level: Root Administrator)

    Hello cPanelMichael,

    It is not from a single ip.

    Thanks
    Sreeni
     
  4. cPanelPeter (Technical Analyst III, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    CSF, in conjunction with LFD, may still help, as it blocks IP addresses based on strings found in the log files.
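The exim_mainlog excerpt in the first post shows the pattern LFD keys on: many short SMTP connections that close without ever issuing MAIL ("no MAIL in SMTP connection", "SMTP command timeout", connection "lost"), often from addresses with no reverse DNS. The SERVFAIL lines in /var/log/messages are consistent with named doing the forward (A) lookups that Exim's host-name verification triggers for each connecting client. What follows is an added example, not code from the thread, from cPanel or from CSF/LFD: a Python script that applies the same idea as LFD's log-string matching, scoring each client IP from those log strings and listing the ones that cross a threshold. The weights, the threshold and the sample log lines are this example's own choices (the sample uses documentation address ranges, not the thread's real IPs); the only CSF-specific assumption is the `csf -d IP comment` form for a permanent deny, which the script prints for an admin to review rather than running it.

```python
"""Added example (not CSF/LFD code, not from the thread): score SMTP clients
from exim_mainlog lines the way LFD's log-string matching does, then list the
IPs that cross a threshold. The log lines below are constructed for this
example and use documentation address ranges, not the thread's real IPs.
"""
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Exim logs the client as "hostname [ip]:port", or just "[ip]:port" when the
# reverse lookup failed, so the hostname part is optional in every pattern.
CLIENT = r"(?:\S+ )?\[" + IP + r"\]"

# event name -> (regex, weight). The weights are this example's own choice:
# a connection that opens and closes without MAIL FROM counts against the IP;
# a message actually accepted ("<=") counts strongly in its favour.
PATTERNS = {
    "connect":  (re.compile(r"SMTP connection from " + CLIENT
                            + r":\d+ I=\S+ \(TCP/IP connection count = \d+\)"), 0),
    "lost":     (re.compile(r"SMTP connection from " + CLIENT + r":\d+ I=\S+ lost$"), 1),
    "no_mail":  (re.compile(r"no MAIL in SMTP connection from " + CLIENT), 2),
    "timeout":  (re.compile(r"SMTP command timeout on connection from " + CLIENT), 2),
    "accepted": (re.compile(r" <= \S+ H=" + CLIENT), -5),
}
NO_RDNS = re.compile(r"no host name found for IP address " + IP + r"$")

# Constructed sample in exim_mainlog format: one probing client with no rDNS
# (198.51.100.7), one single timeout (203.0.113.9), one real sender that has
# a message accepted after an earlier aborted session (203.0.113.10).
SAMPLE_LOG = """\
2014-06-13 13:01:08 [274653] SMTP connection from [198.51.100.7]:46644 I=[192.0.2.25]:25 (TCP/IP connection count = 47)
2014-06-13 13:01:08 [316808] no host name found for IP address 198.51.100.7
2014-06-13 13:01:14 [316808] SMTP connection from [198.51.100.7]:46644 I=[192.0.2.25]:25 lost
2014-06-13 13:01:14 [316808] no MAIL in SMTP connection from [198.51.100.7]:46644 I=[192.0.2.25]:25 D=6s
2014-06-13 13:01:20 [316820] SMTP connection from [198.51.100.7]:46701 I=[192.0.2.25]:25 (TCP/IP connection count = 48)
2014-06-13 13:01:26 [316820] no MAIL in SMTP connection from [198.51.100.7]:46701 I=[192.0.2.25]:25 D=6s
2014-06-13 13:01:30 [313777] SMTP command timeout on connection from host.example.net [203.0.113.9]:59709 I=[192.0.2.25]:25
2014-06-13 13:01:40 [274653] SMTP connection from mail.example.org [203.0.113.10]:4321 I=[192.0.2.25]:25 (TCP/IP connection count = 49)
2014-06-13 13:01:41 [316830] no MAIL in SMTP connection from mail.example.org [203.0.113.10]:4321 I=[192.0.2.25]:25 D=1s
2014-06-13 13:01:55 1WvABC-0001Ab-Cd <= alice@example.org H=mail.example.org [203.0.113.10] P=esmtp S=2048
"""


def score_clients(lines):
    """Return {ip: {"score": int, "events": {name: count}, "rdns_failed": bool}}."""
    clients = defaultdict(lambda: {"score": 0, "events": defaultdict(int),
                                   "rdns_failed": False})
    for line in lines:
        m = NO_RDNS.search(line)
        if m:
            clients[m.group(1)]["rdns_failed"] = True
            continue
        for name, (rx, weight) in PATTERNS.items():
            m = rx.search(line)
            if m:
                entry = clients[m.group(1)]
                entry["events"][name] += 1
                entry["score"] += weight
                break
    # Return plain dicts so callers cannot create entries by accident.
    return {ip: {"score": c["score"], "events": dict(c["events"]),
                 "rdns_failed": c["rdns_failed"]} for ip, c in clients.items()}


def block_candidates(clients, threshold=4):
    """IPs whose score reaches the threshold, highest score first."""
    return sorted((ip for ip, c in clients.items() if c["score"] >= threshold),
                  key=lambda ip: (-clients[ip]["score"], ip))


def csf_deny_commands(ips, comment="exim probe"):
    """Commands for an admin to review before running; `csf -d IP comment`
    adds a permanent deny entry in CSF (assumed syntax, not verified here)."""
    return [f'csf -d {ip} "{comment}"' for ip in ips]


if __name__ == "__main__":
    clients = score_clients(SAMPLE_LOG.splitlines())
    for ip in block_candidates(clients):
        c = clients[ip]
        print(f"{ip}: score={c['score']} events={c['events']} "
              f"rdns_failed={c['rdns_failed']}")
    print("\n".join(csf_deny_commands(block_candidates(clients))))
```

Run it against a real log with `score_clients(open("/var/log/exim_mainlog"))`, ideally on a recent tail of the file rather than the whole thing. The negative weight on an accepted message is what keeps a legitimate relay that occasionally drops a session (203.0.113.10 in the sample) off the list while a client that never gets past the banner (198.51.100.7) climbs past the threshold; LFD's own thresholds and regexes live in its configuration and differ from the ones chosen here.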
     