The Community Forums


Get real IP for attack on IMAP?

Discussion in 'Security' started by speckados, Apr 28, 2016.

  1. speckados

    speckados Well-Known Member

    Joined:
    May 21, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Acequias :: Granada :: España
    cPanel Access Level:
    DataCenter Provider
    I see some failed auth attempts on IMAP.

    Code:
    cat /var/log/maillog|grep shipping
    Apr 28 16:35:13 hq dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user shipping
    Apr 28 17:43:44 hq dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user shipping
    Around that time there is no entry in the log for determining the IP.

    Only in /var/log/exim_mainlog do I get some:
    Code:
    2016-04-28 16:35:15 dovecot_login authenticator failed for localhost (HOSTNAME) [127.0.0.1]:58132: 535 Incorrect authentication data (set_id=shipping)
    2016-04-28 17:43:46 dovecot_login authenticator failed for localhost (HOSTNAME) [127.0.0.1]:58648: 535 Incorrect authentication data (set_id=shipping)
    Appreciate help.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The connection can come from localhost (127.0.0.1) in cases where the connection is made from a script that's uploaded to an account, or through Webmail. Do you have cPHulk brute force protection enabled? Do you notice any corresponding entries in /usr/local/cpanel/logs/access_log or in the Apache domain access logs that correspond with those login attempts?

    Thank you.
     
    quizknows likes this.
  3. speckados

    speckados Well-Known Member

    Hi.

    I don't see anything relevant for access at the same time or with the same user in /usr/local/cpanel/logs/access_log.

    I see too many different users on the system.

    Code:
    2016-04-30 20:04:24 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:39365: 535 Incorrect authentication data (set_id=billing)
    2016-04-30 20:17:30 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:49296: 535 Incorrect authentication data (set_id=library@mydomain.es)
    2016-04-30 20:23:55 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:53956: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
    2016-04-30 20:24:02 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:53984: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
    2016-04-30 20:24:13 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54041: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
    2016-04-30 20:24:31 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54202: 535 Incorrect authentication data (set_id=AB\023)
    2016-04-30 20:24:38 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54340: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
    2016-04-30 20:24:42 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54256: 535 Incorrect authentication data (set_id=AB\023)
    2016-04-30 20:24:45 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54383: 535 Incorrect authentication data (set_id=anaferreras@recuperaciones-mydomain.com)
    2016-04-30 20:26:10 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:55394: 535 Incorrect authentication data (set_id=postmaster@mydomain.net)
    2016-04-30 20:26:36 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:54428: 535 Incorrect authentication data
    2016-04-30 20:31:27 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60035: 535 Incorrect authentication data (set_id=katarina)
    2016-04-30 20:31:34 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60064: 535 Incorrect authentication data (set_id=katarina)
    2016-04-30 20:31:45 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60173: 535 Incorrect authentication data (set_id=katarina)
    2016-04-30 20:32:02 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60351: 535 Incorrect authentication data
    2016-04-30 20:32:13 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60426: 535 Incorrect authentication data
    2016-04-30 20:32:21 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60761: 535 Incorrect authentication data (set_id=katarina)
    2016-04-30 20:32:24 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60525: 535 Incorrect authentication data
    2016-04-30 20:32:28 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60805: 535 Incorrect authentication data (set_id=katarina)
    2016-04-30 20:34:26 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:32841: 535 Incorrect authentication data
    2016-04-30 20:39:52 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:39799: 535 Incorrect authentication data (set_id=library@mydomain.es)
    
    For the last one,
    cat /usr/local/cpanel/logs/access_log|grep "30/2016:20:39"
    returns an empty result.

    Appreciate help.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    What about in the domain access logs found under the /usr/local/apache/domlogs directory?

    Thank you.
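The correlation cPanelMichael is asking for (a dovecot_login failure from 127.0.0.1 matched against web requests in /usr/local/cpanel/logs/access_log or the Apache domlogs at the same moment) can be scripted rather than done by eye. The following is an added example, not code from the thread or from cPanel: it parses exim_mainlog failure lines of the kind quoted above and Apache combined-format request lines, then reports which client IP and URL path were hitting the web server within a few seconds of each loopback login failure. All log lines, IP addresses and paths in it are constructed samples (RFC 5737 documentation addresses), and it assumes exim_mainlog and the web logs are written in the same local time zone, so the domlog offset is dropped before comparing timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample exim_mainlog lines, in the same shape as the ones quoted in the thread.
EXIM_MAINLOG = """\
2016-04-30 20:31:27 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60035: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:31:34 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60064: 535 Incorrect authentication data (set_id=katarina)
2016-04-30 20:32:02 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:60351: 535 Incorrect authentication data
2016-04-30 20:39:52 dovecot_login authenticator failed for localhost (srv108.hostname.com) [127.0.0.1]:39799: 535 Incorrect authentication data (set_id=library@mydomain.es)
2016-04-30 20:40:10 SMTP connection from [203.0.113.9]:4123 closed by QUIT
"""

# Constructed sample Apache combined-format lines (the format used by domlogs;
# cPanel's access_log is assumed here to be parseable the same way).
DOMLOG = """\
198.51.100.23 - - [30/Apr/2016:20:31:26 +0200] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Apr/2016:20:31:33 +0200] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [30/Apr/2016:20:35:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47"
198.51.100.23 - - [30/Apr/2016:20:39:51 +0200] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# set_id is optional: some failures in the thread carry no user name at all.
EXIM_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed for '
    r'\S+ \([^)]*\) \[(?P<ip>[^\]]+)\]:(?P<port>\d+): 535 Incorrect authentication data'
    r'(?: \(set_id=(?P<user>[^)]*)\))?'
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_exim_failures(text):
    """Return (timestamp, source_ip, user) for every dovecot_login failure line."""
    failures = []
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
            failures.append((ts, m['ip'], m['user'] or '<none>'))
    return failures


def parse_apache_requests(text):
    """Return (timestamp, client_ip, method, path) for every request line."""
    requests = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            # Assumption: web log and exim log share one local zone, so the
            # numeric offset is parsed and then discarded for comparison.
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
            requests.append((ts, m['ip'], m['method'], m['path']))
    return requests


def correlate(failures, requests, window=timedelta(seconds=5)):
    """Map (client_ip, path) -> list of loopback login failures seen within +/- window."""
    hits = defaultdict(list)
    for fts, fip, user in failures:
        if fip != '127.0.0.1':
            continue  # a remote IMAP client already shows its real address in exim_mainlog
        for rts, rip, method, path in requests:
            if abs(rts - fts) <= window:
                hits[(rip, path)].append((fts, user))
    return hits


def suspect_sources(failures, requests, window=timedelta(seconds=5)):
    """Rank (count, client_ip, path) by how many loopback failures each one lines up with."""
    hits = correlate(failures, requests, window)
    return sorted(((len(v), ip, path) for (ip, path), v in hits.items()), reverse=True)


if __name__ == '__main__':
    fails = parse_exim_failures(EXIM_MAINLOG)
    reqs = parse_apache_requests(DOMLOG)
    for count, ip, path in suspect_sources(fails, reqs):
        print(f'{count} loopback auth failures within 5s of requests from {ip} to {path}')
```

On a real server the two text constants would be replaced by reading /var/log/exim_mainlog and the relevant file under /usr/local/apache/domlogs for the window in question; a path that keeps lining up with the failures points at the script (or webmail session) that is making the connections, which is what cPHulk's per-IP blocking cannot see when every attempt arrives from 127.0.0.1.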
     