Help!! We are under attack! Maybe DDoS??

Discussion in 'Data Protection' started by altomarketing2, Aug 8, 2011.

  1. altomarketing2

    altomarketing2 Well-Known Member

    3 of our servers increased the load, so we tail -50 our exim_mainlog and we see:

    HTML:
    2011-08-08 12:41:56 courier_login authenticator failed for (santos-PC) [186.215.40.232]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for (servcurso) [189.83.22.147]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for 189-041-107-164.xd-dynamic.ctbcnetsuper.com.br (jepneus03) [189.41.107.164]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for (santos-PC) [186.215.40.232]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for (paradise_pc) [200.77.21.116]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:57 courier_login authenticator failed for (Anderson-PC) [177.25.28.175]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:57 courier_login authenticator failed for (servcurso) [189.83.22.147]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:58 courier_login authenticator failed for 80-178-114-200.fibertel.com.ar (Server) [200.114.178.80]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:58 courier_login authenticator failed for 80-178-114-200.fibertel.com.ar (Server) [200.114.178.80]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:59 courier_login authenticator failed for (marcia-5ac49c0f) [189.13.205.150]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:59 courier_login authenticator failed for (paradise_pc) [200.77.21.116]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:59 courier_login authenticator failed for (CAJA) [190.24.245.217]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (marcia-5ac49c0f) [189.13.205.150]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (Agromix_PC) [200.125.109.19]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (Agromix_PC) [200.125.109.19]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (CAJA) [190.24.245.217]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (desktop) [190.189.29.180]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:01 courier_login authenticator failed for (desktop) [190.189.29.180]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:01 courier_login authenticator failed for 189-69-129-174.dial-up.telesp.net.br (gustavo-PC) [189.69.129.174]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:02 courier_login authenticator failed for (Hernan-PC) [190.29.5.57]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:03 courier_login authenticator failed for (Hernan-PC) [190.29.5.57]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:03 courier_login authenticator failed for 189-69-129-174.dial-up.telesp.net.br (gustavo-PC) [189.69.129.174]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:07 courier_login authenticator failed for 20158169060.user.veloxzone.com.br (user) [201.58.169.60]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:08 courier_login authenticator failed for 20158169060.user.veloxzone.com.br (user) [201.58.169.60]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:08 courier_login authenticator failed for (SECRETARIA) [186.115.239.68]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:08 courier_login authenticator failed for (asr-c9a45cb6f98) [187.119.111.113]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (auxcompras) [200.6.177.118]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (SECRETARIA) [186.115.239.68]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (Omar) [190.55.159.183]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (Omar) [190.55.159.183]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (asr-c9a45cb6f98) [187.119.111.113]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    As you can see, we are having several sending tries from different countries/IPs. How can I stop them?

    We have csf-lfd installed, and cliente@customer.net.ar (example) is the email that they are trying to use to send spam; it is a valid email on this server.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Is CSF perm blocking these fails? If this was indeed a DDoS attack, you won't have much luck on your end stopping it; you'll need to contact your DC for assistance.
     
  3. altomarketing2

    altomarketing2 Well-Known Member

    CSF is temporarily blocking this as we configured it; should we change it?

    As we have our own rack in DC, they don't give us so much help... I will
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Sure they will, ask them. All traffic goes through their hardware. Temp block should be changed to perm block, yes, of course.
     
  5. jhonnyweb

    jhonnyweb Registered

    Hello altomarketing2, I am having a problem very similar to yours, and I would like to know what solution you found for it!!

    Many thanks in advance! ;)

    Regards
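
Added example (not part of any post in this thread, and not cPanel or CSF code): a Python script that groups `authenticator failed` lines in the exim_mainlog format quoted in the first post by targeted account and source IP, showing how many sources that each make only a few attempts can stay under a per-IP blocking threshold. The sample log lines, the `summarize` function and both thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the exim_mainlog format quoted in the first post
# (documentation IP ranges and example.com; not data from the thread).
SAMPLE_LOG = """\
2011-08-08 12:41:56 courier_login authenticator failed for (pc-a) [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)
2011-08-08 12:41:56 courier_login authenticator failed for (pc-b) [192.0.2.11]: 535 Incorrect authentication data (set_id=user@example.com)
2011-08-08 12:41:57 courier_login authenticator failed for host.example.net (pc-c) [198.51.100.7]: 535 Incorrect authentication data (set_id=user@example.com)
2011-08-08 12:41:57 courier_login authenticator failed for (pc-a) [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)
2011-08-08 12:41:58 courier_login authenticator failed for (pc-d) [203.0.113.5]: 535 Incorrect authentication data (set_id=user@example.com)
2011-08-08 12:42:01 courier_login authenticator failed for (srv) [203.0.113.99]: 535 Incorrect authentication data (set_id=other@example.com)
2011-08-08 12:42:02 courier_login authenticator failed for (srv) [203.0.113.99]: 535 Incorrect authentication data (set_id=other@example.com)
2011-08-08 12:42:03 courier_login authenticator failed for (srv) [203.0.113.99]: 535 Incorrect authentication data (set_id=other@example.com)
2011-08-08 12:42:04 H=(pc-a) [192.0.2.10] rejected RCPT <x@example.org>: relay not permitted
"""

# The optional reverse-DNS name and the (HELO) string precede the bracketed IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 .*\(set_id=(?P<user>[^)]*)\)"
)

def summarize(log_text, per_ip_trigger=5, distributed_min_ips=4):
    """Group failed SMTP AUTH attempts by targeted account (set_id) and source IP."""
    by_user = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # any other kind of exim log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        by_user[m["user"]][m["ip"]].append(ts)
    report = {}
    for user, ips in by_user.items():
        counts = {ip: len(stamps) for ip, stamps in ips.items()}
        stamps = [t for per_ip in ips.values() for t in per_ip]
        report[user] = {
            "failures": len(stamps),
            "distinct_ips": len(counts),
            "window_s": (max(stamps) - min(stamps)).total_seconds(),
            # Sources that an assumed per-IP failure threshold would catch.
            "ips_over_trigger": sorted(ip for ip, n in counts.items() if n >= per_ip_trigger),
            # Many sources hitting one account: the pattern in the quoted log.
            "distributed": len(counts) >= distributed_min_ips,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, per_ip_trigger=3))
```

An account reported with `distributed` true and an empty `ips_over_trigger` is being tried from many addresses that each stay below the per-IP count, so the per-account view is the one that shows the activity.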
     