Help!! We are under attack! Maybe DDoS??

Discussion in 'Data Protection' started by altomarketing2, Aug 8, 2011.

  1. altomarketing2

    altomarketing2 Well-Known Member

    Joined:
    Oct 8, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    SouthAmerica
    3 of our servers increased the load, so we tail -50 our exim_mainlog and we see:

    HTML:
    2011-08-08 12:41:56 courier_login authenticator failed for (santos-PC) [186.215.40.232]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for (servcurso) [189.83.22.147]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for 189-041-107-164.xd-dynamic.ctbcnetsuper.com.br (jepneus03) [189.41.107.164]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for (santos-PC) [186.215.40.232]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:56 courier_login authenticator failed for (paradise_pc) [200.77.21.116]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:57 courier_login authenticator failed for (Anderson-PC) [177.25.28.175]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:57 courier_login authenticator failed for (servcurso) [189.83.22.147]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:58 courier_login authenticator failed for 80-178-114-200.fibertel.com.ar (Server) [200.114.178.80]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:58 courier_login authenticator failed for 80-178-114-200.fibertel.com.ar (Server) [200.114.178.80]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:59 courier_login authenticator failed for (marcia-5ac49c0f) [189.13.205.150]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:59 courier_login authenticator failed for (paradise_pc) [200.77.21.116]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:41:59 courier_login authenticator failed for (CAJA) [190.24.245.217]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (marcia-5ac49c0f) [189.13.205.150]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (Agromix_PC) [200.125.109.19]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (Agromix_PC) [200.125.109.19]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (CAJA) [190.24.245.217]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:00 courier_login authenticator failed for (desktop) [190.189.29.180]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:01 courier_login authenticator failed for (desktop) [190.189.29.180]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:01 courier_login authenticator failed for 189-69-129-174.dial-up.telesp.net.br (gustavo-PC) [189.69.129.174]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:02 courier_login authenticator failed for (Hernan-PC) [190.29.5.57]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:03 courier_login authenticator failed for (Hernan-PC) [190.29.5.57]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:03 courier_login authenticator failed for 189-69-129-174.dial-up.telesp.net.br (gustavo-PC) [189.69.129.174]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:07 courier_login authenticator failed for 20158169060.user.veloxzone.com.br (user) [201.58.169.60]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:08 courier_login authenticator failed for 20158169060.user.veloxzone.com.br (user) [201.58.169.60]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:08 courier_login authenticator failed for (SECRETARIA) [186.115.239.68]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:08 courier_login authenticator failed for (asr-c9a45cb6f98) [187.119.111.113]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (auxcompras) [200.6.177.118]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (SECRETARIA) [186.115.239.68]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (Omar) [190.55.159.183]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (Omar) [190.55.159.183]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    2011-08-08 12:42:09 courier_login authenticator failed for (asr-c9a45cb6f98) [187.119.111.113]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
    As you can see, we are having several sending tries from different countries/IPs. How can I stop them?

    We have csf-lfd installed, and cliente@customer.net.ar (example) is the email that they are trying to use to send spam; it is a valid email on this server.
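
Added example (not part of the original post, and not cPanel or CSF code): a short Python pass over failure lines like the ones above, grouping by the targeted set_id and counting distinct source addresses. It separates this thread's pattern, many sources with one or two failures each, from a single noisy source; the thresholds, the 192.0.2.10 lines and the info@example.org account are assumptions made for the sample.

```python
import re
from collections import Counter, defaultdict

# Failure format from the exim_mainlog excerpt in the post above. The HELO name
# is client-supplied, so the address is taken from the bracket just before ": 535".
FAIL_RE = re.compile(
    r"^\S+ \S+ (?P<auth>\S+) authenticator failed for .*"
    r"\[(?P<ip>[^\]]+)\](?::\d+)?: 535 .*\(set_id=(?P<user>[^)]*)\)\s*$"
)

def failures_by_account(lines):
    """Map each targeted set_id to a Counter of source IP -> failure count."""
    table = defaultdict(Counter)
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            table[m["user"].lower()][m["ip"]] += 1
    return table

def classify(table, per_ip_limit=5, min_sources=5):  # thresholds are assumptions
    """'distributed' = many sources that each stay under per_ip_limit,
    so a per-IP failure counter on its own never fires for them."""
    report = {}
    for user, ips in table.items():
        worst = max(ips.values())
        kind = ("distributed" if len(ips) >= min_sources and worst < per_ip_limit
                else "single-source" if worst >= per_ip_limit else "low-volume")
        report[user] = {"failures": sum(ips.values()), "sources": len(ips),
                        "max_per_ip": worst, "kind": kind}
    return report

# The six lines below are copied from the post; the five appended after them
# are constructed (documentation address, hypothetical account) for contrast.
SAMPLE = """\
2011-08-08 12:41:56 courier_login authenticator failed for (santos-PC) [186.215.40.232]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
2011-08-08 12:41:56 courier_login authenticator failed for (servcurso) [189.83.22.147]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
2011-08-08 12:41:56 courier_login authenticator failed for (santos-PC) [186.215.40.232]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
2011-08-08 12:41:56 courier_login authenticator failed for (paradise_pc) [200.77.21.116]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
2011-08-08 12:41:57 courier_login authenticator failed for (Anderson-PC) [177.25.28.175]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
2011-08-08 12:41:58 courier_login authenticator failed for 80-178-114-200.fibertel.com.ar (Server) [200.114.178.80]: 535 Incorrect authentication data (set_id=cliente@customer.net.ar)
""".splitlines()
SAMPLE += ["2011-08-08 12:43:0%d courier_login authenticator failed for (host) [192.0.2.10]: "
           "535 Incorrect authentication data (set_id=info@example.org)" % s for s in range(5)]

if __name__ == "__main__":
    for user, row in classify(failures_by_account(SAMPLE)).items():
        print(user, row)
```
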
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,466
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Is CSF perm blocking these fails? If this was indeed a DDoS attack, you won't have much luck on your end stopping it; you'll need to contact your DC for assistance.
     
  3. altomarketing2

    altomarketing2 Well-Known Member

    CSF is temporarily blocking this, as we configured it. Should we change it?

    As we have our own rack in the DC, they don't give us so much help... I will
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Sure they will, ask them. All traffic goes thru their hardware. Temp block should be changed to perm block, yes, of course.
     
  5. jhonnyweb

    jhonnyweb Registered

    Joined:
    Jul 31, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hello altomarketing2, I am having a problem very similar to yours; I would like to know what solution you found for it!!

    Thank you very much in advance! ;)

    Regards
     