How do they find this stuff

keat63

I asked this before and never really got a definitive answer.

This weekend I see a few failed login attempts on email.
What's worrying is that both these email accounts actually exist on this small private domain, neither of them has ever been advertised, and one of them is highly unconventional, so how did this happen?
How did these email accounts get leaked?

2016-05-29 20:30:23 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:31 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:39 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=hollie)
 

keat63

This I guess I could accept if I were seeing failed logins for names which didn't exist, i.e. fred, bill, mary, accounts, sales, etc., but I don't.
 

cPanelMichael

Hello,

Were you able to scan additional logs on this system for that IP address to see if it has accessed additional services on the server?

Thank you.
 

cPanelMichael

You could search for that IP address in /usr/local/apache/logs/error_log, /usr/local/cpanel/logs/access_log, or /usr/local/apache/domlogs/* to see if any other instances of that IP address exist. The idea is to see if it's an actual user on your system as opposed to a hacker.

Thank you.
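
The log search suggested above, as an added example that is not part of the original thread: it summarises the failed logins per IP address and attempted login name, then counts where each of those IP addresses appears in other logs. The function names are hypothetical, and the log lines, the 203.0.113.x addresses and example.co.uk are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All log lines below are constructed;
# 203.0.113.x addresses and example.co.uk are placeholders.

# Summarise failed SMTP AUTH attempts in an Exim main log.
# Prints "count ip set_id" per (ip, attempted login) pair.
failed_auth_summary() {
    sed -n 's/.* authenticator failed for .*\[\([0-9a-fA-F.:]*\)\][^ ]* 535 .*(set_id=\([^)]*\)).*/\1 \2/p' "$1" |
        sort | uniq -c | awk '{print $1, $2, $3}'
}

# Count lines in each log that contain the IP as a whole token, so that
# 203.0.113.4 does not also match 203.0.113.45. Prints "file count".
ip_hits() {
    needle=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        printf '%s %s\n' "$f" "$(grep -Fwc -- "$needle" "$f")"
    done
}

# Write constructed sample logs into a temp dir and print its path.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/exim_mainlog" <<'EOF'
2016-05-29 20:30:23 dovecot_plain authenticator failed for host.example.net (mail.example.co.uk) [203.0.113.45]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:31 dovecot_plain authenticator failed for host.example.net (mail.example.co.uk) [203.0.113.45]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:39 dovecot_plain authenticator failed for host.example.net (mail.example.co.uk) [203.0.113.45]:29900: 535 Incorrect authentication data (set_id=hollie)
EOF
    cat > "$d/access_log" <<'EOF'
203.0.113.4 - - [29/May/2016:19:02:11 +0100] "GET / HTTP/1.1" 200 512
203.0.113.45 - - [29/May/2016:20:29:50 +0100] "GET /webmail HTTP/1.1" 200 1024
EOF
    printf '%s\n' "$d"
}

# Demo: for each IP with failed logins, show where else it appears.
demo() {
    d=$(make_sample_logs)
    failed_auth_summary "$d/exim_mainlog"
    failed_auth_summary "$d/exim_mainlog" | awk '{print $2}' | sort -u |
        while read -r ip; do ip_hits "$ip" "$d/access_log"; done
    rm -rf "$d"
}
demo
```

On the server itself, `ip_hits` would be given the log paths named in the post above instead of the sample file.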