The Community Forums


How do they find this stuff

Discussion in 'E-mail Discussions' started by keat63, May 31, 2016.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I asked this before and never really got a definitive answer.

    This weekend I see a few failed login attempts on email.
    What's worrying is that both of these email accounts actually exist on this small private domain, neither of them has ever been advertised, and one of them is highly unconventional, so how did this happen?
    How did these email accounts get leaked?

    2016-05-29 20:30:23 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
    2016-05-29 20:30:31 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
    2016-05-29 20:30:39 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=hollie)
     
    #1 keat63, May 31, 2016
    Last edited: May 31, 2016
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Because your domain resolves and exists, that is how they get it. All they are doing is stabbing in the dark with a dictionary attack.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    This I guess I could accept if I were seeing failed logins for names which didn't exist, i.e. fred, bill, mary, accounts, sales, etc., but I don't.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Were you able to scan additional logs on this system for that IP address to see if it has accessed additional services on the server?

    Thank you.
     
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Can you suggest any other logs to look at?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You could search for that IP address in /usr/local/apache/logs/error_log, /usr/local/cpanel/logs/access_log, or /usr/local/apache/domlogs/* to see if any other instances of that IP address exist. The idea is to see if it's an actual user on your system as opposed to a hacker.

    Thank you.
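    Both the check suggested in the staff reply (search the other logs for the source address) and the distinction the original poster is drawing (guesses that hit real mailboxes versus generic dictionary names) can be scripted. The following is an added example, not code from the thread or from cPanel. The regular expression is derived from the Exim log lines quoted in the first post; the second source address 203.0.113.7 and its two lines are constructed for the demo, and the `REAL_MAILBOXES` set stands in for the server's actual account list.

```python
"""Summarise failed Dovecot/Exim mail logins by source IP.

Added example, not from the thread. It reads Exim main-log lines of the
shape quoted in the first post, groups failures by client IP, and checks
which attempted usernames correspond to real mailboxes. The mailbox list
below is constructed for the demo; on a server you would load your own.
"""
import glob
import re
from collections import defaultdict

# Pattern derived from the sample lines in the thread. The rDNS name is
# optional (Exim omits it when there is none) and the IP field is kept
# permissive because the poster redacted octets with "x".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\](?::\d+)?: 535 Incorrect authentication data "
    r"\(set_id=(?P<user>[^)]*)\)"
)

# Constructed sample: the three lines from the thread (redacted as posted)
# plus two made-up lines from a second source trying names that do not exist.
SAMPLE_LOG = """\
2016-05-29 20:30:23 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:31 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=j)
2016-05-29 20:30:39 dovecot_plain authenticator failed for 41.254.x.xx.zte-tip.wimax.dynamic.ltt.ly (mail.mydomain.co.uk) [41.254.x.xx]:29900: 535 Incorrect authentication data (set_id=hollie)
2016-05-29 21:02:10 dovecot_login authenticator failed for (User) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=sales)
2016-05-29 21:02:14 dovecot_login authenticator failed for (User) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=fred)
"""

# Constructed list of mailboxes that exist on the demo domain.
REAL_MAILBOXES = {"j", "hollie"}


def parse_failures(lines):
    """Yield a dict per line that matches the auth-failure pattern; skip others."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarise_by_ip(lines):
    """Return {ip: {"count": n, "users": sorted distinct set_id values}}."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for rec in parse_failures(lines):
        counts[rec["ip"]] += 1
        users[rec["ip"]].add(rec["user"])
    return {ip: {"count": counts[ip], "users": sorted(users[ip])} for ip in counts}


def classify_attempts(summary, real_mailboxes):
    """Split each IP's guesses into names that exist and names that do not.

    A source whose guesses are all real mailboxes is more consistent with a
    harvested or leaked address list than with a generic dictionary, which is
    the distinction the original poster is drawing.
    """
    result = {}
    for ip, info in summary.items():
        hits = [u for u in info["users"] if u in real_mailboxes]
        misses = [u for u in info["users"] if u not in real_mailboxes]
        result[ip] = {"existing": hits, "nonexistent": misses}
    return result


def grep_ip(paths_or_globs, ip):
    """Return (path, line) pairs mentioning ip across the given log paths or globs.

    This is the manual check from the staff reply (Apache error_log, cPanel
    access_log, domlogs) done in one pass; unreadable files are skipped.
    """
    hits = []
    for pattern in paths_or_globs:
        for path in sorted(glob.glob(pattern)):
            try:
                with open(path, errors="replace") as fh:
                    hits.extend((path, line.rstrip("\n")) for line in fh if ip in line)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    summary = summarise_by_ip(SAMPLE_LOG.splitlines())
    verdict = classify_attempts(summary, REAL_MAILBOXES)
    for ip, info in summary.items():
        print(f"{ip}: {info['count']} failures, tried {info['users']}, "
              f"existing={verdict[ip]['existing']} nonexistent={verdict[ip]['nonexistent']}")
    # On a cPanel server the paths named in the thread would be scanned with:
    # grep_ip(["/usr/local/apache/logs/error_log",
    #          "/usr/local/cpanel/logs/access_log",
    #          "/usr/local/apache/domlogs/*"], "41.254.x.xx")
```

    Feed the script `/var/log/exim_mainlog` (or wherever Exim's main log lives on the box) instead of `SAMPLE_LOG`, and compare the `existing` list per source against the known mailboxes: a source that only ever tries real names is the case worth following up with the `grep_ip` pass over the other logs.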
     