Mysterious login maillog message

[epanagio]

I have been alerted of spam being sent from one of my servers and I looked in the /var/log/maillog and saw the following strange messages:

dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

also

dovecot: imap-login: Disconnected (no auth attempts): rip=198.20.99.130, lip=68.233.34.83, TLS: Disconnected

I also saw many, many messages like:

dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86

The following message scares me the most because looks like someone logged in:

dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

HELP!

 

[ThinIce]

I'm sure someone will correct me if I'm wrong, but iirc the cpanel__service__auth__imap entry is cPanel monitoring the imap service to ensure it is working.

The pop3-login example is an attempt to find accounts to login to / brute force, unrelated to the above.

 

[epanagio]

Thanks for taking the time to answer my question.

 

[cPanelMichael]

Hello

Yes, those are simply access attempts by Chkservd to ensure the service is running. If you want to determine the source of SPAM, I recommend checking the following log file:

/var/log/exim_mainlog

You can search this log file using the "exigrep" utility in order to search for specific email addresses or message subjects. It should help you to determine which account the SPAM is originating form.

Thank you.

 

[epanagio]

I looked in

/var/log/exim_manlog

and I saw some random email messages that were received from a variety of senders.

I also saw a lot, and I mean a lot of:

2013-09-03 01:55:52 SMTP connection from [202.107.225.31]:56748 lost
2013-09-03 01:55:54 SMTP connection from [202.107.225.31]:57017 (TCP/IP connection count = 1)
2013-09-03 01:55:54 no host name found for IP address 202.107.225.31
2013-09-03 01:55:55 SMTP connection from [202.107.225.31]:57017 lost
2013-09-03 01:55:57 SMTP connection from [202.107.225.31]:57296 (TCP/IP connection count = 1)

I also saw a few

2013-09-03 13:21:45 H=(<my domain name> [198.24.175.151]:1775 F=<[email protected]> rejected RCPT <[email protected]>: Please turn on SMTP Authentication in your mail client. (<my domain name>) [198.24.175.151]:1775 is not permitted to relay through this server without authentication.
2013-09-03 13:21:45 H=(<my domain name>) [198.24.175.151]:1775 Warning: "Detected session with all messages failed"
2013-09-03 13:21:45 H=(<my domain name>) [198.24.175.151]:1775 Warning: "Increment slow_fail_block Ratelimit - (<my domain name>) [198.24.175.151]:1775 because of all messages failed"
2013-09-03 13:21:45 SMTP connection from (<my domain name>) [198.24.175.151]:1775 closed by QUIT

The last message worried me but I am not sure it it is real or not.

 

[cPanelMichael]

You should search this log for the email address that reported your server as sending out SPAM. Simply viewing the full log is going to output a large amount of data.

Thank you.