Mysterious login maillog message

Discussion in 'E-mail Discussions' started by epanagio, Sep 4, 2013.

  1. epanagio

    I have been alerted of spam being sent from one of my servers and I looked in the /var/log/maillog and saw the following strange messages:

    dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

    also

    dovecot: imap-login: Disconnected (no auth attempts): rip=198.20.99.130, lip=68.233.34.83, TLS: Disconnected

    I also saw many, many messages like:

    dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<public@68>, method=PLAIN, rip=202.107.225.31, lip=68.233.34.86

    The following message scares me the most because it looks like someone logged in:

    dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__mvncp8iylhljil6v7dkmkenkzcecde1gflj456nsipiwqf...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

    HELP!
     
  2. ThinIce

    I'm sure someone will correct me if I'm wrong, but iirc the cpanel__service__auth__imap entry is cPanel monitoring the imap service to ensure it is working.

    The pop3-login example is an attempt to find accounts to log in to / brute force, unrelated to the above.
     
  3. epanagio

    Thanks for taking the time to answer my question.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, those are simply access attempts by Chkservd to ensure the service is running. If you want to determine the source of SPAM, I recommend checking the following log file:

    Code:
    /var/log/exim_mainlog
    You can search this log file using the "exigrep" utility in order to search for specific email addresses or message subjects. It should help you to determine which account the SPAM is originating from.

    Thank you.
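
An added example, not part of any post in this thread and not cPanel's own tooling: a triage script that separates the loopback service-check logins discussed above from failed-auth and no-auth connections in dovecot maillog lines. It assumes the field layout of the lines quoted in the thread; the function names, the failure threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the dovecot lines quoted in this thread.
LINE_RE = re.compile(r"dovecot: (?:imap|pop3)-login: (Login|Disconnected)"
                     r"(?: \(([^)]*)\))?: (.*)")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
SERVICE_PREFIX = "__cpanel__service__auth__"
LOOPBACK = {"127.0.0.1", "::1"}

def classify(line):
    """Return (category, remote_ip, user), or None if not a login-process line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event, reason, rest = m.group(1), m.group(2) or "", m.group(3)
    kv = dict(KV_RE.findall(rest))
    rip, user = kv.get("rip"), kv.get("user", "").strip("<>")
    if event == "Login":
        # Treat it as the monitoring check only when the service-auth user
        # connects from loopback; the same name from elsewhere is a real login.
        if user.startswith(SERVICE_PREFIX) and rip in LOOPBACK:
            return ("service_check", rip, user)
        return ("login", rip, user)
    if reason.startswith("auth failed"):
        return ("auth_failed", rip, user)
    if reason.startswith("no auth attempts"):
        return ("probe", rip, user)
    return ("disconnect", rip, user)

def summarize(lines, threshold=3):
    """Tally categories, flag IPs with >= threshold failures, list real logins."""
    totals, failed, logins = Counter(), Counter(), []
    for category, rip, user in filter(None, map(classify, lines)):
        totals[category] += 1
        if category == "auth_failed":
            failed[rip] += 1
        elif category == "login":
            logins.append((user, rip))
    noisy = sorted(ip for ip, n in failed.items() if n >= threshold)
    return {"totals": dict(totals), "noisy_ips": noisy, "logins": logins}

# Constructed sample lines (documentation-range addresses, made-up users).
P = "Sep  4 10:00:00 host dovecot: "
SAMPLE = [
    P + "imap-login: Login: user=<__cpanel__service__auth__imap__EXAMPLE>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured",
    P + "imap-login: Disconnected (no auth attempts): rip=198.51.100.9, lip=192.0.2.10, TLS: Disconnected",
    P + "imap-login: Login: user=<info@example.com>, method=PLAIN, rip=203.0.113.50, lip=192.0.2.10, TLS",
] + [P + "pop3-login: Disconnected (auth failed, 1 attempts): user=<public@68>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10"] * 3
```

Calling `summarize()` on the lines of `/var/log/maillog` leaves the `logins` list as the entries worth reviewing by hand, since the service checks are counted separately.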
     
  5. epanagio

    I looked in
    and I saw some random email messages that were received from a variety of senders.

    I also saw a lot, and I mean a lot of:
    I also saw a few
    The last message worried me but I am not sure if it is real or not.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You should search this log for the email address that reported your server as sending out SPAM. Simply viewing the full log is going to output a large amount of data.

    Thank you.
     