Security Problems?

Discussion in 'E-mail Discussions' started by RegDCP, Feb 14, 2011.

  1. RegDCP

    RegDCP Member

    I am getting logwatch reports that have entries:
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[25927], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[25967], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26024], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26088], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26145], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26210], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26260], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26310], protocol=IMAP: 1 Time(s)
    LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[26379], protocol=IMAP: 1 Time(s)

    And from a couple of clients with their IP addresses, which I removed.

    , user=hosted-customer@their-domain.com, ip=[::ffff:removed], port=[49239], protocol=IMAP: 1 Time(s)
    LOGIN, user=hosted-customer@their-domain.com, ip=[::ffff:removed], port=[49241], protocol=IMAP: 1 Time(s)
    LOGIN, user=hosted-customer@their-domain.com, ip=[::ffff:removed], port=[49360], protocol=IMAP: 1 Time(s)
    LOGIN, user=hosted-customer@their-domain.com,, ip=[::ffff:removed], port=[63360], protocol=IMAP: 1 Time(s)


    I also get
    LOGOUT, user=cpanel@localhost, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=12, sent=86, time=0: 114 Time(s)
    LOGOUT, user=cpanel@localhost, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=12, sent=86, time=1: 123 Time(s)
    LOGOUT, user=cpanel@localhost, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=12, sent=86, time=2: 1 Time(s)

    from both localhost and client accounts.

    What is happening and why?

    Any idea what virus it is, if it is a virus?

    Best,
    Reg
     
  2. mtindor

    mtindor Well-Known Member

    The cpanel@localhost entries are likely chksrvd checking IMAP to make sure it is up. Timestamps are usually 5 minutes apart between logins.

    What is strange about these? Looks like it is just one of your customers using an email client configured for IMAP access to their mail folders. Although most people use POP3, many people use IMAP -- especially people with smartphones / PDAs.

    M
     
  3. RegDCP

    RegDCP Member

    Thank you mtindor.
    Is it normal to keep hitting different ports?

    Reg
     
  4. mtindor

    mtindor Well-Known Member

    I believe what you are referring to is the source port, which, yes, is going to be different.

    When LogWatch logs "protocol=IMAP", I think you can assume it means that the destination port was TCP 143. And 25927 would be the source port of the originator of the packet.

    So, in all your entries the destination port is IMAP (TCP 143).

    Mike
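To make Mike's reading of these lines concrete, here is an added example (not from the thread or from cPanel) that parses the logwatch IMAP summary format shown above, separates the cpanel@localhost loopback checks from real customer logins, records the implied destination port alongside the client's source port, and tallies distinct client IPs per mailbox; the sample lines and IP addresses are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the logwatch summary format from the thread
# (IP addresses are documentation placeholders, not real clients).
SAMPLE = """\
LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[25927], protocol=IMAP: 1 Time(s)
LOGIN, user=cpanel@localhost, ip=[::ffff:127.0.0.1], port=[25967], protocol=IMAP: 1 Time(s)
LOGIN, user=hosted-customer@their-domain.com, ip=[::ffff:203.0.113.10], port=[49239], protocol=IMAP: 1 Time(s)
LOGIN, user=hosted-customer@their-domain.com, ip=[::ffff:203.0.113.10], port=[49241], protocol=IMAP: 1 Time(s)
LOGIN, user=hosted-customer@their-domain.com, ip=[::ffff:198.51.100.7], port=[63360], protocol=IMAP: 1 Time(s)
LOGOUT, user=cpanel@localhost, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=12, sent=86, time=0: 114 Time(s)
"""

LOGIN_RE = re.compile(
    r"^LOGIN, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\], "
    r"port=\[(?P<sport>\d+)\], protocol=(?P<proto>\w+): (?P<n>\d+) Time\(s\)$"
)

# The protocol label implies the server-side port; port=[...] is the client's
# source port, which is why it differs on every connection.
DEST_PORT = {"IMAP": 143, "POP3": 110}

def parse_logins(text):
    """Yield one dict per LOGIN line; LOGOUT and other lines are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["n"] = int(d["n"])
        d["dport"] = DEST_PORT.get(d["proto"])
        # cPanel's own account from loopback: the periodic service check, not a user
        d["probe"] = d["user"] == "cpanel@localhost" and d["ip"] == "127.0.0.1"
        # Client source ports normally sit in the ephemeral range
        d["ephemeral"] = 1024 <= d["sport"] <= 65535
        yield d

def summarize(text):
    """Per-user login totals and sorted distinct client IPs, probes excluded."""
    logins = Counter()
    ips = defaultdict(set)
    for e in parse_logins(text):
        if e["probe"]:
            continue
        logins[e["user"]] += e["n"]
        ips[e["user"]].add(e["ip"])
    return logins, {u: sorted(v) for u, v in ips.items()}
```

A mailbox that suddenly shows logins from many distinct IPs in this summary is the kind of change worth a second look, whereas a changing source port alone is expected.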
     
  5. RegDCP

    RegDCP Member

    Thank you Mike.
    I was worried that my clients' computers were infected and they were trying to get access to the OS.

    I have about 100 clients, but I see only 5 that show this kind of behavior in logwatch.

    Reg
     