
Should I ban this ip? (secure log)

Discussion in 'General Discussion' started by goodgbb, Sep 30, 2005.

  1. goodgbb

    goodgbb Well-Known Member

    Should I ban this ip? (secure log)

    #secure logs
    Sep 29 12:08:52 server xinetd[24892]: START: imap pid=21310 from=210.137.108.3


    Thank You
     
  2. chirpy

    chirpy Well-Known Member

    That's entirely up to you.
     
  3. novice07

    novice07 Member

    I have the same problem.

    Apr 6 04:29:20 server xinetd[3030]: START: auth pid=9974 from=148.160.16.68
    Since this is not our IP, is someone gaining access and hacking into the server?
    I'm not much of an expert with xinetd.

    Normally we would get
    Apr 6 05:03:01 server xinetd[3030]: START: auth pid=12394 from=127.0.0.1


    Is someone from outside our server running a process?
     
  4. nyjimbo

    nyjimbo Well-Known Member

    Isn't this just someone using an IMAP client that's not on your server?
     
  5. brianoz

    brianoz Well-Known Member

    novice07 - Did you really have to reopen a three-year-old post to make this comment??
     
  6. novice07

    novice07 Member

    I'm sorry but I have searched on the forum before posting and this is the only post I have found regarding my problem.
    I'm worried that someone is authenticating from outside my server and it's not my clients.


    I checked the IPs with a whois tool; they originate from outside my country. The problem is that I do not offer international hosting. All the people that I host are from my city.

    This is just today; there are always 2 or 3 IPs per day originating from all across Europe. This led me to believe that someone is using a proxy list to get in.

    I had a blog on my site for support and now it's full of spam. I checked my logs and someone is trying to break in via SSH by brute force; each time he is blocked after trying 3 times. That does not stop this person from trying with a different IP. I have disabled SSH v1, disabled telnet, changed the port and the IP for SSH, but now I'm afraid that he has found a way to get in.

    This is what I get in my log. These are IPs that are not even from my country.
    Apr 6 04:29:20 server xinetd[3030]: START: auth pid=9974 from=148.160.16.68
    Apr 6 04:43:28 server xinetd[3030]: START: auth pid=11017 from=193.226.125.9
    Apr 6 17:27:49 server xinetd[19048]: START: auth pid=2170 from=65.19.147.89
    Apr 6 18:28:06 server xinetd[19048]: START: auth pid=6495 from=212.160.225.3

    What does this mean?
     
    #6 novice07, Apr 6, 2008
    Last edited: Apr 6, 2008
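
Added example, not part of any post in this thread: the xinetd START lines quoted above, parsed and grouped by service and source address so that loopback connections (the 127.0.0.1 entries) are counted separately from remote ones. A START line records that xinetd started the named service for a connection from that address; it does not by itself show that a login succeeded. The function names and the final sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Sample lines copied from the posts above; the last (sshd) line is constructed
# to show that non-xinetd entries are skipped.
SAMPLE = """\
Apr 6 04:29:20 server xinetd[3030]: START: auth pid=9974 from=148.160.16.68
Apr 6 04:43:28 server xinetd[3030]: START: auth pid=11017 from=193.226.125.9
Apr 6 05:03:01 server xinetd[3030]: START: auth pid=12394 from=127.0.0.1
Apr 6 17:27:49 server xinetd[19048]: START: auth pid=2170 from=65.19.147.89
Apr 6 18:28:06 server xinetd[19048]: START: auth pid=6495 from=212.160.225.3
Sep 29 12:08:52 server xinetd[24892]: START: imap pid=21310 from=210.137.108.3
Apr 6 18:30:00 server sshd[700]: unrelated line that must be skipped
"""

START_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+\S+\s+xinetd\[\d+\]:\s+"
    r"START:\s+(?P<service>\S+)\s+pid=(?P<pid>\d+)\s+from=(?P<src>\S+)"
)

def parse_start(line):
    """Return a dict for an xinetd START line, or None for anything else."""
    m = START_RE.match(line)
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m["src"])
    except ValueError:
        return None  # malformed address: do not guess
    # Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as its IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return {"when": m["when"], "service": m["service"],
            "pid": int(m["pid"]), "src": addr}

def summarize(text):
    """Map service -> {"local": n, "remote": Counter({ip: n})}."""
    out = defaultdict(lambda: {"local": 0, "remote": Counter()})
    for line in text.splitlines():
        ev = parse_start(line)
        if ev is None:
            continue
        if ev["src"].is_loopback:
            out[ev["service"]]["local"] += 1
        else:
            out[ev["service"]]["remote"][str(ev["src"])] += 1
    return dict(out)

if __name__ == "__main__":
    for service, s in summarize(SAMPLE).items():
        print(f"{service}: {s['local']} local, {sum(s['remote'].values())} remote")
        for ip, n in s["remote"].most_common():
            print(f"  {ip}  x{n}")
```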