The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

undecipherable characters in exim_mainlog

Discussion in 'Security' started by jols, Sep 20, 2013.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I am guessing this is some form of DDOS attack, the IPs in question are apparently not sending out email, but we are seeing entires like the following, approximately once every 20 entries:
    Code:
    2013-09-20 20:17:15 SMTP ␌⎺┼┼␊␌├␋⎺┼ °⎼⎺└ [181.67.224.145]:63035 (TCP/IP ␌⎺┼┼␊␌├␋⎺┼ ␌⎺┤┼├ = 8)
    2013-09-20 20:17:15 ┼⎺ ␤⎺⎽├ ┼▒└␊ °⎺┤┼␍ °⎺⎼ IP ▒␍␍⎼␊⎽⎽ 181.67.224.145

    Any ideas what this could be, or what countermeasures we may be able to evoke against this?

    Thanks much.
     
  2. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    UPDATE - I made out a cPanel.net ticket. Response came back that this was the result of some sort of exploit attempt, and some of it may be due to my shell client not being able to properly resolve some of the characters in the log files; to use the "less" command instead of tail. Good advice, but nevertheless these very strange exploit attempts continue. Usually one of the following is included in the log entries in question, but not always:

    too many unrecognized commands

    or

    too many syntax or protocol errors

    Such exploits are now coming in hot and heavy on two of our servers, in some cases causing email delivery to be delayed. I have cobbled together a shell script to "look for" either of the above phrases in exim_mainlog, and then block the IP in the same log entry. But this is purely a Bandaid approach. So I am wondering if there is something a bit further up the chain that we could do, i.e. before Exim even has a chance to reject this nonsense. In other words, I'd certainly like to block these attempts before they start taxing the Exim system. Anyone?
     
    #2 jols, Sep 22, 2013
    Last edited: Sep 22, 2013
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks much.

    I tried the suggestion listed in Sustained Exim Attack, but for me at least this had absolutely no effect.

    The other suggestion pertains more to keeping the log file small, which is not much of an issue on our case.

    What I ended up doing, was cobbling together a script to "look for" certain phrases in the exim_mainlog, and then blocking the IP address in the same log entry. However, this kind of reactive, rather than preventative approach is not very appealing.

    Thanks again.
     

Share This Page