What does this mean? IMAP logwatch question

FourMat

Active Member
Jun 10, 2004
Hello,

In my daily logwatch email I have received the following notice concerning my IMAP connections

Code:
Connections:
   Service imap:
      70.84.241.130: 3 Time(s)
      127.0.0.1: 150 Time(s)
This is the first time that I have been getting a connection from anything other than the localhost. I'm afraid that a spammer has cracked my machine. Should I be worried about this? If so, what can I do to trace these connections, and/or find out how they got in and fix it.

Thanks for the help.

FourMat
 

hostseeker

Well-Known Member
Sep 4, 2001
Did you ever get an answer to this? I started getting them also from several IPs that I don't know.

Code:
 --------------------- Connections (secure-log) Begin ------------------------ 


Connections:
   Service imap:
      24.36.238.52: 5 Time(s)
      127.0.0.1: 274 Time(s)
      169.237.108.32: 5 Time(s)
      200.208.136.70: 5 Time(s)
      202.124.160.145: 5 Time(s)
      207.190.185.106: 5 Time(s)
      208.3.94.40: 5 Time(s)

 ---------------------- Connections (secure-log) End -------------------------
 

FourMat

Active Member
Jun 10, 2004
I never did get an answer from anyone on this.

I have a theory that I haven't proven out yet though. The IPs in question were from overseas, and I have a client who travels overseas and uses the webmail interface. I think that webmail uses IMAP, and therefore registers the IP of the person who connected. I guess to prove it we could connect to webmail and look at the log files tomorrow. I could be totally off base, but barring help from other knowledgeable people it's the best I have right now....

Anyone else want to weigh in on this one? Thanks.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
You're quite right. The webmail apps that come with cPanel do indeed use IMAP. Also, your clients could be using IMAP instead of POP3 to access their email - they could also be from port scans or other connections - it's not logging logins, only connections. The localhost entries (127.0.0.1) are simply chkservd making sure that IMAP is running.
 

hostseeker

Well-Known Member
Sep 4, 2001
I use APF and BFD, so am I right in assuming that after 5 connections my system blocks them?

Else why would IP number connections stop at 5?

Also, most of the IPs are foreign countries and all my customers are domestic.

Should I block those IPs in hosts.deny? Or should they already be blocked somewhere?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
BFD's trigger level is set in the rules files in /var/local/bfd/rules/* and typically they're set to 5. Since BFD is clearly doing its job, you don't need to worry about it :)
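Chirpy's two points above (the 127.0.0.1 entries are chkservd, the remote counts stopping at 5 match BFD's usual trigger level, and the section counts connections rather than logins) can be turned into a small triage step for the daily report. The following Python script is an added example, not code from this thread, cPanel, logwatch or BFD. It parses a logwatch "Connections" section in the layout posted above, separates localhost checks from remote sources, and lists remote IPs whose count has reached the trigger value. The trigger of 5 is taken from chirpy's post; BFD's actual rules-file format is not shown on this page, so the value is a plain parameter here. The sample report is constructed: its imap addresses are the ones hostseeker posted, while the pop3 section and 10.0.0.7 are invented to show a second service.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the logwatch "Connections (secure-log)"
# section quoted in this thread. The imap addresses are the ones posted above;
# the pop3 section and 10.0.0.7 are invented to show a second service.
SAMPLE_REPORT = """\
 --------------------- Connections (secure-log) Begin ------------------------

Connections:
   Service imap:
      24.36.238.52: 5 Time(s)
      127.0.0.1: 274 Time(s)
      169.237.108.32: 5 Time(s)
      200.208.136.70: 5 Time(s)
   Service pop3:
      10.0.0.7: 12 Time(s)

 ---------------------- Connections (secure-log) End -------------------------
"""

SERVICE_RE = re.compile(r"^\s*Service (\S+):\s*$")
CONN_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):\s+(\d+) Time\(s\)\s*$")

# Local addresses: per chirpy's post, the 127.0.0.1 hits are chkservd checking that IMAP is up.
LOCAL_ADDRS = frozenset({"127.0.0.1", "::1"})

# BFD's per-rule trigger; chirpy says the rules files typically set it to 5.
# Assumption: only the number is known here, not BFD's rules-file format.
BFD_TRIGGER = 5


def parse_connections(report):
    """Return {service: {ip: count}} from a logwatch Connections section."""
    services = defaultdict(dict)
    current = None
    for line in report.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CONN_RE.match(line)
        if m and current is not None:
            services[current][m.group(1)] = int(m.group(2))
    return dict(services)


def triage(report, service="imap", trigger=BFD_TRIGGER):
    """Split one service's counters into local checks and remote sources.

    'at_trigger' lists remote IPs whose count reached the trigger, which is
    consistent with BFD having blocked them after that many connections.
    These are connection counts, not logins, so treat them as leads only.
    """
    counts = parse_connections(report).get(service, {})
    local = sum(n for ip, n in counts.items() if ip in LOCAL_ADDRS)
    remote = {ip: n for ip, n in counts.items() if ip not in LOCAL_ADDRS}
    at_trigger = sorted(ip for ip, n in remote.items() if n >= trigger)
    return {"local": local, "remote": remote, "at_trigger": at_trigger}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"localhost (chkservd) connections: {result['local']}")
    for ip, n in sorted(result["remote"].items()):
        flag = "  <- reached BFD trigger" if ip in result["at_trigger"] else ""
        print(f"{ip:>16}: {n} Time(s){flag}")
```

A remote IP in `at_trigger` is a reason to look at the mail server's login log and BFD's own log for that address, not evidence that anything was compromised; a travelling customer on webmail and a scanner that BFD already blocked look identical in this section.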
 

rogcan

Well-Known Member
Jun 7, 2004
I have about 3000 of these in a row.....

Should I be concerned about this? If so, what should I be doing?

Illegal user book from 65.254.39.146
Illegal user book from 65.254.39.146
Illegal user book from 65.254.39.146
Illegal user born from 65.254.39.146
Illegal user boob from 65.254.39.146
Illegal user born from 65.254.39.146
Illegal user born from 65.254.39.146
Illegal user born from 65.254.39.146
Illegal user boyscout from 65.254.39.146
Illegal user boobs from 65.254.39.146
Illegal user boyscout from 65.254.39.146
Illegal user boyscout from 65.254.39.146
Illegal user boyscout from 65.254.39.146
Illegal user bradley from 65.254.39.146
Illegal user book from 65.254.39.146
Illegal user bradley from 65.254.39.146
Illegal user bradley from 65.254.39.146
Illegal user bradley from 65.254.39.146
Illegal user brandi from 65.254.39.146
Illegal user born from 65.254.39.146
Illegal user brandi from 65.254.39.146
Illegal user brandi from 65.254.39.146
Illegal user brandi from 65.254.39.146
Illegal user brandy from 65.254.39.146
Illegal user boyscout from 65.254.39.146
Illegal user brandy from 65.254.39.146
Illegal user brandy from 65.254.39.146
Illegal user brandy from 65.254.39.146
Illegal user bravo from 65.254.39.146
Illegal user bradley from 65.254.39.146
Illegal user bravo from 65.254.39.146
Illegal user bravo from 65.254.39.146
Illegal user bravo from 65.254.39.146
Illegal user break from 65.254.39.146
Illegal user break from 65.254.39.146
Illegal user brandi from 65.254.39.146
Illegal user break from 65.254.39.146
Illegal user break from 65.254.39.146
Illegal user breast from 65.254.39.146
Illegal user breast from 65.254.39.146
Illegal user brandy from 65.254.39.146
Illegal user breast from 65.254.39.146
Illegal user breast from 65.254.39.146
Illegal user brenda from 65.254.39.146
Illegal user bravo from 65.254.39.146
Illegal user brenda from 65.254.39.146
Illegal user brenda from 65.254.39.146
Illegal user brenda from 65.254.39.146
Illegal user brian from 65.254.39.146
Illegal user break from 65.254.39.146
Illegal user brian from 65.254.39.146
Illegal user brian from 65.254.39.146
Illegal user brian from 65.254.39.146
Illegal user bridget from 65.254.39.146
Illegal user bridget from 65.254.39.146
Illegal user breast from 65.254.39.146
Illegal user bridget from 65.254.39.146
Illegal user bridget from 65.254.39.146
Illegal user broadway from 65.254.39.146
Illegal user broadway from 65.254.39.146
Illegal user brenda from 65.254.39.146
Illegal user broadway from 65.254.39.146
Illegal user broadway from 65.254.39.146
Illegal user brothel from 65.254.39.146
Illegal user brothel from 65.254.39.146
Illegal user brian from 65.254.39.146
Illegal user brothel from 65.254.39.146
Illegal user brothel from 65.254.39.146
Illegal user brunette from 65.254.39.146
Illegal user brunette from 65.254.39.146
Illegal user bridget from 65.254.39.146
Illegal user brunette from 65.254.39.146
Illegal user brunette from 65.254.39.146
Illegal user brute from 65.254.39.146
Illegal user brute from 65.254.39.146
Illegal user broadway from 65.254.39.146

*** Goes like this all the way from A to Z ***
 

MMarko

Well-Known Member
Apr 18, 2005
Dictionary brute force attack. Change default ports and install BFD, and do a little search on this forum.
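MMarko's diagnosis can be checked mechanically rather than by eyeballing 3000 lines. The following Python script is an added example, not code from this thread or from BFD. It groups "Illegal user ... from ..." lines in the format rogcan quoted by source address and separates a dictionary run (many attempts spread across many distinct usernames, walking through the alphabet) from one legitimate user repeatedly mistyping an account name (many attempts, one name). The sample log is constructed: the usernames and 65.254.39.146 come from rogcan's post, while 192.0.2.10 and 198.51.100.4 are documentation addresses added for contrast; the two thresholds are assumptions for illustration, not BFD's settings.

```python
import re
from collections import defaultdict

ILLEGAL_USER_RE = re.compile(r"Illegal user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

# Usernames taken from rogcan's excerpt above; the attacker tried each a few times.
_DICT_NAMES = [
    "book", "born", "boob", "boyscout", "bradley", "brandi", "brandy", "bravo",
    "break", "breast", "brenda", "brian", "bridget", "broadway", "brothel",
    "brunette", "brute",
]

# Constructed sample log: the dictionary run from 65.254.39.146 (the address in
# rogcan's post), one user hammering a single wrong name from 192.0.2.10, and a
# lone typo from 198.51.100.4. The last two addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"Illegal user {name} from 65.254.39.146" for name in _DICT_NAMES for _ in range(4)]
    + ["Illegal user bob from 192.0.2.10"] * 25
    + ["Illegal user alice from 198.51.100.4"]
)


def summarize_illegal_users(log_text):
    """Per source IP: how many 'Illegal user' lines and how many distinct names tried."""
    attempts = defaultdict(int)
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = ILLEGAL_USER_RE.search(line)
        if not m:
            continue  # unrelated log line
        user, ip = m.groups()
        attempts[ip] += 1
        names[ip].add(user)
    return {ip: {"attempts": attempts[ip], "distinct_users": len(names[ip])} for ip in attempts}


def classify(summary, min_attempts=20, min_distinct=10):
    """Label each source. Thresholds are illustrative assumptions, not BFD's.

    A dictionary attack shows many attempts AND many distinct usernames; a
    person mistyping their own account shows many attempts but one name.
    """
    labels = {}
    for ip, s in summary.items():
        if s["attempts"] >= min_attempts and s["distinct_users"] >= min_distinct:
            labels[ip] = "dictionary attack"
        elif s["attempts"] >= min_attempts:
            labels[ip] = "repeated single-name failures"
        else:
            labels[ip] = "low volume"
    return labels


if __name__ == "__main__":
    summary = summarize_illegal_users(SAMPLE_LOG)
    for ip, label in sorted(classify(summary).items()):
        s = summary[ip]
        print(f"{ip:>16}: {s['attempts']:4d} attempts, {s['distinct_users']:3d} names -> {label}")
```

The distinct-username count is the signal that matters: a high attempt count alone would also fire on a customer with a broken mail client, which is exactly the false positive that an overly eager hosts.deny entry would create.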
 

verdon

Well-Known Member
Nov 1, 2003
Northern Ontario, Canada
cPanel Access Level
Root Administrator
chirpy said:
You're quite right. The webmail apps that come with cPanel do indeed use IMAP. Also, your clients could be using IMAP instead of POP3 to access their email - they could also be from port scans or other connections - it's not logging logins, only connections. The localhost entries (127.0.0.1) are simply chkservd making sure that IMAP is running.
I updated logwatch using some instructions I found on Chirpy's blog and find the new report provides a bit better detail on IMAP connections.