The Community Forums

Interact with an entire community of cPanel & WHM users!

What does this mean? IMAP logwatch question

Discussion in 'General Discussion' started by FourMat, Feb 14, 2005.

  1. FourMat

    FourMat Active Member

    Joined:
    Jun 10, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    In my daily logwatch email I have received the following notice concerning my IMAP connections

    Code:
    Connections:
       Service imap:
          70.84.241.130: 3 Time(s)
          127.0.0.1: 150 Time(s)
    This is the first time that I have been getting a connection from anything other than the localhost. I'm afraid that a spammer has cracked my machine. Should I be worried about this? If so, what can I do to trace these connections, and/or find out how they got in and fix it?

    Thanks for the help.

    FourMat
     
  2. hostseeker

    hostseeker Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Did you ever get an answer to this? I started getting them also from several IPs that I don't know.

    Code:
     --------------------- Connections (secure-log) Begin ------------------------ 
    
    
    Connections:
       Service imap:
          24.36.238.52: 5 Time(s)
          127.0.0.1: 274 Time(s)
          169.237.108.32: 5 Time(s)
          200.208.136.70: 5 Time(s)
          202.124.160.145: 5 Time(s)
          207.190.185.106: 5 Time(s)
          208.3.94.40: 5 Time(s)
    
     ---------------------- Connections (secure-log) End ------------------------- 
    
    
     
  3. FourMat

    FourMat Active Member

    Joined:
    Jun 10, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I never did get an answer from anyone on this.

    I have a theory that I haven't proven out yet though. The IPs in question were from overseas, and I have a client who travels overseas and uses the webmail interface. I think that webmail uses IMAP, and therefore registers the IP of the person who connected. I guess to prove it we could connect to webmail and look at the log files tomorrow. I could be totally off base, but barring help from other knowledgeable people it's the best I have right now....

    Anyone else want to weigh in on this one? Thanks.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're quite right. The webmail apps that come with cPanel do indeed use IMAP. Also, your clients could be using IMAP instead of POP3 to access their email - they could also be from port scans or other connections - it's not logging logins, only connections. The localhost entries (127.0.0.1) are simply chkservd making sure that IMAP is running.
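The triage chirpy describes (loopback entries are chkservd's health checks, everything else is a remote connection, and a count that stops at the BFD trigger level is usually a banned source) can be automated over the logwatch "Connections" section. The script below is an added example, not code from the thread or from cPanel/logwatch; the report text it parses is constructed in the same layout the posts show, the `pop3` block and the 203.0.113.9 address are invented for illustration, and the threshold of 5 is the BFD rule level mentioned later in the thread.

```python
"""Triage the 'Connections' section of a logwatch report (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout logwatch uses in the posts above.
# The pop3 block and 203.0.113.9 are invented for illustration.
SAMPLE_REPORT = """\
 --------------------- Connections (secure-log) Begin ------------------------

Connections:
   Service imap:
      24.36.238.52: 5 Time(s)
      127.0.0.1: 274 Time(s)
      169.237.108.32: 5 Time(s)
   Service pop3:
      127.0.0.1: 274 Time(s)
      203.0.113.9: 1 Time(s)

 ---------------------- Connections (secure-log) End -------------------------
"""

SERVICE_RE = re.compile(r"^\s*Service\s+(\S+):\s*$")
ENTRY_RE = re.compile(r"^\s*(\S+):\s+(\d+)\s+Time\(s\)\s*$")


def parse_connections(report):
    """Return {service: {ip: count}} parsed from the Connections section."""
    services = defaultdict(dict)
    current = None
    for line in report.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            services[current][m.group(1)] = int(m.group(2))
    return dict(services)


def triage(services, threshold=5):
    """Split each service's sources into loopback (chkservd checks) and
    remote sources. Remote sources whose count reached `threshold` are
    flagged: with BFD's default trigger of 5, a count that stops exactly
    there usually means the IP was banned, which is what the thread
    observed, so those are the ones worth checking in the BFD ban log."""
    result = {}
    for svc, entries in services.items():
        local = 0
        remote = {}
        for ip, count in entries.items():
            if ipaddress.ip_address(ip).is_loopback:
                local += count
            else:
                remote[ip] = count
        flagged = sorted(ip for ip, c in remote.items() if c >= threshold)
        result[svc] = {"loopback": local, "remote": remote, "flagged": flagged}
    return result


if __name__ == "__main__":
    for svc, info in triage(parse_connections(SAMPLE_REPORT)).items():
        print(svc, "loopback:", info["loopback"],
              "remote:", info["remote"], "flagged:", info["flagged"])
```

Because the report only counts TCP connections, a flagged address is a lead and not proof of a login; confirm against the IMAP server's own login lines before treating a traveller's webmail session as an intrusion.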
     
  5. hostseeker

    hostseeker Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    I use APF and BFT so am I right in assuming that after 5 connections my system blocks them?

    Else why would IP number connections stop at 5?

    Also, most of the IPs are from foreign countries and all my customers are domestic.

    Should I block those IP's in the hosts_deny? Or should they already be blocked somewhere?
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    BFD's trigger level is set in the rules files in /var/local/bfd/rules/* and typically they're set to 5. Since BFD is clearly doing its job, you don't need to worry about it :)
     
  7. rogcan

    rogcan Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    I have about 3000 of these in a row.....

    Should I be concerned about this? If so, what should I be doing?

    Illegal user book from 65.254.39.146
    Illegal user book from 65.254.39.146
    Illegal user book from 65.254.39.146
    Illegal user born from 65.254.39.146
    Illegal user boob from 65.254.39.146
    Illegal user born from 65.254.39.146
    Illegal user born from 65.254.39.146
    Illegal user born from 65.254.39.146
    Illegal user boyscout from 65.254.39.146
    Illegal user boobs from 65.254.39.146
    Illegal user boyscout from 65.254.39.146
    Illegal user boyscout from 65.254.39.146
    Illegal user boyscout from 65.254.39.146
    Illegal user bradley from 65.254.39.146
    Illegal user book from 65.254.39.146
    Illegal user bradley from 65.254.39.146
    Illegal user bradley from 65.254.39.146
    Illegal user bradley from 65.254.39.146
    Illegal user brandi from 65.254.39.146
    Illegal user born from 65.254.39.146
    Illegal user brandi from 65.254.39.146
    Illegal user brandi from 65.254.39.146
    Illegal user brandi from 65.254.39.146
    Illegal user brandy from 65.254.39.146
    Illegal user boyscout from 65.254.39.146
    Illegal user brandy from 65.254.39.146
    Illegal user brandy from 65.254.39.146
    Illegal user brandy from 65.254.39.146
    Illegal user bravo from 65.254.39.146
    Illegal user bradley from 65.254.39.146
    Illegal user bravo from 65.254.39.146
    Illegal user bravo from 65.254.39.146
    Illegal user bravo from 65.254.39.146
    Illegal user break from 65.254.39.146
    Illegal user break from 65.254.39.146
    Illegal user brandi from 65.254.39.146
    Illegal user break from 65.254.39.146
    Illegal user break from 65.254.39.146
    Illegal user breast from 65.254.39.146
    Illegal user breast from 65.254.39.146
    Illegal user brandy from 65.254.39.146
    Illegal user breast from 65.254.39.146
    Illegal user breast from 65.254.39.146
    Illegal user brenda from 65.254.39.146
    Illegal user bravo from 65.254.39.146
    Illegal user brenda from 65.254.39.146
    Illegal user brenda from 65.254.39.146
    Illegal user brenda from 65.254.39.146
    Illegal user brian from 65.254.39.146
    Illegal user break from 65.254.39.146
    Illegal user brian from 65.254.39.146
    Illegal user brian from 65.254.39.146
    Illegal user brian from 65.254.39.146
    Illegal user bridget from 65.254.39.146
    Illegal user bridget from 65.254.39.146
    Illegal user breast from 65.254.39.146
    Illegal user bridget from 65.254.39.146
    Illegal user bridget from 65.254.39.146
    Illegal user broadway from 65.254.39.146
    Illegal user broadway from 65.254.39.146
    Illegal user brenda from 65.254.39.146
    Illegal user broadway from 65.254.39.146
    Illegal user broadway from 65.254.39.146
    Illegal user brothel from 65.254.39.146
    Illegal user brothel from 65.254.39.146
    Illegal user brian from 65.254.39.146
    Illegal user brothel from 65.254.39.146
    Illegal user brothel from 65.254.39.146
    Illegal user brunette from 65.254.39.146
    Illegal user brunette from 65.254.39.146
    Illegal user bridget from 65.254.39.146
    Illegal user brunette from 65.254.39.146
    Illegal user brunette from 65.254.39.146
    Illegal user brute from 65.254.39.146
    Illegal user brute from 65.254.39.146
    Illegal user broadway from 65.254.39.146

    *** Goes like this all the way from A to Z ***
     
  8. MMarko

    MMarko Well-Known Member

    Joined:
    Apr 18, 2005
    Messages:
    316
    Likes Received:
    0
    Trophy Points:
    16
    Dictionary brute force attack. Change default ports and install BFD, and do a little search on this forum.
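What MMarko calls a dictionary brute force attack has a clear fingerprint in rogcan's log: one source IP cycling through a wordlist of usernames, each tried a handful of times. The script below is an added example, not part of the thread or of BFD; it applies a BFD-style trigger (5, the default rule level chirpy mentions) to "Illegal user <name> from <ip>" lines as older OpenSSH wrote them to the secure log, also accepts the newer "Invalid user" wording, and separates a wordlist walk from a single user mistyping their own name. The sample lines are constructed (the 198.51.100.7 host is invented), and the hosts.deny output answers hostseeker's question in tcp_wrappers syntax.

```python
"""BFD-style detection of SSH dictionary attacks (added example)."""
import re
from collections import Counter, defaultdict

# Older OpenSSH logged "Illegal user", newer releases log "Invalid user".
ILLEGAL_RE = re.compile(
    r"(?:Illegal|Invalid) user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: one source walking an alphabetical wordlist (as in
# rogcan's post) plus an invented host where a real user mistyped twice.
SAMPLE_LOG = """\
Illegal user book from 65.254.39.146
Illegal user book from 65.254.39.146
Illegal user born from 65.254.39.146
Illegal user boyscout from 65.254.39.146
Illegal user bradley from 65.254.39.146
Illegal user brandi from 65.254.39.146
Invalid user brandy from 65.254.39.146
Illegal user jsmithh from 198.51.100.7
Illegal user jsmith1 from 198.51.100.7
"""


def tally_attempts(log_text):
    """Return {ip: Counter(username -> attempts)} for illegal-user lines."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip][user] += 1
    return dict(attempts)


def classify(attempts, trigger=5, min_distinct_users=3):
    """Per source IP: 'ok' below the trigger, 'ban' at or above it, and
    'dictionary' when the failures also spread over many distinct
    usernames, the pattern of a wordlist walk rather than a typo."""
    verdicts = {}
    for ip, users in attempts.items():
        total = sum(users.values())
        distinct = len(users)
        if total >= trigger:
            kind = "dictionary" if distinct >= min_distinct_users else "ban"
        else:
            kind = "ok"
        verdicts[ip] = {"total": total, "distinct_users": distinct,
                        "verdict": kind, "users": sorted(users)}
    return verdicts


def hosts_deny_lines(verdicts, daemon="sshd"):
    """Render /etc/hosts.deny entries (tcp_wrappers syntax, e.g.
    'sshd: 65.254.39.146') for every source that earned a ban. This only
    takes effect for daemons linked against libwrap; a packet filter
    such as APF blocks the source for every port."""
    return [f"{daemon}: {ip}" for ip, v in sorted(verdicts.items())
            if v["verdict"] != "ok"]


if __name__ == "__main__":
    verdicts = classify(tally_attempts(SAMPLE_LOG))
    for ip, v in verdicts.items():
        print(ip, v["verdict"], v["total"], "attempts,",
              v["distinct_users"], "distinct users")
    print("\n".join(hosts_deny_lines(verdicts)))
```

The distinct-user test is what keeps a legitimate customer who fumbles a login from being banned alongside the scanner; tune `trigger` and `min_distinct_users` to match the BFD rule file for the daemon in question.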
     
  9. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I updated logwatch using some instructions I found on Chirpy's blog and find the new report provides a bit better detail on IMAP connections
     