[Dovecot] dovecot under attack

Jon Slater jon.slater at mesanetworks.net
Sat Jun 16 17:10:43 EEST 2007 

Hi,

 

I’ve posted this before but no one was able to help.  I can’t figure out
what they are trying to do, and if I should be concerned.

 

I am running dovecot version 0.99.14 on Fedora Core 4.  It appears that my
dovecot server is under attack.  This morning in my system e-mail I saw
this:



     dovecot:

         Authentication Failures:

             rhost= : 23431 Time(s)

            adm: 33 Time(s)

            bin: 33 Time(s)

            mail: 33 Time(s)

            mysql: 21 Time(s)

            nobody: 15 Time(s)

            news: 14 Time(s)

            operator: 8 Time(s)

            sshd: 2 Time(s)

         Unknown Entries:

            check pass; user unknown: 23431 Time(s)

 

But, when I check my log files I can’t find an IP address for the attacker.
So, for example, if I search my logs for “operator” I see:

./messages:Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:16 lambdacenter dovecot(pam_unix)[16332]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:20 lambdacenter dovecot(pam_unix)[16480]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:27 lambdacenter dovecot(pam_unix)[16695]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:38 lambdacenter dovecot(pam_unix)[16884]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:31:55 lambdacenter dovecot(pam_unix)[17080]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator

./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user
pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user
pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971878.710:156707): user
pid=16332 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971882.379:156775): user
pid=16480 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181971908.712:156879): user
pid=16695 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181972032.080:156904): user
pid=16884 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181972047.607:156917): user
pid=17080 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

./audit/audit.log:type=USER_AUTH msg=audit(1181972066.325:156928): user
pid=17182 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'

 

I’ve checked my snmplog for port activity on port 110 (for POP3) and 143
(for IMAP), but I don’t see anything unusual.  I also systematically
filtered out everything I knew was okay (ssh, and httpd) .

 

Does anyone know what this is?  Or someone I could ask?

 

Thanks!!!!!!!!!!!!!!!!!!!!

 

Jon


No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.472 / Virus Database: 269.8.17/850 - Release Date: 6/15/2007
11:31 AM

More information about the dovecot mailing list