[Dovecot] dovecot under attack
Jon Slater
jon.slater at mesanetworks.net
Sat Jun 16 17:10:43 EEST 2007
Hi,
I’ve posted this before but no one was able to help. I can’t figure out
what they are trying to do, and if I should be concerned.
I am running dovecot version 0.99.14 on Fedora Core 4. It appears that my
dovecot server is under attack. This morning in my system e-mail I saw
this:
dovecot:
Authentication Failures:
rhost= : 23431 Time(s)
adm: 33 Time(s)
bin: 33 Time(s)
mail: 33 Time(s)
mysql: 21 Time(s)
nobody: 15 Time(s)
news: 14 Time(s)
operator: 8 Time(s)
sshd: 2 Time(s)
Unknown Entries:
check pass; user unknown: 23431 Time(s)
But, when I check my log files I can’t find an IP address for the attacker.
So, for example, if I search my logs for “operator” I see:
./messages:Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:16 lambdacenter dovecot(pam_unix)[16332]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:20 lambdacenter dovecot(pam_unix)[16480]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:27 lambdacenter dovecot(pam_unix)[16695]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:38 lambdacenter dovecot(pam_unix)[16884]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:55 lambdacenter dovecot(pam_unix)[17080]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user
pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user
pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971878.710:156707): user
pid=16332 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971882.379:156775): user
pid=16480 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971908.712:156879): user
pid=16695 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972032.080:156904): user
pid=16884 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972047.607:156917): user
pid=17080 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972066.325:156928): user
pid=17182 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
I’ve checked my snmplog for port activity on port 110 (for POP3) and 143
(for IMAP), but I don’t see anything unusual. I also systematically
filtered out everything I knew was okay (ssh, and httpd) .
Does anyone know what this is? Or someone I could ask?
Thanks!!!!!!!!!!!!!!!!!!!!
Jon
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.472 / Virus Database: 269.8.17/850 - Release Date: 6/15/2007
11:31 AM
More information about the dovecot
mailing list