Hi Jon,
I cannot help with the specific question, but in my opinion, your first and primary goal should be to get that server updated to 1.0.1 asap...
0.99.x is no longer supported - and *very* dated...
Jon Slater wrote:
Hi,
I’ve posted this before but no one was able to help. I can’t figure out what they are trying to do, and if I should be concerned.
I am running dovecot version 0.99.14 on Fedora Core 4. It appears that my dovecot server is under attack. This morning in my system e-mail I saw this:
dovecot: Authentication Failures: rhost= : 23431 Time(s) adm: 33 Time(s) bin: 33 Time(s) mail: 33 Time(s) mysql: 21 Time(s) nobody: 15 Time(s) news: 14 Time(s) operator: 8 Time(s) sshd: 2 Time(s) Unknown Entries: check pass; user unknown: 23431 Time(s)
But, when I check my log files I can’t find an IP address for the attacker. So, for example, if I search my logs for “operator” I see:
./messages:Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:31:16 lambdacenter dovecot(pam_unix)[16332]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:31:20 lambdacenter dovecot(pam_unix)[16480]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:31:27 lambdacenter dovecot(pam_unix)[16695]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:31:38 lambdacenter dovecot(pam_unix)[16884]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:31:55 lambdacenter dovecot(pam_unix)[17080]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=operator
./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971878.710:156707): user pid=16332 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971882.379:156775): user pid=16480 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971908.712:156879): user pid=16695 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972032.080:156904): user pid=16884 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972047.607:156917): user pid=17080 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972066.325:156928): user pid=17182 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
I’ve checked my snmplog for port activity on port 110 (for POP3) and 143 (for IMAP), but I don’t see anything unusual. I also systematically filtered out everything I knew was okay (ssh, and httpd).
Does anyone know what this is? Or someone I could ask?
Thanks!!!!!!!!!!!!!!!!!!!!
Jon
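Added example (not part of Jon's post or of Dovecot itself): a small Python script that parses the pam_unix and audit.log entries quoted above, counts failures per user the way the logwatch summary does, and correlates the two logs by pid to show why no source turns up: rhost= is empty and audit's addr=? means PAM was never handed a client address, so these records cannot name the source. The sample lines are constructed from the quoted ones; the rhost=192.0.2.10 entry is invented to show what a populated field looks like.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the syslog and audit.log entries in the
# post (same field layout). The 192.0.2.10 line is invented for contrast.
SYSLOG_LINES = [
    "Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=operator",
    "Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=operator",
    "Jun 15 23:31:05 lambdacenter dovecot(pam_unix)[15700]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=adm",
]
AUDIT_LINES = [
    "type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 auid=4294967295 "
    "msg='PAM authentication: user=operator exe=\"/usr/libexec/dovecot/dovecot-auth\" "
    "(hostname=?, addr=?, terminal=? result=Authentication failure)'",
]

PAM_RE = re.compile(r"dovecot\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure; (?P<kv>.*)$")
AUDIT_RE = re.compile(r"type=USER_AUTH .* pid=(?P<pid>\d+) .*\(hostname=(?P<host>[^,]*), "
                      r"addr=(?P<addr>[^,]*), .*result=(?P<result>[^)]*)\)")

def parse_kv(fields):
    """'logname= uid=0 ... rhost= user=operator' -> dict; empty values stay ''."""
    return dict(tok.split("=", 1) for tok in fields.split() if "=" in tok)

def summarize(syslog_lines, audit_lines):
    """Count PAM failures per user and collect each user's source addresses.
    When syslog has no rhost, fall back to the audit USER_AUTH record with the
    same pid. '<unknown>' means neither log recorded a client address."""
    audit_by_pid = {m["pid"]: m.groupdict()
                    for m in map(AUDIT_RE.search, audit_lines) if m}
    per_user, sources = Counter(), defaultdict(set)
    for line in syslog_lines:
        m = PAM_RE.search(line)
        if not m:
            continue
        kv = parse_kv(m["kv"])
        user = kv.get("user", "?")
        per_user[user] += 1
        src = kv.get("rhost", "")
        audit = audit_by_pid.get(m["pid"])
        if not src and audit and audit["addr"] != "?":
            src = audit["addr"]  # audit only has addr if PAM was given one
        sources[user].add(src or "<unknown>")
    return per_user, dict(sources)

if __name__ == "__main__":
    counts, srcs = summarize(SYSLOG_LINES, AUDIT_LINES)
    for user, n in counts.most_common():
        print(f"{user}: {n} failure(s) from {sorted(srcs[user])}")
```

Every `<unknown>` in the output is a failure whose source can only be recovered from Dovecot's own connection logging or from network-level data, not from PAM or auditd.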