I cannot help with the specific question, but in my opinion, your first
and primary goal should be to get that server updated to 1.0.1 ASAP...
Hi,
I’ve posted this before but no one was able to help. I can’t figure out
what they are trying to do, and if I should be concerned.
I am running dovecot version 0.99.14 on Fedora Core 4. It appears that my
dovecot server is under attack. This morning in my system e-mail I saw
this:
dovecot:
Authentication Failures:
rhost= : 23431 Time(s)
adm: 33 Time(s)
bin: 33 Time(s)
mail: 33 Time(s)
mysql: 21 Time(s)
nobody: 15 Time(s)
news: 14 Time(s)
operator: 8 Time(s)
sshd: 2 Time(s)
Unknown Entries:
check pass; user unknown: 23431 Time(s)
But, when I check my log files I can’t find an IP address for the attacker.
So, for example, if I search my logs for “operator” I see:
./messages:Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:16 lambdacenter dovecot(pam_unix)[16332]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:20 lambdacenter dovecot(pam_unix)[16480]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:27 lambdacenter dovecot(pam_unix)[16695]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:38 lambdacenter dovecot(pam_unix)[16884]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:31:55 lambdacenter dovecot(pam_unix)[17080]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./messages:Jun 15 23:32:11 lambdacenter dovecot(pam_unix)[17182]:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=operator
./audit/audit.log:type=USER_AUTH msg=audit(1181971858.967:156312): user
pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971862.772:156382): user
pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971878.710:156707): user
pid=16332 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971882.379:156775): user
pid=16480 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181971908.712:156879): user
pid=16695 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972032.080:156904): user
pid=16884 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972047.607:156917): user
pid=17080 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
./audit/audit.log:type=USER_AUTH msg=audit(1181972066.325:156928): user
pid=17182 uid=0 auid=4294967295 msg='PAM authentication: user=operator
exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=?
result=Authentication failure)'
I’ve checked my snmplog for port activity on port 110 (for POP3) and 143
(for IMAP), but I don’t see anything unusual. I also systematically
filtered out everything I knew was okay (ssh and httpd).
Does anyone know what this is? Or someone I could ask?
Thanks!
Jon
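The two log formats quoted above (pam_unix lines in /var/log/messages and USER_AUTH records in audit.log) share the PID of the dovecot-auth process, so they can be joined and checked mechanically. The script below is an added illustration, not part of Jon's post or of anything in this thread. It runs over constructed sample lines modelled on the post: the dovecot entries mirror the quoted ones (rhost= and addr=? both empty), and two invented sshd entries show what the same pam_unix and audit fields look like when a remote address is present. The hostname lambdacenter, the PIDs, the timestamps and the address 192.0.2.10 are all sample values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records in the two formats shown in the post. The dovecot
# lines mirror the post (rhost= and addr=? are empty); the sshd lines are
# invented to show populated rhost/addr fields for comparison.
SYSLOG_SAMPLE = """\
Jun 15 23:30:56 lambdacenter dovecot(pam_unix)[15512]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
Jun 15 23:31:00 lambdacenter dovecot(pam_unix)[15670]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=operator
Jun 15 23:31:03 lambdacenter dovecot(pam_unix)[15701]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=adm
Jun 15 23:31:05 lambdacenter sshd(pam_unix)[15720]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
"""

AUDIT_SAMPLE = """\
type=USER_AUTH msg=audit(1181971858.967:156312): user pid=15512 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
type=USER_AUTH msg=audit(1181971862.772:156382): user pid=15670 uid=0 auid=4294967295 msg='PAM authentication: user=operator exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=? result=Authentication failure)'
type=USER_AUTH msg=audit(1181971867.101:156401): user pid=15720 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh result=Authentication failure)'
"""

# pam_unix "authentication failure" line: service, PID, rhost and user.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>[\w.-]+)\(pam_unix\)"
    r"\[(?P<pid>\d+)\]: authentication failure;.*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

# audit USER_AUTH record: PID, user, executable, addr and result.
AUDIT_RE = re.compile(
    r"^type=USER_AUTH msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): user pid=(?P<pid>\d+) "
    r'.*?user=(?P<user>\S+) exe="(?P<exe>[^"]+)" \(hostname=(?P<hostname>[^,]+), '
    r"addr=(?P<addr>[^,]+), terminal=(?P<terminal>\S+) result=(?P<result>[^)]+)\)"
)


def parse_syslog(text):
    """Return one dict per pam_unix failure line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            events.append(d)
    return events


def parse_audit(text):
    """Return one dict per USER_AUTH record; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            events.append(d)
    return events


def correlate(syslog_events, audit_events, service="dovecot"):
    """Join syslog failures for one PAM service to audit records on PID.

    Reports failures per user, every distinct source address either log
    recorded (an empty rhost or addr=? contributes nothing), and how many
    syslog lines found a matching audit record."""
    audit_by_pid = {e["pid"]: e for e in audit_events}
    failures = Counter()
    sources = defaultdict(set)
    matched = unmatched = 0
    for ev in syslog_events:
        if ev["svc"] != service:
            continue
        failures[ev["user"]] += 1
        if ev["rhost"]:
            sources[ev["user"]].add(ev["rhost"])
        rec = audit_by_pid.get(ev["pid"])
        if rec is None:
            unmatched += 1
            continue
        matched += 1
        if rec["addr"] != "?":
            sources[ev["user"]].add(rec["addr"])
    return {
        "failures": dict(failures),
        "sources": {u: sorted(s) for u, s in sources.items()},
        "matched_audit": matched,
        "unmatched_audit": unmatched,
    }


def burst_rate(syslog_events, service="dovecot"):
    """Failures per minute over the observed window for one service.

    Syslog timestamps carry no year; only differences are used, so that
    does not matter."""
    stamps = sorted(
        datetime.strptime(e["ts"], "%b %d %H:%M:%S")
        for e in syslog_events if e["svc"] == service
    )
    if len(stamps) < 2:
        return float(len(stamps))
    span = (stamps[-1] - stamps[0]).total_seconds()
    return len(stamps) * 60.0 / max(span, 1.0)


if __name__ == "__main__":
    sys_ev, aud_ev = parse_syslog(SYSLOG_SAMPLE), parse_audit(AUDIT_SAMPLE)
    for svc in ("dovecot", "sshd"):
        print(svc, correlate(sys_ev, aud_ev, svc), "%.1f/min" % burst_rate(sys_ev, svc))
```

Run against the real files (cat messages | python3 ... or paste the file contents into the two strings), the join on PID confirms what Jon saw by eye: the dovecot records in both sources carry no address at all, so nothing more can be extracted from those two files, while the sshd records show the fields populated for a service that hands the client address to PAM. The per-user counts and the burst rate are what distinguish a dictionary run against system account names from stray client misconfiguration. Any remote address for the dovecot attempts has to come from somewhere other than PAM, for example the dovecot login process's own logging or a capture on ports 110 and 143.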