Security: Suspected POP3 Logins

[vvcares]

My server : (Ubuntu16.04, Hestia(25)+ apache2+Nginx+Dovecot+CSF)
Suddenly CSF ConfigFireWall LFD - sent me 30 over emails within a minute.
someone trying to use my POP3 service.
Possible trying to hack system files ?

For time being I disabled POP3 on dovecot.

[vvcares]

`root@MY-SERVER.COM
7:51 PM (26 minutes ago)
to root

Time: Wed Feb 27 19:51:37 2019 +0800
PID: 27387 (Parent PID:32078)
Account: dovenull
Uptime: 87 seconds

Executable:

/usr/lib/dovecot/pop3-login

Command Line (often faked in exploits):
dovecot/pop3-login

Network connections by the process (if any):
tcp: MY-SERVER-IP:110 -> 155.94.137.56:55522

Files open by the process (if any):
/dev/null
/dev/null
/run/dovecot/login-master-notify626138b8d2d6e649 (deleted)
/dev/urandom
anon_inode:[eventpoll]

Memory maps by the process (if any):

557795e42000-557795e47000 r-xp 00000000 fd:01 268221 /usr/lib/dovecot/pop3-login
557796047000-557796048000 r--p 00005000 fd:01 268221 /usr/lib/dovecot/pop3-login
557796048000-557796049000 rw-p 00006000 fd:01 268221 /usr/lib/dovecot/pop3-login
557796849000-557796895000 rw-p 00000000 00:00 0 [heap]
7f342614c000-7f342614f000 r-xp 00000000 fd:01 59416 /lib/x86_64-linux-gnu/libdl-2.23.so
7f342614f000-7f342634e000 ---p 00003000 fd:01 59416 /lib/x86_64-linux-gnu/libdl-2.23.so
7f342634e000-7f342634f000 r--p 00002000 fd:01 59416 /lib/x86_64-linux-gnu/libdl-2.23.so
7f342634f000-7f3426350000 rw-p 00003000 fd:01 59416 /lib/x86_64-linux-gnu/libdl-2.23.so
7f3426350000-7f342656b000 r-xp 00000000 fd:01 2141 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f342656b000-7f342676a000 ---p 0021b000 fd:01 2141 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f342676a000-7f3426786000 r--p 0021a000 fd:01 2141 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3426786000-7f3426792000 rw-p 00236000 fd:01 2141 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3426792000-7f3426795000 rw-p 00000000 00:00 0
7f3426795000-7f34267f3000 r-xp 00000000 fd:01 2140 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f34267f3000-7f34269f3000 ---p 0005e000 fd:01 2140 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f34269f3000-7f34269f7000 r--p 0005e000 fd:01 2140 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f34269f7000-7f34269fe000 rw-p 00062000 fd:01 2140 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f34269fe000-7f3426bbe000 r-xp 00000000 fd:01 59431 /lib/x86_64-linux-gnu/libc-2.23.so
7f3426bbe000-7f3426dbe000 ---p 001c0000 fd:01 59431 /lib/x86_64-linux-gnu/libc-2.23.so
7f3426dbe000-7f3426dc2000 r--p 001c0000 fd:01 59431 /lib/x86_64-linux-gnu/libc-2.23.so
7f3426dc2000-7f3426dc4000 rw-p 001c4000 fd:01 59431 /lib/x86_64-linux-gnu/libc-2.23.so
7f3426dc4000-7f3426dc8000 rw-p 00000000 00:00 0
7f3426dc8000-7f3426ebd000 r-xp 00000000 fd:01 268610 /usr/lib/dovecot/libdovecot.so.0.0.0
7f3426ebd000-7f34270bc000 ---p 000f5000 fd:01 268610 /usr/lib/dovecot/libdovecot.so.0.0.0
7f34270bc000-7f34270c0000 r--p 000f4000 fd:01 268610 /usr/lib/dovecot/libdovecot.so.0.0.0
7f34270c0000-7f34270c1000 rw-p 000f8000 fd:01 268610 /usr/lib/dovecot/libdovecot.so.0.0.0
7f34270c1000-7f34270c4000 rw-p 00000000 00:00 0
7f34270c4000-7f34270de000 r-xp 00000000 fd:01 268565 /usr/lib/dovecot/libdovecot-login.so.0.0.0
7f34270de000-7f34272dd000 ---p 0001a000 fd:01 268565 /usr/lib/dovecot/libdovecot-login.so.0.0.0
7f34272dd000-7f34272df000 r--p 00019000 fd:01 268565 /usr/lib/dovecot/libdovecot-login.so.0.0.0
7f34272df000-7f34272e0000 rw-p 0001b000 fd:01 268565 /usr/lib/dovecot/libdovecot-login.so.0.0.0
7f34272e0000-7f3427306000 r-xp 00000000 fd:01 59417 /lib/x86_64-linux-gnu/ld-2.23.so
7f34274f7000-7f34274fb000 rw-p 00000000 00:00 0
7f3427504000-7f3427505000 rw-p 00000000 00:00 0
7f3427505000-7f3427506000 r--p 00025000 fd:01 59417 /lib/x86_64-linux-gnu/ld-2.23.so
7f3427506000-7f3427507000 rw-p 00026000 fd:01 59417 /lib/x86_64-linux-gnu/ld-2.23.so
7f3427507000-7f3427508000 rw-p 00000000 00:00 0
7ffe9ea14000-7ffe9ea35000 rw-p 00000000 00:00 0 [stack]
7ffe9ebc4000-7ffe9ebc7000 r--p 00000000 00:00 0 [vvar]
7ffe9ebc7000-7ffe9ebc9000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]`

[ScIT-Raphael]

Can you please send also dovecot logs? The output of your mail does not give out usable informations.

[ScIT-Raphael]

Also the communication is from your server to the ip, so outbound communication. Hestia does not install CSF by default, so I can't give you support here.

[vvcares]

Hi. I understood,
OUTBOUND - Thats I suspecting somehow they might injected the file and trying to initiate the connection.
CSF - Yes, its not Hestia's module. I installed myself (no need support for CSF here :-) )

Im posting the info here, if you may came to know this as an exploit too.

---

Feb 27 19:50:06 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:07 auth: Error: passwd-file(user,155.94.137.56,<7yV5xt6CZNibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:08 master: Warning: Sent SIGKILL to 100 pop3-login processes
Feb 27 19:50:08 master: Warning: service(pop3-login): process_limit (100) reached, client connections are being dropped
Feb 27 19:50:09 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<7yV5xt6CZNibXok4>
Feb 27 19:50:10 master: Warning: Sent SIGKILL to 100 pop3-login processes
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,<9Cl6xt6CadibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(user,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,<0ll7xt6Cc9ibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:11 auth: Error: passwd-file(test,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(backup,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,<H1B+xt6CmNibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,<35F+xt6CmdibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,<RZR+xt6CndibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,<Cvd+xt6Cm9ibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(server,155.94.137.56,<PqB/xt6Cn9ibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(info,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,<01mCxt6CsNibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,<9I2Cxt6CtdibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,<H+CCxt6Ct9ibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,<8c+Dxt6CwdibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,<+t2Dxt6CudibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(sales,155.94.137.56,<i+qExt6CvNibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,<4bKFxt6C0tibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,<i+eGxt6C2NibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,<H+WHxt6CydibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(staff,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(temp,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,<+fWIxt6C6dibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(support,155.94.137.56,<iI+Jxt6C1dibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,<R/uJxt6C8NibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,<5BKKxt6C8tibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(gast,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,<7NyKxt6C+dibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,<4/SKxt6C+NibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,<cDSLxt6C/dibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,<jlyLxt6C+9ibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,<s2CLxt6C/tibXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:12 auth: Error: passwd-file(guest,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(guest,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,<Q+OMxt6CBtmbXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,<5tSNxt6CE9mbXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(scan,155.94.137.56,<75yOxt6CHNmbXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(scan,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(spam,155.94.137.56,): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(scan,155.94.137.56,<X9+Oxt6CItmbXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:13 auth: Error: passwd-file(scan,155.94.137.56,<3eOPxt6CJNmbXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:14 auth: Error: passwd-file(scan,155.94.137.56,<Qf+kxt6CJ9mbXok4>): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 master: Warning: Sent SIGKILL to 99 pop3-login processes
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<9Cl6xt6CadibXok4>
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<0ll7xt6Cc9ibXok4>
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:14 pop3-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:50:16 master: Warning: Sent SIGKILL to 100 pop3-login processes
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<RZR+xt6CndibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<Cvd+xt6Cm9ibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<35F+xt6CmdibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<H1B+xt6CmNibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 master: Warning: Sent SIGKILL to 99 pop3-login processes
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<PqB/xt6Cn9ibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<01mCxt6CsNibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<9I2Cxt6CtdibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<H+CCxt6Ct9ibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<i+qExt6CvNibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<+t2Dxt6CudibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<8c+Dxt6CwdibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<H+WHxt6CydibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<4bKFxt6C0tibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<iI+Jxt6C1dibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<i+eGxt6C2NibXok4>
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:07 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<+fWIxt6C6dibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<R/uJxt6C8NibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<5BKKxt6C8tibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<4/SKxt6C+NibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<7NyKxt6C+dibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<jlyLxt6C+9ibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<cDSLxt6C/dibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<s2CLxt6C/tibXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<Q+OMxt6CBtmbXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<5tSNxt6CE9mbXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<75yOxt6CHNmbXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<X9+Oxt6CItmbXok4>
Feb 27 19:53:08 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<3eOPxt6CJNmbXok4>
Feb 27 19:53:09 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=, method=PLAIN, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<Qf+kxt6CJ9mbXok4>
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<+BGh0d6CLtmbXok4>
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<6yyh0d6CMNmbXok4>
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<8Cqi0d6COtmbXok4>
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:14 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<f6+i0d6CRdmbXok4>
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<+N6i0d6CQtmbXok4>
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<3fCj0d6CWdmbXok4>
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=<+i6k0d6CXNmbXok4>
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:53:15 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
Feb 27 19:59:19 auth: Error: passwd-file(operations@MY-OTHER.com,144.217.93.243): stat(/etc/exim4/domains/MY-OTHER.com/passwd) failed: No such file or directory
Feb 27 20:02:35 auth: Error: passwd-file(operations@MY-OTHER.com,144.217.90.83): stat(/etc/exim4/domains/MY-OTHER.com/passwd) failed: No such file or directory
Feb 27 20:09:30 imap-login: Info: Disconnected: Too many invalid commands (no auth attempts in 112 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bUTJC9+CvMB/AAAB>
Feb 27 20:09:38 master: Warning: Killed with signal 15 (by pid=29633 uid=0 code=kill)
Feb 27 20:09:38 master: Info: Dovecot v2.2.22 (fe789d2) starting up for imap (core dumps disabled)
Feb 27 20:12:45 master: Warning: Killed with signal 15 (by pid=30001 uid=0 code=kill)
Feb 27 20:12:45 master: Info: Dovecot v2.2.22 (fe789d2) starting up for imap, pop3 (core dumps disabled)
Feb 27 20:12:53 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 6 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<DhLbF9+CIKR/AAAB>
Feb 27 20:13:26 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 4 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<QoLWGd+CJKR/AAAB>
Feb 27 20:13:41 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 5 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<szG+Gt+CKqR/AAAB>
Feb 27 20:13:51 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 3 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<xJBaG9+CLqR/AAAB>
Feb 27 20:14:28 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 3 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<g0eOHd+CMKR/AAAB>
Feb 27 20:14:41 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 6 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<29VRHt+CNKR/AAAB>
Feb 27 20:16:45 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 3 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<8NSzJd+CTqR/AAAB>
Feb 27 20:17:02 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 4 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<c3+2Jt+CVKR/AAAB>
Feb 27 20:17:24 pop3-login: Info: Disconnected: Too many bad commands (no auth attempts in 3 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<PSsMKN+CVqR/AAAB>
Feb 27 20:17:38 master: Warning: Killed with signal 15 (by pid=31031 uid=0 code=kill)
Feb 27 20:17:38 master: Info: Dovecot v2.2.22 (fe789d2) starting up for imap (core dumps disabled)
Feb 27 20:35:46 auth: Error: passwd-file(operations@MY-OTHER.com,144.217.93.243): stat(/etc/exim4/domains/MY-OTHER.com/passwd) failed: No such file or directory

[ScIT-Raphael]

Cant see any exploit or suspecting in the log files. Looks like 155.94.137.56 want's to brute force your email service(s). Can you check your fail2ban config if he got blocked? Reading the logs it's look like he was.

[vvcares]

Hi Raphael,
Ok, as long your point of view is not a dangerous access, then ok for me.
Even i dont need this POP3, forgotten to disable. He reminded me LoL..

[ScIT-Raphael]

Ok, I will close the issue for now. Please reopen it if you've got any additional informations.