Security: Suspected POP3 Logins #161
Comments
```
root@MY-SERVER.COM
Time: Wed Feb 27 19:51:37 2019 +0800
Executable: /usr/lib/dovecot/pop3-login
Command Line (often faked in exploits):
Network connections by the process (if any):
Files open by the process (if any):
Memory maps by the process (if any):
557795e42000-557795e47000 r-xp 00000000 fd:01 268221 /usr/lib/dovecot/pop3-login
```
Can you please also send the dovecot logs? The output of your mail does not give any usable information.
Also, the communication is from your server to the IP, so it is outbound communication. Hestia does not install CSF by default, so I can't give you support here.
Hi. I understood. I'm posting the info here, in case you come to know this as an exploit too.

```
Feb 27 19:50:06 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=155.94.137.56, lip=MY-HESTIA-SERVER-IP, session=
```
Can't see any exploit or anything suspicious in the log files. Looks like 155.94.137.56 wants to brute force your email service(s). Can you check your fail2ban config to see if he got blocked? Reading the logs, it looks like he was.
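Added example (not part of the thread, and not Hestia's or Dovecot's code): tallying Dovecot login-process log lines per remote IP to separate connections that never authenticated from failed password attempts, which is the distinction the triage above turns on. The sample lines are constructed in the format quoted above, using documentation IP addresses, and the `min_failed` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log line quoted in the thread.
# Addresses are RFC 5737 documentation IPs, not values from the issue.
SAMPLE_LOG = """\
Feb 27 19:50:06 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, session=<s1>
Feb 27 19:50:07 pop3-login: Info: Disconnected (auth failed, 3 attempts in 9 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<s2>
Feb 27 19:50:09 pop3-login: Info: Aborted login (auth failed, 2 attempts in 4 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<s3>
Feb 27 19:52:10 pop3-login: Info: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, mpid=4242, session=<s4>
Feb 27 19:53:00 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=198.51.100.4, lip=192.0.2.10, session=<s5>
"""

LINE_RE = re.compile(
    r"(?:pop3|imap)-login: Info: (?P<event>Disconnected|Aborted login|Login)"
    r"(?: \((?P<reason>[^)]*)\))?: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)"
)
ATTEMPTS_RE = re.compile(r"(\d+) attempts")


def summarize(lines):
    """Count probes, failed auth attempts and successful logins per remote IP."""
    stats = defaultdict(lambda: {"probes": 0, "failed": 0, "ok": 0, "users": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated line, or a message shape not covered here
        entry = stats[m["rip"]]
        reason = m["reason"] or ""
        if m["event"] == "Login":
            entry["ok"] += 1
        elif "auth failed" in reason:
            n = ATTEMPTS_RE.search(reason)
            entry["failed"] += int(n.group(1)) if n else 1
            entry["users"].add(m["user"])
        elif reason.startswith("no auth attempts"):
            entry["probes"] += 1  # connected and left without authenticating
    return dict(stats)


def suspects(stats, min_failed=3):
    """IPs with at least min_failed failed attempts and no successful login."""
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] >= min_failed and s["ok"] == 0)


if __name__ == "__main__":
    for ip in suspects(summarize(SAMPLE_LOG.splitlines())):
        print(ip)
```

A line like the one quoted in the thread counts only as a probe, since it records no authentication attempt at all.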
Hi Raphael,
OK, I will close the issue for now. Please reopen it if you've got any additional information.
My server : (Ubuntu16.04, Hestia(25)+ apache2+Nginx+Dovecot+CSF)
Suddenly CSF ConfigFireWall LFD sent me over 30 emails within a minute.
Someone is trying to use my POP3 service.
Possibly trying to hack system files?
For the time being, I disabled POP3 on Dovecot.