Hi,

Finally got around to installing a log monitoring tool (logwatch) this
morning. I'm not sure why it doesn't give me any output for any services
other than syslogd (maybe cuz all the other services are dumping into
/var/log/messages?), but while looking through /var/log/messages for
stuff that logwatch might find, I saw something that made my heart skip
a beat.

There are a number of vpopmail entries like this:

Nov 6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail postmaster@×××××.com:80.104.163.225
Nov 6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login success postmaster@×××××.com:80.104.163.225

Always in pairs like that... mostly with different addresses, and
addresses that I don't recognize. My brother and I are the only people
who should be able to log into the postmaster account, and we rarely do
so, so...

The question is, has my vpopmail been hacked or is this somehow a
typical vpopmail occurrence? Going back through messages, there are
entries like this every day. So maybe, for some strange reason vpopmail
prints this entry in the logs periodically?

Ben
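
An added example, not part of the original post: one way to pull the fail-then-success pairs described above out of /var/log/messages and list which source IPs logged in to each account. The line format is assumed from the two entries quoted in the post; the function names, hostname, accounts and IP addresses in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two vchkpw-smtp line shapes quoted in the post (format assumed from them).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+vpopmail\[\d+\]:\s+vchkpw-smtp:\s+"
    r"(?:\(\w+\)\s+)?(?P<event>password fail|login success)\s+"
    r"(?P<account>\S+@[^\s:]+):(?P<ip>[\d.]+)\s*$"
)

def parse(lines, year=2000):
    """Yield (timestamp, event, account, ip) for each vchkpw-smtp auth line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["event"], m["account"], m["ip"]

def fail_then_success(lines, window=timedelta(seconds=60)):
    """Return (account, ip, fail_time, success_time) for each success that
    follows a failure on the same account from the same IP within `window`."""
    last_fail, pairs = {}, []
    for ts, event, account, ip in parse(lines):
        key = (account, ip)
        if event == "password fail":
            last_fail[key] = ts
        else:
            fail_ts = last_fail.pop(key, None)
            if fail_ts is not None and ts - fail_ts <= window:
                pairs.append((account, ip, fail_ts, ts))
    return pairs

def ips_per_account(lines):
    """Map each account to the set of source IPs with a successful login."""
    seen = defaultdict(set)
    for _, event, account, ip in parse(lines):
        if event == "login success":
            seen[account].add(ip)
    return dict(seen)

# Constructed sample lines (documentation IP ranges, example.com accounts).
SAMPLE = [
    "Nov  6 10:21:51 mailhost vpopmail[29101]: vchkpw-smtp: password fail postmaster@example.com:192.0.2.10",
    "Nov  6 10:21:57 mailhost vpopmail[29103]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:192.0.2.10",
    "Nov  6 11:02:13 mailhost vpopmail[29210]: vchkpw-smtp: (PLAIN) login success user@example.com:198.51.100.7",
    "Nov  6 12:40:00 mailhost vpopmail[29300]: vchkpw-smtp: password fail postmaster@example.com:203.0.113.5",
]
```

To run it on a real log, pass an open file handle for /var/log/messages to either function in place of SAMPLE.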