| 1 |
Hi, |
| 2 |
|
| 3 |
Finally got around to installing a log monitoring tool (logwatch) this |
| 4 |
morning. I'm not sure why it doesn't give me any output for any services |
| 5 |
other than syslogd (maybe cuz all the other services are dumping into |
| 6 |
/var/log/messages?), but while looking through /var/log/messages for |
| 7 |
stuff that logwatch might find, I saw something that made my heart skip |
| 8 |
a beat. |
| 9 |
|
| 10 |
There are a number of vpopmail entries like this: |
| 11 |
|
| 12 |
Nov 6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail |
| 13 |
postmaster@×××××.com:80.104.163.225 |
| 14 |
Nov 6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login |
| 15 |
success postmaster@×××××.com:80.104.163.225 |
| 16 |
|
| 17 |
Always in pairs like that... mostly with different addresses, and |
| 18 |
addresses that I don't recognize. My brother and I are the only people |
| 19 |
who should be able to log into the postmaster account, and we rarely do |
| 20 |
so, so... |
| 21 |
|
| 22 |
The question is, has my vpopmail been hacked or is this somehow a |
| 23 |
typical vpopmail occurrence? Going back through messages, there are |
| 24 |
entries like this every day. So maybe, for some strange reason vpopmail |
| 25 |
prints this entry in the logs periodically? |
| 26 |
|
| 27 |
Ben |
Archives