I posted the following on the weekend and it seems to have been
overlooked. If no one really has any ideas, I'm sorry for the repost,
but, I would think that someone here has used vpopmail... I'm really
hoping that this is something that vpopmail puts in the logs normally!

Here's my previous post:

Finally got around to installing a log monitoring tool (logwatch) this
morning. I'm not sure why it doesn't give me any output for any services
other than syslogd (maybe cuz all the other services are dumping into
/var/log/messages?), but while looking through /var/log/messages for
stuff that logwatch might find, I saw something that made my heart skip
a beat.

There are a number of vpopmail entries like this:

Nov 6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail postmaster@×××××.com:80.104.163.225
Nov 6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login success postmaster@×××××.com:80.104.163.225

Always in pairs like that... mostly with different addresses, and
addresses that I don't recognize. My brother and I are the only people
who should be able to log into the postmaster account, and we rarely do
so, so...

The question is, has my vpopmail been hacked or is this somehow a
typical vpopmail occurrence? Going back through messages, there are
entries like this every day. So maybe, for some strange reason vpopmail
prints this entry in the logs periodically?

Ben
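
One way to triage the pattern described in the post, as an added example that is not part of the original message: a script that groups vchkpw entries per account, lists the source addresses of successful logins that are not on a known list, and records each failure followed by a success from the same address within a time window. The line format is taken from the two entries quoted above; the sample lines, example.com, the IP addresses, the name `triage`, the `known_ips` parameter and the fixed year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in the post
# (documentation domain and IP ranges, not real data).
SAMPLE_LOG = """\
Nov  6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail postmaster@example.com:203.0.113.7
Nov  6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:203.0.113.7
Nov  6 11:02:10 munat vpopmail[29250]: vchkpw-smtp: password fail postmaster@example.com:198.51.100.23
Nov  6 11:02:15 munat vpopmail[29252]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:198.51.100.23
Nov  6 12:30:00 munat vpopmail[29400]: vchkpw-smtp: (PLAIN) login success ben@example.com:192.0.2.10
Nov  6 12:45:00 munat vpopmail[29410]: vchkpw-smtp: password fail ben@example.com:192.0.2.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+vpopmail\[\d+\]:\s+"
    r"vchkpw-\w+:\s+(?:\(\w+\)\s+)?(?P<event>password fail|login success)\s+"
    r"(?P<account>\S+):(?P<ip>[\d.]+)$"
)

def triage(log_text, window=timedelta(seconds=60), known_ips=frozenset()):
    """Summarise successful logins per account and fail-then-success pairs."""
    last_fail = {}  # (account, ip) -> time of the most recent failure
    report = defaultdict(
        lambda: {"unknown_success_ips": set(), "fail_then_success": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a vchkpw fail/success entry
        # syslog omits the year; a fixed one is assumed so times can be compared
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["account"], m["ip"])
        if m["event"] == "password fail":
            last_fail[key] = when
            continue
        entry = report[m["account"]]
        if m["ip"] not in known_ips:
            entry["unknown_success_ips"].add(m["ip"])
        failed = last_fail.pop(key, None)
        if failed is not None and when - failed <= window:
            gap = int((when - failed).total_seconds())
            entry["fail_then_success"].append((m["ip"], gap))
    return dict(report)

if __name__ == "__main__":
    for account, info in triage(SAMPLE_LOG, known_ips={"192.0.2.10"}).items():
        print(account, sorted(info["unknown_success_ips"]), info["fail_then_success"])
```

To run it against a real log, pass the contents of /var/log/messages as `log_text` and put the addresses the account owners normally connect from in `known_ips`.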