| 1 |
Based on your log entries, it looks like somebody discovered your |
| 2 |
'postmaster@×××××.com' password and is using it to relay messages. |
| 3 |
|
| 4 |
Did you check your qmail-send log around the same time? It would have |
| 5 |
more details, showing if it's relaying emails. |
| 6 |
|
| 7 |
You also might try changing your postmaster's password to something |
| 8 |
really cryptic, & see if those log entries still appear. |
| 9 |
|
| 10 |
HTH, |
| 11 |
Rich Yumul |
| 12 |
|
| 13 |
|
| 14 |
Ben Munat wrote: |
| 15 |
|
| 16 |
> I posted the following on the weekend and it seems to have been |
| 17 |
> overlooked. If no one really has any ideas, I'm sorry for the repost, |
| 18 |
> but, I would think that someone here has used vpopmail... I'm really |
| 19 |
> hoping that this is something that vpopmail puts in the logs normally! |
| 20 |
> |
| 21 |
> Here's my previous post: |
| 22 |
> |
| 23 |
> Finally got around to installing a log monitoring tool (logwatch) this |
| 24 |
> morning. I'm not sure why it doesn't give me any output for any services |
| 25 |
> other than syslogd (maybe cuz all the other services are dumping into |
| 26 |
> /var/log/messages?), but while looking through /var/log/messages for |
| 27 |
> stuff that logwatch might find, I saw something that made my heart skip |
| 28 |
> a beat. |
| 29 |
> |
| 30 |
> There are a number of vpopmail entries like this: |
| 31 |
> |
| 32 |
> Nov 6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail |
| 33 |
> postmaster@×××××.com:80.104.163.225 |
| 34 |
> Nov 6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login |
| 35 |
> success postmaster@×××××.com:80.104.163.225 |
| 36 |
> |
| 37 |
> Always in pairs like that... mostly with different addresses, and |
| 38 |
> addresses that I don't recognize. My brother and I are the only people |
| 39 |
> who should be able to log into the postmaster account, and we rarely do |
| 40 |
> so, so... |
| 41 |
> |
| 42 |
> The question is, has my vpopmail been hacked or is this somehow a |
| 43 |
> typical vpopmail occurrence? Going back through messages, there are |
| 44 |
> entries like this every day. So maybe, for some strange reason vpopmail |
| 45 |
> prints this entry in the logs periodically? |
| 46 |
> |
| 47 |
> Ben |
| 48 |
> |
| 49 |
> |
| 50 |
> |
| 51 |
> |
| 52 |
|
| 53 |
-- |
| 54 |
------------------------------------------------------------------------ |
| 55 |
Richard M Yumul |
| 56 |
rmy@×××××××××.com <mailto:rmy@×××××××××.com> |
| 57 |
SDTechnix |
| 58 |
http://www.sdtechnix.com |
| 59 |
------------------------------------------------------------------------ |
Archives