Check your mail servers' logs too... not sure if it's related, but there
were entries (not included) from an attempt at user 'guest'. The 'asdf'
seems to be new, suppose they're somehow connected? (The ssh attacks
led to a compromised mail relay?) Or is this just a common attempt at
finding an already open/compromised relay?

From auth.log

Jul 27 09:27:18 <machine> saslauthd[13176]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:27:23 <machine> saslauthd[13177]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:27:28 <machine> saslauthd[13173]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
...
Jul 27 09:28:44 <machine> smtp(pam_unix)[13174]: check pass; user unknown
Jul 27 09:28:44 <machine> smtp(pam_unix)[13174]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 27 09:28:47 <machine> saslauthd[13174]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jul 27 09:28:47 <machine> saslauthd[13174]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 09:28:52 <machine> smtp(pam_unix)[13176]: check pass; user unknown
...

The corresponding entries in mail.log:

Jul 27 09:27:23 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:27:28 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
...
Jul 27 09:27:30 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed
Jul 27 09:28:55 <machine> postfix/smtpd[7547]: warning: unknown[222.183.141.122]: SASL LOGIN authentication failed

From a whois on the IP: (surprise, surprise)

inetnum:      222.176.0.0 - 222.183.255.255
netname:      CHINANET-CQ
descr:        CHINANET Chongqing province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN
admin-c:      CH93-AP
tech-c:       CQ235-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CHINANET-CQ
mnt-routes:   MAINT-CHINANET-CQ
changed:      hm-changed@×××××.net 20040203
remarks:      This object can only be changed by APNIC Hostmaster
status:       ALLOCATED PORTABLE
source:       APNIC

role:         CHINANET CQ
address:      The mainstreet 3 daping ,chongqing data communication bureau
country:      CN
phone:        +862368614888
fax-no:       +862368602314
e-mail:       abuse@××××××.cn
trouble:      send spam reports to abuse@××××××.cn
trouble:      and abuse reports to abuse@××××××.cn
admin-c:      ZL235-AP
tech-c:       ZL235-AP
nic-hdl:      CQ235-AP
remarks:      http://www.cta.cq.cn
notify:       abuse@××××××.cn
mnt-by:       MAINT-CHINANET-CQ
changed:      abuse@××××××.cn 20030917
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster@××××××××××××××.net
e-mail:       anti-spam@××××××××××××××.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@××××××××××××××.net 20021016
remarks:      hostmaster is not for spam complaint,please send spam complaint to anti-spam@××××××××××××××.net
source:       APNIC

-- 
===================================
Chris Ripp <chris@××××××××.com>
Ripp Technical Services
Web Design and Hosting
http://ripptech.com/

-- 
gentoo-security@g.o mailing list
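The two log excerpts above show why the question is hard to answer from either file alone: postfix/smtpd records the client address but not the username it tried, while saslauthd records the username but not the client. The script below, an added example that is not part of the original post or of any Gentoo tooling, joins the two streams on timestamp to build a per-source summary (failure count, first/last seen, usernames tried) and flags sources over a threshold. The log lines it carries are constructed to match the formats shown in the post, using documentation addresses rather than the real one; the 5-second join window, the threshold of 3, and the placeholder year used to make syslog timestamps comparable are all assumptions.

```python
"""Correlate Postfix SASL login failures (mail.log) with saslauthd failures
(auth.log). Example code; sample lines are constructed, not taken from the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# mail.log: postfix/smtpd "SASL <mech> authentication failed" warnings.
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"warning: (?P<host>[\w.-]+)\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed"
)
# auth.log: saslauthd "do_auth : auth failure" lines carrying the username.
SASLAUTHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ saslauthd\[(?P<pid>\d+)\]: "
    r"do_auth : auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]"
)


def parse_syslog_ts(ts, year=1900):
    # Classic syslog timestamps carry no year; pin one (assumed) so values
    # compare correctly. Runs that cross a year boundary are out of scope.
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


def parse_postfix_failures(lines):
    """One dict per smtpd SASL failure; lines that do not match are skipped."""
    found = []
    for line in lines:
        m = POSTFIX_RE.match(line)
        if m:
            found.append({"ts": parse_syslog_ts(m["ts"]), "ip": m["ip"],
                          "pid": int(m["pid"]), "mech": m["mech"]})
    return found


def parse_saslauthd_failures(lines):
    """One dict per saslauthd auth failure (user + service); others skipped."""
    found = []
    for line in lines:
        m = SASLAUTHD_RE.match(line)
        if m:
            found.append({"ts": parse_syslog_ts(m["ts"]), "user": m["user"],
                          "service": m["service"], "pid": int(m["pid"])})
    return found


def correlate(mail_lines, auth_lines, window=timedelta(seconds=5)):
    """Per-IP summary: failure count, first/last seen, set of usernames tried.

    The username is taken from the saslauthd failure nearest in time to each
    smtpd warning, within `window` (assumed 5 s). saslauthd logs a moment
    before smtpd does, so a small window suffices; a large one risks
    attributing another client's username to this source.
    """
    sasl = parse_saslauthd_failures(auth_lines)
    by_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None, "users": set()})
    for p in parse_postfix_failures(mail_lines):
        rec = by_ip[p["ip"]]
        rec["count"] += 1
        rec["first"] = p["ts"] if rec["first"] is None else min(rec["first"], p["ts"])
        rec["last"] = p["ts"] if rec["last"] is None else max(rec["last"], p["ts"])
        nearest = min((s for s in sasl if abs(s["ts"] - p["ts"]) <= window),
                      key=lambda s: abs(s["ts"] - p["ts"]), default=None)
        if nearest is not None:
            rec["users"].add(nearest["user"])
    return dict(by_ip)


def brute_force_sources(summary, threshold=3):
    """IPs with at least `threshold` SASL failures (assumed default 3), sorted."""
    return sorted(ip for ip, rec in summary.items() if rec["count"] >= threshold)


# Constructed sample lines in the formats the post shows (RFC 5737 addresses).
SAMPLE_MAIL_LOG = [
    "Jul 27 09:27:23 mx1 postfix/smtpd[7547]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed",
    "Jul 27 09:27:28 mx1 postfix/smtpd[7547]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed",
    "Jul 27 09:27:30 mx1 postfix/smtpd[7547]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed",
    "Jul 27 09:28:55 mx1 postfix/smtpd[7547]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed",
    "Jul 27 10:02:01 mx1 postfix/smtpd[8001]: warning: host.example.net[198.51.100.7]: SASL PLAIN authentication failed",
    "Jul 27 10:02:02 mx1 postfix/smtpd[8001]: disconnect from host.example.net[198.51.100.7]",
]
SAMPLE_AUTH_LOG = [
    "Jul 27 09:27:18 mx1 saslauthd[13176]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 27 09:27:23 mx1 saslauthd[13177]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 27 09:27:28 mx1 saslauthd[13173]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 27 09:28:44 mx1 smtp(pam_unix)[13174]: check pass; user unknown",
    "Jul 27 09:28:47 mx1 saslauthd[13174]: do_auth : auth failure: [user=asdf] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 27 09:28:52 mx1 saslauthd[13176]: do_auth : auth failure: [user=guest] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 27 10:02:01 mx1 saslauthd[13180]: do_auth : auth failure: [user=guest] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
]

if __name__ == "__main__":
    summary = correlate(SAMPLE_MAIL_LOG, SAMPLE_AUTH_LOG)
    for ip in brute_force_sources(summary):
        rec = summary[ip]
        print(f"{ip}: {rec['count']} SASL failures {rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}, "
              f"users tried: {sorted(rec['users'])}")
```

On real files, read mail.log and auth.log into the two lists and raise the threshold to whatever a legitimate user fat-fingering a password would not reach. The join is deliberately conservative: a failure with no saslauthd entry within the window still counts toward the source but contributes no username, which is what you want when several clients are authenticating at once.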