Based on your log entries, it looks like somebody discovered your
'postmaster@×××××.com' password and is using it to relay messages.

Did you check your qmail-send log around the same time? It would have
more details, showing if it's relaying emails.

You also might try changing your postmaster's password to something
really cryptic, & see if those log entries still appear.

HTH,
Rich Yumul


Ben Munat wrote:

> I posted the following on the weekend and it seems to have been
> overlooked. If no one really has any ideas, I'm sorry for the repost,
> but, I would think that someone here has used vpopmail... I'm really
> hoping that this is something that vpopmail puts in the logs normally!
>
> Here's my previous post:
>
> Finally got around to installing a log monitoring tool (logwatch) this
> morning. I'm not sure why it doesn't give me any output for any services
> other than syslogd (maybe cuz all the other services are dumping into
> /var/log/messages?), but while looking through /var/log/messages for
> stuff that logwatch might find, I saw something that made my heart skip
> a beat.
>
> There are a number of vpopmail entries like this:
>
> Nov 6 10:21:51 munat vpopmail[29101]: vchkpw-smtp: password fail
> postmaster@×××××.com:80.104.163.225
> Nov 6 10:21:57 munat vpopmail[29103]: vchkpw-smtp: (PLAIN) login
> success postmaster@×××××.com:80.104.163.225
>
> Always in pairs like that... mostly with different addresses, and
> addresses that I don't recognize. My brother and I are the only people
> who should be able to log into the postmaster account, and we rarely do
> so, so...
>
> The question is, has my vpopmail been hacked or is this somehow a
> typical vpopmail occurrence? Going back through messages, there are
> entries like this every day. So maybe, for some strange reason vpopmail
> prints this entry in the logs periodically?
>
> Ben

--
------------------------------------------------------------------------
Richard M Yumul
rmy@×××××××××.com
SDTechnix
http://www.sdtechnix.com
------------------------------------------------------------------------
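
Added example, not part of the original thread: a small Python review of vchkpw-smtp entries in the layout quoted above. For each account it lists successful SMTP AUTH logins from addresses outside a known set and counts the fail-then-success pairs Ben describes. The host name, accounts, IP addresses, the known_ips set and the 60-second window are constructed assumptions. Only "(PLAIN)" appears in the post; accepting other mechanism names in the pattern is also an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout taken from the two entries quoted in the post (one entry per line).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\svpopmail\[\d+\]:\svchkpw-smtp:\s"
    r"(?P<event>password fail|\([\w-]+\) login success)\s"
    r"(?P<user>\S+):(?P<ip>[\d.]+)$"
)

def review(lines, known_ips, window=timedelta(seconds=60)):
    """Return {account: {"unknown_ips": set, "fail_then_success": int}}."""
    report = defaultdict(lambda: {"unknown_ips": set(), "fail_then_success": 0})
    last_fail = {}  # (account, ip) -> time of the most recent failed attempt
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a vchkpw-smtp authentication entry
        # Syslog omits the year; a fixed leap year keeps strptime unambiguous.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["event"] == "password fail":
            last_fail[key] = when
            continue
        if m["ip"] not in known_ips:
            report[m["user"]]["unknown_ips"].add(m["ip"])
        failed = last_fail.pop(key, None)
        if failed is not None and when - failed <= window:
            report[m["user"]]["fail_then_success"] += 1
    return dict(report)

# Constructed sample: documentation address ranges, hypothetical host and accounts.
SAMPLE = """\
Nov  6 10:21:51 mailhost vpopmail[29101]: vchkpw-smtp: password fail postmaster@example.com:192.0.2.10
Nov  6 10:21:57 mailhost vpopmail[29103]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:192.0.2.10
Nov  6 11:02:13 mailhost vpopmail[29410]: vchkpw-smtp: password fail postmaster@example.com:198.51.100.7
Nov  6 11:02:19 mailhost vpopmail[29412]: vchkpw-smtp: (PLAIN) login success postmaster@example.com:198.51.100.7
Nov  6 12:40:02 mailhost vpopmail[30011]: vchkpw-smtp: (PLAIN) login success user@example.com:203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for account, info in review(SAMPLE, known_ips={"203.0.113.5"}).items():
        print(account, sorted(info["unknown_ips"]), info["fail_then_success"])
```

Accounts that show successful logins from several unfamiliar addresses are the ones to cross-check against the qmail-send log for relayed mail.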