Is Someone Trying to Hack Into My Server?
hostchamp 10-24-2002, 01:09 PM Hello,
Today I was going through my server logs and came across these in /var/log/messages:
Oct 20 05:37:19 www pop(pam_unix)[20320]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=xyz
There are hundreds of such attempts for almost every user that exists in my passwd file. Is someone trying to gain entry using the pop3 daemon with uid=0?
I am running Red Hat Linux 7.1 and ipop3d.
Thanks,
Vivek
timesnme 10-24-2002, 01:51 PM greets.
Were any successful? Do your logs include IP addresses? Have you traced the connections back to their true origin? Is it really worth all the effort to find them if they didn't get in? Is this the first time your box(es) have been probed/hit?
snort
tripwire
et cetera
ciao
.times enemy
DarkSky WS 10-24-2002, 02:05 PM Hi
Try not to get married to these messages. It happens ALL the time. People are constantly probing IPs looking for anything they can exploit. That's what firewalls are for.
Of course if someone gets in then you should start worrying. :)
davidb 10-24-2002, 02:22 PM I don't know if it's an attack or not, but I think it would be incorrect for DarkSky to say it happens all the time, at least in your case where you said "There are hundreds such attempts for almost every user that exists in my passwd file".
Now of course this could be proven untrue if all the user names were like bob and joe. What's the ratio of real usernames to ones that don't exist on the server?
Lagniappe-labgeek 10-24-2002, 02:58 PM Originally posted by DarkSky WS
Of course if someone gets in then you should start worrying. :)
If someone gets in, it's too late to START worrying.
It looks like a brute force attack on your pop3 server. You don't need to worry about this because there are not many things to do, except a lock time, which will make tries like this useless.
yellow_belly 10-25-2002, 05:22 AM Are we all jumping the gun a bit here, hostchamp says...
There are hundreds such attempts for almost every user that exists in my passwd file, is someone trying to gain entry using pop3 daemon with uid=0?
... now unless someone also knows the names of the accounts, wouldn't there also be a lot of entries with other user names from a hacker? I have seen something similar to this on my home system, where each time I log into a local pop account I get 2 entries like this but I still get access. I am unsure what is wrong and have not got the time to try and figure it out.
Anyway, all I am saying is: are you sure you do not get an entry like this each time a real customer accesses his/her pop account?
yellow_belly
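The thread has two competing readings of hostchamp's log: a brute-force run against pop3 (Lagniappe-labgeek), or routine noise that a normal client login also produces (yellow_belly), with davidb's suggestion to compare real usernames against names that do not exist in passwd. The following script is an added example, not code from any poster; it parses pam_unix failure lines in the exact format quoted in the first post, counts distinct accounts, splits them into known/unknown against a passwd list, measures the peak failure rate in a sliding window, and returns a verdict. The two log samples, the year (syslog lines carry none), the user list and the thresholds are all constructed for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the ipop3d/pam_unix failure line quoted in the first post. rhost= can be
# empty because that ipop3d build did not hand PAM the client address.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)
ASSUMED_YEAR = "2002"  # assumption: syslog timestamps have no year field


def parse_failures(lines):
    """Yield (timestamp, rhost, user) for every pop(pam_unix) failure line."""
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(ASSUMED_YEAR + " " + m.group("ts"), "%Y %b %d %H:%M:%S")
        yield ts, m.group("rhost") or "<no rhost>", m.group("user")


def summarize(lines, known_users, window_seconds=60, rate_threshold=20):
    """Classify a batch of failure lines as brute force, account scan, or client retries."""
    failures = sorted(parse_failures(lines))
    per_user = Counter(user for _, _, user in failures)
    tried = set(per_user)
    known = tried & known_users          # davidb's ratio: names that really exist
    unknown = tried - known_users        # names that are not in passwd at all

    # Peak number of failures inside any window_seconds span (two-pointer sweep).
    times = [ts for ts, _, _ in failures]
    peak, j = 0, 0
    for i, ts in enumerate(times):
        while (ts - times[j]).total_seconds() > window_seconds:
            j += 1
        peak = max(peak, i - j + 1)

    if len(tried) >= 10 and peak >= rate_threshold:
        verdict = "brute force: many accounts failing at a high rate"
    elif unknown and len(unknown) >= len(known):
        verdict = "account scan: mostly names that are not in passwd"
    elif per_user and all(count <= 2 for count in per_user.values()):
        verdict = "likely client retries, not an attack"
    else:
        verdict = "inconclusive: review per-user counts"

    return {
        "failures": len(failures),
        "distinct_users": len(tried),
        "known_users": len(known),
        "unknown_users": len(unknown),
        "peak_per_window": peak,
        "verdict": verdict,
    }


def make_line(mm_ss, user, rhost=""):
    """Build a constructed log line in the format hostchamp posted."""
    return (f"Oct 20 05:{mm_ss} www pop(pam_unix)[20320]: authentication failure; "
            f"logname= uid=0 euid=0 tty= ruser= rhost={rhost} user={user}")


# Constructed passwd contents: 30 real accounts plus the admin's own.
KNOWN_USERS = {f"user{i:02d}" for i in range(30)} | {"vivek"}

# Constructed sample 1: 40 different names, one failure per second.
BRUTE_FORCE_LOG = [make_line(f"37:{i:02d}", f"user{i:02d}") for i in range(40)]

# Constructed sample 2: one real user failing twice, as yellow_belly describes.
RETRY_LOG = [make_line("40:01", "vivek"), make_line("40:02", "vivek")]

if __name__ == "__main__":
    for name, log in (("brute force sample", BRUTE_FORCE_LOG), ("retry sample", RETRY_LOG)):
        print(name, summarize(log, KNOWN_USERS))
```

To run it against a real file, replace the constructed lists with `open("/var/log/messages")` and feed `/etc/passwd` login names into `known_users`; the knob worth tuning is `rate_threshold`, since a handful of retries from one mail client should never reach it.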
skelley1 10-25-2002, 05:39 AM You might try http://www.chkrootkit.org/
When I had my server emailing me with the root logs, it really freaked me out at first when I'd get a page on my phone telling me I got an "Active System Attack!" every couple of days. I'd get hundreds of things like you listed above as well. There are more script kiddies than there are servers out there. A proper ipchains/iptables setup will help a lot.
I find my sysadmins are much happier if I just don't look at the logs :D
anantatman 10-25-2002, 06:19 AM If you have more than two servers, take an old computer (RaQ2s work well) with two NICs, put NetBSD on it and make it a proper firewall for your whole network.
It saves you the time of configuring ipchains on all your computers.
hostchamp 10-26-2002, 03:11 PM Thanks for all your responses; a couple of you freaked out ;) but nevertheless it was good to get so many views and responses!
4PSA, what is a "lock time"? How do I set it up?
yellow_belly, I second your query: are you sure you do not get an entry like this each time a real customer accesses his/her pop account?
skelley1, http://www.chkrootkit.org/ would not resolve for me :confused:
skelley1 10-26-2002, 03:17 PM Hmm, it did when I posted it, but it doesn't for me now either. Must be down. http://freshmeat.net/projects/chkrootkit/?topic_id=43 has some information on it.
hostchamp 10-27-2002, 03:04 AM Okay, the link's working now.