Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Someone broke into my server?

[baocaosuok]

hello everyone,

i've been getting email from logwatch of this connections:

--------------------- Connections (secure-log) Begin
------------------------


Changed users GID:
mailman: 41 -> 41

Connections:
Service smtp:
12.4.146.234: 1 Time(s)
60.9.146.154: 1 Time(s)
61.198.109.181: 1 Time(s)
66.127.239.106: 1 Time(s)
66.163.179.83: 1 Time(s)
82.21.95.247: 20 Time(s)
200.126.114.135: 1 Time(s)
203.98.189.83: 4 Time(s)
206.190.48.90: 1 Time(s)
207.69.200.171: 1 Time(s)
209.191.88.121: 1 Time(s)
219.91.64.181: 5 Time(s)

Does that mean some people broke into my server via smtp service?

if not, i wonder what are those connections?

i'm very appreciate any comment.

Thanks

[Lsupport]

Hello,

This result for service SMTP is connections to the server via these Ips for the mail service . Check to see in the logs if there are any failed logins for the server.

[baocaosuok]

Thanks maximus,

i checked the log and it's normal. No failed logins

So does that mean my server has not been broken in?

[Energizer Bunny]

Guess not.

[haynesdavis]

Hello,

Then in that case your box is not comprimised and it is safe. To be more safe , try installing on the server apf and bfd.

[baocaosuok]

Thanks everyone,

I do have APF, BFD, rkhunter, chkrootkit installed.

So hope it helps :d