
Thread: my exim log

  1. #1

    Hello.
    This is my Exim log. Can you analyse it and say how I can protect it?

    2009-07-27 02:03:01 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:01 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:02 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:02 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:03 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:03 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:03 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:04 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:04 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:05 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:05 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:06 SMTP call from (ameill-2007) [125.85.138.123] dropped: too many nonmail commands (last was "AUTH")
    2009-07-27 02:03:06 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:06 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:06 SMTP call from (ameill-2007) [125.85.138.123] dropped: too many nonmail commands (last was "AUTH")
    2009-07-27 02:03:07 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:09 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:10 login authenticator failed for (ameill-2007) [125.85.138.123]: 535 Incorrect authentication data (set_id=company)
    2009-07-27 02:03:11 SMTP call from (ameill-2007) [125.85.138.123] dropped: too many nonmail commands (last was "AUTH")
    2009-07-27 20:03:01 H=118-169-195-60.dynamic.hinet.net (www.hello.com) [118.169.195.60] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-27 20:03:02 H=118-169-195-60.dynamic.hinet.net (www.hello.com) [118.169.195.60] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-27 20:03:04 H=118-169-195-60.dynamic.hinet.net (www.hello.com) [118.169.195.60] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 02:23:13 H=114-43-241-220.dynamic.hinet.net (89.248.166.46) [114.43.241.220] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 02:23:13 H=114-43-241-220.dynamic.hinet.net (89.248.166.48) [114.43.241.220] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 02:23:13 H=114-43-241-220.dynamic.hinet.net (89.248.166.47) [114.43.241.220] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 15:39:42 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "GET http://www.scanproxy.com:80/p-25.html HTTP/1.0" H=118-167-133-150.dynamic.hinet.net [118.167.133.150] next input="Content-Type: text/html\r\nProxy-Connection: keep-alive\r\nHost: www.scanproxy.com\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, applicati"
    2009-07-28 15:39:42 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "GET http://www.scanproxy.com:80/p-25.html HTTP/1.0" H=118-167-133-150.dynamic.hinet.net [118.167.133.150] next input="Content-Type: text/html\r\nProxy-Connection: keep-alive\r\nHost: www.scanproxy.com\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, applicati"
    2009-07-28 15:39:42 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "GET http://www.scanproxy.com:80/p-25.html HTTP/1.0" H=118-167-133-150.dynamic.hinet.net [118.167.133.150] next input="Content-Type: text/html\r\nProxy-Connection: keep-alive\r\nHost: www.scanproxy.com\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, applicati"
    2009-07-28 15:39:43 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=118-167-133-150.dynamic.hinet.net [118.167.133.150] input="\004\001"
    2009-07-28 15:39:43 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=118-167-133-150.dynamic.hinet.net [118.167.133.150] input="\005\001"
    2009-07-28 16:09:56 H=118-167-133-150.dynamic.hinet.net (89.248.166.47) [118.167.133.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 16:09:59 H=118-167-133-150.dynamic.hinet.net (89.248.166.48) [118.167.133.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 16:09:59 H=118-167-133-150.dynamic.hinet.net (89.248.166.46) [118.167.133.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 22:21:57 H=118-167-133-150.dynamic.hinet.net (89.248.166.48) [118.167.133.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 22:21:57 H=118-167-133-150.dynamic.hinet.net (89.248.166.46) [118.167.133.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 22:21:57 H=118-167-133-150.dynamic.hinet.net (89.248.166.47) [118.167.133.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 22:48:56 H=122-124-158-166.dynamic.hinet.net (89.248.166.47) [122.124.158.166] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 22:48:56 H=122-124-158-166.dynamic.hinet.net (89.248.166.46) [122.124.158.166] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-28 22:48:56 H=122-124-158-166.dynamic.hinet.net (89.248.166.48) [122.124.158.166] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-29 10:23:26 rejected HELO from [81.91.144.210]: syntactically invalid argument(s): [email protected]
    2009-07-29 18:14:13 rejected HELO from [81.91.144.210]: syntactically invalid argument(s): [email protected]
    2009-07-29 20:32:34 H=118-169-197-33.dynamic.hinet.net (www.hello.com) [118.169.197.33] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-29 20:32:40 H=118-169-197-33.dynamic.hinet.net (www.hello.com) [118.169.197.33] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-29 20:32:41 H=118-169-197-33.dynamic.hinet.net (www.hello.com) [118.169.197.33] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-31 09:36:47 H=118-168-107-150.dynamic.hinet.net (89.248.166.46) [118.168.107.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-31 09:36:47 H=118-168-107-150.dynamic.hinet.net (89.248.166.47) [118.168.107.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-31 09:36:50 H=118-168-107-150.dynamic.hinet.net (89.248.166.48) [118.168.107.150] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-31 20:34:05 H=118-169-207-44.dynamic.hinet.net (www.hello.com) [118.169.207.44] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-31 20:34:07 H=118-169-207-44.dynamic.hinet.net (www.hello.com) [118.169.207.44] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
    2009-07-31 20:34:08 H=118-169-207-44.dynamic.hinet.net (www.hello.com) [118.169.207.44] F=<[email protected]> rejected RCPT <[email protected]>: authentication required

  2. #2
    Installing and configuring CSF will stop these types of attacks.

  3. #3
    Quote Originally Posted by logicsupport:
    Installing and configuring CSF will stop these types of attacks.
    Yes, install CSF; it will block the IP automatically after several login failures. Based on the log, someone is trying to brute-force email accounts on your server.

  4. #4
    Yes, from the above logs it seems there is a brute-force attack on your server. You need to block the above IP, 125.85.138.123, using the CSF firewall or iptables.

  5. #5
    And how can I configure CSF?

  6. #6
    Following are the steps to install CSF on cPanel:

    #rm -fv csf.tgz
    #wget http://www.configserver.com/free/csf.tgz
    #tar zxf csf.tgz
    #cd csf
    #sh install.sh

    If you have APF + BFD, you will need to disable them; you can use the following to do so:

    sh disable_apf_bfd.sh

    To configure CSF, modify the config files in /etc/csf/, or if you are running WHM you can modify the CSF settings there. By default CSF opens the standard cPanel ports.
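As an added example (not from this thread and not ConfigServer's documentation), here is the part of /etc/csf/csf.conf that governs what the replies above rely on: the lfd daemon reading exim_mainlog and blocking a source after repeated SMTP AUTH failures. The option names are the ones csf.conf uses; the values are choices made for this thread, not CSF defaults, and the distributed-attack options may be absent in older CSF releases, so compare against the csf.conf shipped with your version before pasting. On DirectAdmin the same file applies; WHM only wraps it.

```ini
# /etc/csf/csf.conf (excerpt) - constructed example for this thread, not the shipped defaults

TESTING = "0"               # keep "1" until you have confirmed you can still log in, then "0"
LF_DAEMON = "1"             # lfd is the process that tails exim_mainlog and issues the blocks
LF_INTERVAL = "3600"        # window (seconds) in which failures are counted

# Weak: SMTP AUTH failures are not counted, so the 535 flood in post #1 is never acted on
#LF_SMTPAUTH = "0"

# Hardened: 5 failed AUTH attempts from one IP inside LF_INTERVAL block that IP
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"      # "1" = permanent block; a number of seconds = temporary block

# Repeated Exim syntax/protocol errors (the proxy probes and invalid HELOs in the log)
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# One account tried from many IPs (the post #8 pattern): count distinct sources per account
# and block all of them once LF_DISTATTACK_UNIQ is reached inside LF_INTERVAL
LF_DISTATTACK = "1"
LF_DISTATTACK_UNIQ = "6"
```

After saving, run `csf -r` to restart csf and lfd, then watch /var/log/lfd.log for the "Blocked in csf" entries to confirm the rules fire. Put your own admin IP in /etc/csf/csf.allow and /etc/csf/csf.ignore first, so a mistyped password in your own mail client does not lock you out of the server.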

  7. #7
    I have DirectAdmin, and I had installed CSF before I saw this log.

  8. #8
    Hello Guys,

    I have a similar issue, but it seems that the brute-force attack on my server is not from a single IP but from multiple IPs. Look at the log:

    ===
    [[email protected] log]# tail -f /var/log/exim_mainlog | grep [email protected]
    2010-02-24 05:18:50 fixed_login authenticator failed for (lou-reception) [84.55.153.185]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:20:45 fixed_login authenticator failed for (pc) [187.21.2.122]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:20:48 fixed_login authenticator failed for (pc) [187.21.2.122]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:20:57 fixed_login authenticator failed for (Wilma-PC) [187.13.35.8]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:20:58 fixed_login authenticator failed for (Wilma-PC) [187.13.35.8]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:21:08 fixed_login authenticator failed for (URANIA) [189.102.154.83]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:21:08 fixed_login authenticator failed for (URANIA) [189.102.154.83]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:21:26 fixed_login authenticator failed for quindimp3.redel.com.br (user-47b4a68ed4) [189.8.96.75]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:21:30 fixed_login authenticator failed for host-84-222-241-90.cust-adsl.tiscali.it (pc10) [84.222.241.90]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:21:38 fixed_login authenticator failed for quindimp3.redel.com.br (user-47b4a68ed4) [189.8.96.75]: 535 Incorrect authentication data ([email protected])
    2010-02-24 05:21:38 fixed_login authenticator failed for host-84-222-241-90.cust-adsl.tiscali.it (pc10) [84.222.241.90]: 535 Incorrect authentication data ([email protected])
    ===

    Has someone here already seen this kind of attack? What must I do to stop it?

    Thanks
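The replies say "brute force" and "block the IP", but the logs posted in this thread contain several different things. Below is an added example (my code, not anything from the thread or from CSF) that triages an Exim mainlog roughly the way lfd does, run on a constructed sample modelled on the lines above with RFC 5737 addresses: it classifies each line, counts events per source IP, flags an IP that bursts SMTP AUTH failures (post #1), lists relay attempts and the proxy probes for review rather than auto-blocking (the `GET http://...` line is an HTTP proxy check against port 25, and the `\004\001` / `\005\001` inputs are SOCKS4 and SOCKS5 greetings), and, for the case in post #8, finds an account that is being tried from many IPs, which a per-IP counter never catches. The thresholds, the block/review split and the `csf -td` TTL are assumptions, not CSF defaults.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # Exim's [a.b.c.d] is the real peer
ACCOUNT_RE = re.compile(r"Incorrect authentication data \((?:set_id=)?([^)]*)\)")

# Constructed sample modelled on the thread's log lines (RFC 5737 addresses, not real hosts).
SAMPLE_LOG = """\
2009-07-27 02:03:01 login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=company)
2009-07-27 02:03:01 login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=company)
2009-07-27 02:03:02 login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=company)
2009-07-27 02:03:03 login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=company)
2009-07-27 02:03:04 login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=company)
2009-07-27 02:03:06 SMTP call from (ameill-2007) [192.0.2.10] dropped: too many nonmail commands (last was "AUTH")
2009-07-27 20:03:01 H=host.example.net (www.hello.com) [198.51.100.7] F=<a@example.org> rejected RCPT <b@example.com>: authentication required
2009-07-28 15:39:43 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host2.example.net [203.0.113.5] input="\\004\\001"
2009-07-29 10:23:26 rejected HELO from [203.0.113.9]: syntactically invalid argument(s): x@y
2010-02-24 05:18:50 fixed_login authenticator failed for (lou-reception) [198.51.100.21]: 535 Incorrect authentication data (set_id=sales@example.com)
2010-02-24 05:20:45 fixed_login authenticator failed for (pc) [198.51.100.22]: 535 Incorrect authentication data (set_id=sales@example.com)
2010-02-24 05:20:57 fixed_login authenticator failed for (Wilma-PC) [198.51.100.23]: 535 Incorrect authentication data (set_id=sales@example.com)
2010-02-24 05:21:08 1Nk5hE-0004Ha-2n Completed
"""

def classify(line):
    """(timestamp, ip, kind, account) for the event kinds we care about, else None."""
    m_ts, m_ip = TS_RE.match(line), IP_RE.search(line)
    if not (m_ts and m_ip):
        return None
    account = None
    if "authenticator failed for" in line:            # SMTP AUTH password guess
        kind = "auth_failure"
        m = ACCOUNT_RE.search(line)
        account = m.group(1) if m else None
    elif "too many nonmail commands" in line:          # Exim already cut the session
        kind = "dropped_call"
    elif "rejected RCPT" in line and "authentication required" in line:
        kind = "relay_attempt"                         # unauthenticated relay probe
    elif "SMTP protocol synchronization error" in line:
        kind = "sync_error"                            # HTTP/SOCKS proxy probe on port 25
    elif "rejected HELO" in line:
        kind = "bad_helo"
    else:
        return None
    ts = datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m_ip.group(1), kind, account

def summarise(lines):
    """Per-IP kind counts, per-IP auth-failure times, and the IPs that tried each account."""
    per_ip, auth_times, ips_per_account = defaultdict(Counter), defaultdict(list), defaultdict(set)
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        ts, ip, kind, account = ev
        per_ip[ip][kind] += 1
        if kind == "auth_failure":
            auth_times[ip].append(ts)
            if account:
                ips_per_account[account].add(ip)
    return per_ip, auth_times, ips_per_account

def burst(times, count, window_seconds):
    """True if `count` failures fall inside one `window_seconds` span (lfd-style counting)."""
    times = sorted(times)
    return any((times[i + count - 1] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - count + 1))

def block_candidates(per_ip, auth_times, fail_count=5, window_seconds=3600):
    """Assumed policy: auth bursts are blocked; relay/proxy probes are only listed for
    review, because a single rejected RCPT can also be a misconfigured legitimate client."""
    block, review = {}, {}
    for ip, kinds in per_ip.items():
        if burst(auth_times.get(ip, []), fail_count, window_seconds):
            block[ip] = "smtp auth brute force"
        elif kinds["relay_attempt"] or kinds["sync_error"]:
            review[ip] = "relay attempt / proxy probe"
    return block, review

def distributed_targets(ips_per_account, uniq_ips=3):
    """Accounts tried from >= uniq_ips sources (post #8): per-IP counters never trip here,
    so the response belongs on the account (lock it, rotate its password), not on one IP."""
    return {a: sorted(ips) for a, ips in ips_per_account.items() if len(ips) >= uniq_ips}

def csf_commands(block, ttl=3600):
    """Temporary denies via CSF's `csf -td IP TTL comment`; review the list before running it."""
    return [f'csf -td {ip} {ttl} "{why}"' for ip, why in sorted(block.items())]

def triage(text):
    per_ip, auth_times, ips_per_account = summarise(text.splitlines())
    block, review = block_candidates(per_ip, auth_times)
    return {"per_ip": {ip: dict(c) for ip, c in per_ip.items()},
            "block": block, "review": review,
            "distributed": distributed_targets(ips_per_account),
            "commands": csf_commands(block)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))   # run against /var/log/exim_mainlog text in practice
```

On the sample, only the bursting IP lands in the block list; the relay and proxy probes go to the review list, and `sales@example.com` shows up as a distributed target with three sources, which is the signal that a password reset on that mailbox matters more than any firewall rule. Never feed the generated commands an address you administer from.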
