#1 zogthegreat (Member), 22nd July 2010, 19:34

Have I been hacked?

Hi everyone,

I have a weird problem with one of the websites on my ISPConfig server.

While going through the logs, I found this:

[IMAPd] Logout stats:
====================
User            | Logouts | Downloaded | Mbox Size
--------------- | ------- | ---------- | ----------
bill@XXX.com    |       7 |      20807 |          0
calvin@YYY.com  |     297 |       7556 |          0
info@XXX.com    |       7 |       1628 |          0
------------------------------------------------------
Total           |     311 |      29991 |          0


The YYY.com site is my son's. He is not running an email client (Thunderbird, Evolution, etc.) to check his email, and he assures me that he is not logging into his account 300 times a day.

This pattern of logouts has been going on for at least a week; I am going through the older log files to see if there are more.

Does anyone have any suggestions as to what is causing this?

Thanks

zog
#2 till (Super Moderator), 22nd July 2010, 21:06

1) Is there an email account calvin@YYY.com in ISPConfig?
2) Are there any successful logins logged for this account in the mail log? Maybe someone is just trying to find the password with a brute force attack.
3) Is your son using webmail? Such a pattern with many logouts is typical for a webmail session.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 zogthegreat (Member), 22nd July 2010, 22:07

Quote:
Originally Posted by till
1) Is there an email account calvin@YYY.com in ISPConfig?
2) Are there any successful logins logged for this account in the mail log? Maybe someone is just trying to find the password with a brute force attack.
3) Is your son using webmail? Such a pattern with many logouts is typical for a webmail session.
Hi till,

Yes, there is an email account for calvin@YYY.com.

As far as brute force goes, all I see in the mail log are multiple entries like this:

Jul 22 15:43:46 server1 imapd: LOGIN, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], port=[45412], protocol=IMAP
Jul 22 15:43:46 server1 imapd: LOGOUT, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=393, time=0

There are about 13 entries an hour like this. Once again, my son states it is not him checking his mail (currently, he is at work). We changed his email password twice in the last week.

He is using webmail, but once again, not 300 times a day (he tells me 3 or 4 times a day).

I also have multiple entries like this:

Jul 22 15:45:03 server1 postfix/smtpd[28628]: connect from localhost.localdomain[127.0.0.1]
Jul 22 15:45:03 server1 postfix/smtpd[28628]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Jul 22 15:45:03 server1 postfix/smtpd[28628]: disconnect from localhost.localdomain[127.0.0.1]
Jul 22 15:45:04 server1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Jul 22 15:45:04 server1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Jul 22 15:45:04 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
Jul 22 15:45:04 server1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Jul 22 15:48:47 server1 imapd: Connection, ip=[::ffff:127.0.0.1]

Also approximately 13 per hour.

All of the other email accounts are showing normal behavior.

zog
#4 till (Super Moderator), 22nd July 2010, 22:13

Quote:
Jul 22 15:43:46 server1 imapd: LOGIN, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], port=[45412], protocol=IMAP
Jul 22 15:43:46 server1 imapd: LOGOUT, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=393, time=0
This is not an attack; it is the automatic system check, which runs every 5 minutes.

Quote:
He is using webmail, but once again, not 300 times a day, (he tells me 3 or 4 times a day).
OK, then the logins are from webmail. Webmail can produce dozens of logins and logouts per minute: one login/logout for every click, read, or deleted message.

So your setup and logs seem to be ok. Your system has not been hacked.
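Till's checklist in #2 (are there successful logins for the account, are there failures that suggest password guessing, is the source webmail) and his reading of the loopback entries in #4 can be checked mechanically against the mail log rather than by eye. The script below is an added example written for this thread, not code from ISPConfig or from either poster. It parses courier imapd/pop3d LOGIN, LOGOUT and LOGIN FAILED lines in the format quoted above, splits successful logins into loopback sources (webmail or the local service check, exactly the case in this thread) and remote sources, and flags a mailbox that collects repeated failures from one address. The log excerpt it runs on is constructed for the example, using the documentation-range addresses 203.0.113.7 and 198.51.100.9; the exact LOGIN FAILED line layout and the failure threshold of 3 are assumptions, not values from the thread.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample modelled on the courier-imap lines quoted in the thread.
# Hosts, users and the 203.0.113.7 / 198.51.100.9 addresses are placeholders.
SAMPLE_LOG = """\
Jul 22 15:43:46 server1 imapd: LOGIN, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], port=[45412], protocol=IMAP
Jul 22 15:43:46 server1 imapd: LOGOUT, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=393, time=0
Jul 22 15:48:47 server1 imapd: LOGIN, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], port=[45420], protocol=IMAP
Jul 22 15:48:47 server1 imapd: LOGOUT, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=393, time=0
Jul 22 15:50:02 server1 imapd: LOGIN, user=bill@XXX.com, ip=[::ffff:203.0.113.7], port=[51010], protocol=IMAP
Jul 22 15:51:10 server1 imapd: LOGIN FAILED, user=calvin@YYY.com, ip=[::ffff:198.51.100.9]
Jul 22 15:51:12 server1 imapd: LOGIN FAILED, user=calvin@YYY.com, ip=[::ffff:198.51.100.9]
Jul 22 15:51:15 server1 imapd: LOGIN FAILED, user=calvin@YYY.com, ip=[::ffff:198.51.100.9]
Jul 22 15:52:00 server1 pop3d: LOGIN, user=info@XXX.com, ip=[::ffff:203.0.113.7], port=[51022]
"""

# Matches courier imapd/pop3d (and the -ssl variants) session lines that carry a
# user name. The IPv4-mapped "::ffff:" prefix is stripped so the address can be
# classified with the ipaddress module. Assumed layout for LOGIN FAILED lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>imapd|pop3d)(?:-ssl)?: "
    r"(?P<event>LOGIN FAILED|LOGIN|LOGOUT), user=(?P<user>[^,]+), "
    r"ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)


def is_local(ip):
    """True for 127.0.0.0/8 and ::1, i.e. webmail on the same box or a local check."""
    return ip_address(ip).is_loopback


def summarize(log_text):
    """Per mailbox: successful logins split by loopback/remote source, and failures by source."""
    per_user = defaultdict(
        lambda: {"local_logins": 0, "remote_logins": Counter(), "failed": Counter()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # postfix lines and bare Connection/Disconnected lines carry no user
        rec = per_user[m["user"]]
        if m["event"] == "LOGIN":
            if is_local(m["ip"]):
                rec["local_logins"] += 1
            else:
                rec["remote_logins"][m["ip"]] += 1
        elif m["event"] == "LOGIN FAILED":
            rec["failed"][m["ip"]] += 1
    return dict(per_user)


def findings(summary, fail_threshold=3):
    """Turn the counts into the answers the checklist in #2 asks for."""
    out = []
    for user, rec in sorted(summary.items()):
        if rec["local_logins"]:
            out.append(
                f"{user}: {rec['local_logins']} login(s) from loopback, i.e. webmail "
                f"or the local service check, not a remote client"
            )
        for ip, n in rec["remote_logins"].most_common():
            out.append(f"{user}: {n} successful login(s) from {ip}; confirm this is a client you expect")
        for ip, n in rec["failed"].items():
            if n >= fail_threshold:
                out.append(
                    f"{user}: {n} failed login(s) from {ip}; repeated failures from one "
                    f"source look like password guessing"
                )
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

On a real ISPConfig host you would feed the script `/var/log/mail.log` (or the distribution's equivalent) instead of `SAMPLE_LOG`. The useful split is the one till makes in #4: a mailbox whose logins all come from loopback is being read through webmail or touched by a local check, which is normal, while successful logins from an address the owner does not recognise, or a burst of failures from one address, are the two things worth acting on.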