#1 mtyme, 14th June 2007, 16:05
Possible hack attempt?

I was looking through my email log and saw this..

The disconnect/lost connection after EHLO portion at the bottom goes on and on probably hundreds of times.

Should I be concerned about this?

Quote:
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: warning: Connection concurrency limit exceeded: 51 from unknown[213.42.236.38] for service smtp
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12270]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12270]: warning: Connection concurrency limit exceeded: 51 from unknown[213.42.236.38] for service smtp
Jun 14 07:48:31 webserv1 postfix/smtpd[12270]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12269]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12269]: warning: Connection concurrency limit exceeded: 51 from unknown[213.42.236.38] for service smtp
Jun 14 07:48:31 webserv1 postfix/smtpd[12269]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12267]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12267]: warning: Connection concurrency limit exceeded: 51 from unknown[213.42.236.38] for service smtp
Jun 14 07:48:31 webserv1 postfix/smtpd[12267]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: warning: Connection concurrency limit exceeded: 51 from unknown[213.42.236.38] for service smtp
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12270]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12270]: warning: Connection concurrency limit exceeded: 51 from unknown[213.42.236.38] for service smtp
Jun 14 07:48:31 webserv1 postfix/smtpd[12270]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12215]: lost connection after EHLO from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12215]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12269]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12269]: lost connection after CONNECT from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12269]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12267]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12267]: lost connection after CONNECT from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12267]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: connect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: lost connection after CONNECT from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12268]: disconnect from unknown[213.42.236.38]
Jun 14 07:48:31 webserv1 postfix/smtpd[12219]: lost connection after EHLO from unknown[213.42.236.38]
#2 edge, 14th June 2007, 17:53

It looks like some tool that is looking at your mail server. I have no clue who it is, except that it's in the Middle East!
http://213.42.236.38
__________________
Never execute code written on a Friday or a Monday.
#3 mtyme, 14th June 2007, 18:23

Yeah, emirates.com. Some airline company. But is there something I can or should do about this?

Also saw this in there, is this normal? I'm new to this so I don't really know what to look for as far as threats or what's normal.

Jun 14 00:10:30 webserv1 postfix/smtpd[4120]: connect from unknown[208.64.49.132]
Jun 14 00:10:30 webserv1 postfix/smtpd[4120]: setting up TLS connection from unknown[208.64.49.132]
Jun 14 00:10:30 webserv1 postfix/smtpd[4120]: TLS connection established from unknown[208.64.49.132]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 14 00:10:30 webserv1 postfix/smtpd[4120]: A239C458359: client=unknown[208.64.49.132]
#4 bschultz, 14th June 2007, 18:27

If you look at the time stamps, they are doing this all in ONE second. That means they are trying to break in...but aren't getting in. You can try fail2ban or denyhosts to clean up some of this stuff, but they will always try.
The Following User Says Thank You to bschultz For This Useful Post:
mtyme (15th June 2007)
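
Added example, not part of any post in this thread and not fail2ban's own code: a sliding-window counter of the kind a log-watching tool applies, run over the two Postfix smtpd events shown in the first post (concurrency limit warnings and connections lost after CONNECT or EHLO). The threshold, window, assumed year, host name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two Postfix smtpd events quoted in the thread; plain
# "connect", "disconnect" and TLS lines are deliberately not counted.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?:warning: Connection concurrency limit exceeded: \d+ from "
    r"|lost connection after (?:CONNECT|EHLO) from )"
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def find_offenders(lines, max_events=5, window_seconds=60, year=2007):
    """Return {ip: time it first reached max_events within the window}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_events and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

# Constructed sample log (documentation IP ranges, hypothetical host "mail1").
P = "mail1 postfix/smtpd"
SAMPLE = [
    f"Jun 14 00:10:30 {P}[90]: connect from unknown[198.51.100.20]",
    f"Jun 14 00:10:30 {P}[90]: TLS connection established from unknown[198.51.100.20]: TLSv1",
    f"Jun 14 00:10:31 {P}[90]: lost connection after EHLO from unknown[198.51.100.20]",
] + [
    f"Jun 14 07:48:31 {P}[{pid}]: warning: Connection concurrency limit "
    f"exceeded: 51 from unknown[203.0.113.7] for service smtp"
    for pid in (101, 102, 103)
] + [
    f"Jun 14 07:48:31 {P}[{pid}]: lost connection after {stage} from unknown[203.0.113.7]"
    for pid, stage in ((104, "EHLO"), (105, "CONNECT"), (106, "CONNECT"))
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}")
```

A client that drops a single connection, like the second address in the sample, stays below the threshold; only the burst within one second is flagged.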
#5 falko, 15th June 2007, 14:30

http://www.howtoforge.com/fail2ban_debian_etch
__________________
Falko
The Following User Says Thank You to falko For This Useful Post:
mtyme (15th June 2007)
#6 mtyme, 15th June 2007, 16:06

Thanks guys, is there going to be many differences in the guide if I'm using Ubuntu server? (won't be able to check it out till I get home tonight)
#7 falko, 16th June 2007, 14:17

Ubuntu and Debian are very similar, so this should work on Ubuntu, too.
__________________
Falko