Have I been hacked?

Discussion in 'General' started by zogthegreat, Jul 22, 2010.

  1. zogthegreat

    zogthegreat New Member

    Hi everyone,

    I have a weird problem with one of the websites on my ISPConfig server.

    While going through the logs, I found this:

    [IMAPd] Logout stats:
    ====================
    User | Logouts | Downloaded | Mbox Size
    --------------------------------------- | ------- | ---------- | ----------
    bill@XXX.com[/email] | 7 | 20807 | 0
    calvin@YYY.com[/email] | 297 | 7556 | 0
    info@XXX.com[/email] | 7 | 1628 | 0
    ---------------------------------------------------------------------------
    311 | 29991 | 0


    The YYY.com site is my sons. He is not running an email client, ( Thunderbird, Evolution, etc) to check his emails, and he assures me that he is not logging into his account 300 times a day.

    This pattern of logouts has been going on at least a week, I am going through the older log files to see if there are more.

    Does anyone have any suggestions as to what is causing this?

    Thanks

    zog
     
  2. till

    till Super Moderator

    1) Is there a email account calvin@YYY.com in ISPConfig?
    2) Are there any successful logins logged for this account in the mail log? Maybe someone just tries to find the password witha brute force attack.
    3) Is your son using webmail? Such a pettern with many logouts is typical for a webmail session.
     
  3. zogthegreat

    zogthegreat New Member

    Hi till,

    Yes, there is an email account for calvin@YYY.com.

    As far as brute force, all I see in the maillog is multiple entries like this:

    Jul 22 15:43:46 server1 imapd: LOGIN, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], port=[45412], protocol=IMAP
    Jul 22 15:43:46 server1 imapd: LOGOUT, user=calvin@YYY.com, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=87, sent=393, time=0

    There are about 13 entries an hour like this. Once again, my son states it is not him checking his mail, (currently, he is at work). We changed his email password twice in the last week.

    He is using webmail, but once again, not 300 times a day, (he tells me 3 or 4 times a day).

    I also have multiple entries like this:

    Jul 22 15:45:03 server1 postfix/smtpd[28628]: connect from localhost.localdomain[127.0.0.1]
    Jul 22 15:45:03 server1 postfix/smtpd[28628]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Jul 22 15:45:03 server1 postfix/smtpd[28628]: disconnect from localhost.localdomain[127.0.0.1]
    Jul 22 15:45:04 server1 pop3d: Connection, ip=[::ffff:127.0.0.1]
    Jul 22 15:45:04 server1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Jul 22 15:45:04 server1 imapd: Connection, ip=[::ffff:127.0.0.1]
    Jul 22 15:45:04 server1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Jul 22 15:48:47 server1 imapd: Connection, ip=[::ffff:127.0.0.1]

    also approx 13 per hour.

    All of the other email accounts are showing normal behavior.

    zog
     
  4. till

    till Super Moderator

    This is not an attack, it is the automatic system check which runs every 5 minutes.

    Ok, then the logins are from webmail. Webmail can produce dozens of logins and logouts per minute. One login / logout for every click or read or deleted message.

    So your setup and logs seem to be ok. Your system has not been hacked.
     

Share This Page