Attack from logwatch@example.com

danardf

#1
For some days now, I've been getting lots of mail from logwatch@example.com
Code:
 ################### Logwatch 7.3 (03/24/06) #################### 
        Processing Initiated: Sat May  8 04:02:08 2010
        Date Range Processed: yesterday
                              ( 2010-May-07 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: My.host.... 
  ################################################################## 
 
 --------------------- httpd Begin ------------------------ 

 Requests with error response codes
    404 Not Found
       /modules/pbxadmin/js/script.legacy.js: 21 Time(s)
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 runuser-l:
    Unknown Entries:
       session closed for user cyrus: 1 Time(s)
       session opened for user cyrus by (uid=0): 1 Time(s)
 
 sshd:
    Authentication Failures:
       root (114.80.166.219): 147 Time(s)
       root (76.73.39.90): 5 Time(s)
       unknown (114.80.166.219): 3 Time(s)
    Invalid Users:
       Unknown Account: 3 Time(s)
 
 vsftpd:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxxx rhost=h20-41.infocommsoft.com : 3111 Time(s)
       check pass; user unknown: 3111 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- postfix Begin ------------------------ 
30888413 bytes transferred
 486 messages sent
 4 messages expired and returned to sender
 58 messages removed from queue
 
 Connections lost:
    Connection lost while CONNECT : 1 Time(s)
    Connection lost while RCPT : 1 Time(s)
 
 
 **Unmatched Entries**
 
 07C8A7B1562: sender non-delivery notification: 859587B10BB
 375097B2414: sender non-delivery notification: A04B67B1562
 NOQUEUE: reject: RCPT from 123-204-69-243.adsl.dynamic.seed.net.tw[123.204.69.243]:
554 5.7.1 <sseenndd0101@yahoo.com.hk>: Relay access denied; from=<h6koo9b46u@yahoo.com.tw>
to=<sseenndd0101@yahoo.com.hk> proto=SMTP helo=<62.147.210.110>
 
 ---------------------- postfix End ------------------------- 

 
 --------------------- samba Begin ------------------------ 

 
 **Unmatched Entries**
 printing/print_cups.c:cups_connect(69)  Unable to connect to CUPS server localhost:631 - Connection refused
 

Awesomo

#2
I guess you are serious... Example.com is what your domain defaults to on a fresh installation of CentOS. Logwatch is something that also runs on a default installation of CentOS, sending emails with different statistics about certain services running on your server. I'd be more concerned with all those attempts on the root account. Consider installing Fail2Ban. After a few attempts it will blacklist the IP for a period of time.
 
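The threshold logic the reply above describes, written out as an added example (not code from the thread or from Fail2Ban itself): it parses constructed `/var/log/secure`-style `sshd` lines, tallies them per (user, source IP) the way the Logwatch report in post #1 does, and then applies a sliding-window "N failures within T seconds" rule to decide which sources would be blacklisted. The `maxretry`/`findtime` names are borrowed from Fail2Ban's jail options; the sample lines, hostname, PIDs and addresses are made up for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/secure-style lines (made up for this example; not
# taken from the thread). Logwatch's "sshd: Authentication Failures"
# section is a per-(user, ip) count of exactly these lines.
SAMPLE_LOG = """\
May  7 03:00:00 pbx sshd[4101]: Failed password for root from 10.0.0.3 port 40001 ssh2
May  7 03:10:00 pbx sshd[4102]: Failed password for root from 10.0.0.3 port 40002 ssh2
May  7 03:10:01 pbx sshd[4201]: Failed password for root from 203.0.113.7 port 51001 ssh2
May  7 03:10:05 pbx sshd[4202]: Failed password for root from 203.0.113.7 port 51002 ssh2
May  7 03:10:09 pbx sshd[4203]: Failed password for root from 203.0.113.7 port 51003 ssh2
May  7 03:10:20 pbx sshd[4204]: Failed password for root from 203.0.113.7 port 51004 ssh2
May  7 03:10:33 pbx sshd[4205]: Failed password for root from 203.0.113.7 port 51005 ssh2
May  7 03:10:40 pbx sshd[4206]: Failed password for root from 203.0.113.7 port 51006 ssh2
May  7 03:20:00 pbx sshd[4103]: Failed password for root from 10.0.0.3 port 40003 ssh2
May  7 03:30:00 pbx sshd[4104]: Failed password for root from 10.0.0.3 port 40004 ssh2
May  7 03:40:00 pbx sshd[4105]: Failed password for root from 10.0.0.3 port 40005 ssh2
May  7 04:00:00 pbx sshd[4301]: Failed password for root from 198.51.100.9 port 60001 ssh2
May  7 04:00:30 pbx sshd[4302]: Failed password for invalid user admin from 198.51.100.9 port 60002 ssh2
May  7 04:01:00 pbx sshd[4303]: Failed password for root from 198.51.100.9 port 60003 ssh2
May  7 04:05:12 pbx sshd[4400]: Accepted publickey for asterisk from 192.0.2.10 port 33000 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", then the OpenSSH failure message;
# "invalid user" is what produces Logwatch's "Invalid Users" sub-section.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text, year=2010):
    """Return [(timestamp, ip, user), ...] for every failed-password line.

    syslog lines carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def tally(events):
    """Per-(user, ip) counts, the figure Logwatch prints as 'N Time(s)'."""
    return Counter((user, ip) for _ts, ip, user in events)


def logwatch_style(events):
    """Render the tally in the 'root (1.2.3.4): 147 Time(s)' form."""
    return [f"{user} ({ip}): {n} Time(s)"
            for (user, ip), n in tally(events).most_common()]


def ban_candidates(events, maxretry=5, findtime=600):
    """Sliding-window rule: an IP becomes a ban candidate the moment it has
    `maxretry` failures inside any `findtime`-second window. Returns
    {ip: time_of_the_triggering_failure}. A slow attacker who spaces
    attempts wider than the window never trips it, which is why a
    higher-level view like the daily tally is still worth reading."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("\n".join(logwatch_style(evs)))
    for ip, when in ban_candidates(evs).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

With the constructed input, 203.0.113.7 trips the rule on its fifth failure (03:10:33) while 10.0.0.3, which spaces its five attempts exactly ten minutes apart, never does; Fail2Ban's `sshd` filter applies the same idea to the real `/var/log/secure`, and its `vsftpd` filter would do likewise for the 3111 failures from a single host in the report above.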

danardf

#3
Thanks for your reply.

I know that some script in the crontab does this at around 4:25 AM. But that's all, and nothing is bad.
But it's only this:

Code:
NOQUEUE: reject: RCPT from 123-204-69-243.adsl.dynamic.seed.net.tw[123.204.69.243]:
554 5.7.1 <sseenndd0101@yahoo.com.hk>: Relay access denied; from=<h6koo9b46u@yahoo.com.tw>
to=<sseenndd0101@yahoo.com.hk> proto=SMTP helo=<xxxxxxxxxxx>
These mails seem to be SPAM. But these mails are rejected.
Also, I deleted the job: /etc/cron.daily/0logwatch.old -> /usr/share/logwatch/scripts/logwatch.pl

Today, I don't have any message in the queue (postfix).
 

nihastkd

#4
I also have the same problem...

I have been receiving around 3 mails per day.
These mails seem to be very useful; they contain the unsuccessful attempts and some logs.
Are these mails fake?
The real thing is:
I didn't create any domain or mail account on the server.
But I got some mails from logwatch@example.com
to a non-existing address root@xxxxxxxxxxx.dyndns.org...
But for some reason these mails are diverted to my mail account,
and this xxxxxxxxxx.dyndns.org is using our router to trace the IP...

I am also new to Elastix.

So how can I stop these mails??

And why does this happen??
Please help me...
 

Lee Sharp

#5
You can modify the configuration of logwatch... Go to /etc/logwatch/conf and edit logwatch.conf using the default at /usr/share/logwatch/default.conf/logwatch.conf as a template. But, you might also want to FIX THE PROBLEM before someone hacks into your box and commits scams traceable back to you.
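An added example of such an override (not from the thread; the addresses are placeholders): /etc/logwatch/conf/logwatch.conf needs to contain only the keys that differ from /usr/share/logwatch/default.conf/logwatch.conf, since Logwatch reads the default file first and the local one on top of it.

```ini
# /etc/logwatch/conf/logwatch.conf  (local override; placeholder values)
# Only keys that differ from /usr/share/logwatch/default.conf/logwatch.conf
# need to appear here.

# The default is "MailTo = root", which is why the report lands at
# root@<hostname> and follows whatever alias or forwarding that has.
MailTo = admin@example.org
MailFrom = logwatch@pbx.example.org

# What period the report covers and how verbose it is
# (Detail accepts Low/Med/High or a number 0-10).
Range = yesterday
Detail = Low

# Keep every service, but drop the samba section, which here only
# repeats the "Unable to connect to CUPS server" noise.
Service = All
Service = "-samba"
```

To check the result without waiting for the nightly cron job, run `logwatch --print` (writes the report to stdout instead of mailing it); the same options can be overridden on the command line, e.g. `logwatch --range yesterday --mailto admin@example.org`. Note that this only changes where the report goes; the sshd and vsftpd failures in it are still there.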
 

nihastkd

#6
Thanks Lee.

I changed the line to Mailto = nihas.n@mymaildomain.com instead of the default mailto = root
in the logwatch.conf file in /etc/logwatch/conf.

But I still received the same mails daily...

At last I made some changes in the postfix/main.cf configuration file.
But now the problem is we can't get any voicemail email notifications...

I strongly suspect some problem in my editing of main.cf...
Can you help me with the required details for sending out these voicemail notifications?
 

Lee Sharp

#7
The mail server uses the same engine to send out logwatch as it does to send out voicemail. If you did something to stop one, it is probably what stopped the other.
 
