Attack from logwatch@example.com

Discussion in 'General' started by danardf, May 12, 2010.

  1. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    For some days now, I've had lots of mail from logwatch@example.com
    Code:
     ################### Logwatch 7.3 (03/24/06) #################### 
            Processing Initiated: Sat May  8 04:02:08 2010
            Date Range Processed: yesterday
                                  ( 2010-May-07 )
                                  Period is day.
          Detail Level of Output: 0
                  Type of Output: unformatted
               Logfiles for Host: My.host.... 
      ################################################################## 
     
     --------------------- httpd Begin ------------------------ 
    
     Requests with error response codes
        404 Not Found
           /modules/pbxadmin/js/script.legacy.js: 21 Time(s)
     
     ---------------------- httpd End ------------------------- 
    
     
     --------------------- pam_unix Begin ------------------------ 
    
     runuser-l:
        Unknown Entries:
           session closed for user cyrus: 1 Time(s)
           session opened for user cyrus by (uid=0): 1 Time(s)
     
     sshd:
        Authentication Failures:
           root (114.80.166.219): 147 Time(s)
           root (76.73.39.90): 5 Time(s)
           unknown (114.80.166.219): 3 Time(s)
        Invalid Users:
           Unknown Account: 3 Time(s)
     
     vsftpd:
        Unknown Entries:
           authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxxx rhost=h20-41.infocommsoft.com
    : 3111 Time(s)
           check pass; user unknown: 3111 Time(s)
     
     
     ---------------------- pam_unix End ------------------------- 
    
     
     --------------------- postfix Begin ------------------------ 
    30888413 bytes transferred
     486 messages sent
     4 messages expired and returned to sender
     58 messages removed from queue
     
     Connections lost:
        Connection lost while CONNECT : 1 Time(s)
        Connection lost while RCPT : 1 Time(s)
     
     
     **Unmatched Entries**
     
     07C8A7B1562: sender non-delivery notification: 859587B10BB
     375097B2414: sender non-delivery notification: A04B67B1562
     NOQUEUE: reject: RCPT from 123-204-69-243.adsl.dynamic.seed.net.tw[123.204.69.243]:
    554 5.7.1 <sseenndd0101@yahoo.com.hk>: Relay access denied; from=<h6koo9b46u@yahoo.com.tw>
    to=<sseenndd0101@yahoo.com.hk> proto=SMTP helo=<62.147.210.110>
     
     ---------------------- postfix End ------------------------- 
    
     
     --------------------- samba Begin ------------------------ 
    
     
     **Unmatched Entries**
     printing/print_cups.c:cups_connect(69)  Unable to connect to CUPS server localhost:631
    - Connexion refus
     
  2. Awesomo

    Joined:
    Nov 5, 2009
    Messages:
    32
    Likes Received:
    0
    I guess you are serious... Example.com is what your domain defaults to on a fresh installation of CentOS. Logwatch is something that also runs on a default installation of CentOS, sending emails with different statistics about certain services running on your server. I'd be more concerned with all those attempts on the root account. Consider installing Fail2Ban. After a few attempts it will blacklist the IP for a period of time.
     
  3. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Thanks for your reply.

    I know that some script in the crontab does this around 4h25 AM. But that's all and nothing is bad.
    But it's only that:

    Code:
    NOQUEUE: reject: RCPT from 123-204-69-243.adsl.dynamic.seed.net.tw[123.204.69.243]:
    554 5.7.1 <sseenndd0101@yahoo.com.hk>: Relay access denied; from=<h6koo9b46u@yahoo.com.tw>
    to=<sseenndd0101@yahoo.com.hk> proto=SMTP helo=<xxxxxxxxxxx>
    These mails seem to be SPAM. But these mails are rejected.
    Else, I deleted the job: /etc/cron.daily/0logwatch.old -> /usr/share/logwatch/scripts/logwatch.pl

    Today, I don't have any message in the queue (postfix).
     
  4. nihastkd

    Joined:
    Oct 20, 2010
    Messages:
    25
    Likes Received:
    0
    I also have the same problem...

    I have been receiving around 3 mails per day.
    These mails seem to be very useful; they contain the unsuccessful attempts and some logs.
    Are these mails fake?
    The real thing is:
    I didn't create any domain or mail account on the server.
    But I got some mails from logwatch@example.com
    to a non-existing address root@xxxxxxxxxxx.dyndns.org...
    But for some reason these mails are diverted to my mail account.
    And this xxxxxxxxxx.dyndns.org is using our router to trace the IP...

    I am also new to Elastix.

    So how can I stop these mails?

    And why does this happen?
    Please help me...
     
  5. Lee Sharp

    Joined:
    Sep 28, 2010
    Messages:
    332
    Likes Received:
    0
    You can modify the configuration of logwatch... Go to /etc/logwatch/conf and edit logwatch.conf using the default at /usr/share/logwatch/default.conf/logwatch.conf as a template. But you might also want to FIX THE PROBLEM before someone hacks into your box and commits scams traceable back to you.
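    To do what Lee describes without hand-editing, here is an added shell example; it is not code from this thread and not part of logwatch. It copies the packaged default to /etc/logwatch/conf/logwatch.conf when no local copy exists, then sets or replaces a single `Key = value` line in the local copy. The two paths default to the ones Lee names and can be overridden through the LOGWATCH_DEFAULT and LOGWATCH_LOCAL variables; treating option names as case-insensitive (so `mailto` and `MailTo` are the same option) is an assumption about how logwatch reads its config.

```shell
#!/bin/sh
# Added example (not from the thread): maintain a local logwatch.conf
# override built from the packaged default. Paths default to the ones named
# in the thread; override them through the environment for testing.

LOGWATCH_DEFAULT="${LOGWATCH_DEFAULT:-/usr/share/logwatch/default.conf/logwatch.conf}"
LOGWATCH_LOCAL="${LOGWATCH_LOCAL:-/etc/logwatch/conf/logwatch.conf}"

# set_logwatch_option KEY VALUE
# Creates the local file from the default if it is missing, then replaces
# the first existing "KEY = ..." line (key compared case-insensitively,
# assumption: logwatch treats keys that way) or appends one at the end.
# Any further duplicate lines for the same key are dropped.
set_logwatch_option() {
  key="$1"; value="$2"
  if [ ! -f "$LOGWATCH_LOCAL" ]; then
    mkdir -p "$(dirname "$LOGWATCH_LOCAL")"
    cp "$LOGWATCH_DEFAULT" "$LOGWATCH_LOCAL"
  fi
  tmp="$LOGWATCH_LOCAL.tmp.$$"
  awk -v k="$key" -v v="$value" '
    BEGIN { lk = tolower(k); done = 0 }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      # Only "name = value" lines that are not comments are candidates.
      if (line !~ /^#/ && index(line, "=") > 0) {
        name = substr(line, 1, index(line, "=") - 1)
        gsub(/[ \t]+$/, "", name)
        if (tolower(name) == lk) {
          if (!done) { print k " = " v; done = 1 }
          next
        }
      }
      print
    }
    END { if (!done) print k " = " v }' "$LOGWATCH_LOCAL" > "$tmp" \
    && mv "$tmp" "$LOGWATCH_LOCAL"
}

# get_logwatch_option KEY
# Prints the value of KEY from the local file (last occurrence wins),
# or nothing if the key is not set.
get_logwatch_option() {
  awk -v k="$1" '
    BEGIN { lk = tolower(k) }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (line ~ /^#/ || index(line, "=") == 0) next
      name = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]+$/, "", name)
      if (tolower(name) == lk) {
        val = substr(line, index(line, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val
      }
    }' "$LOGWATCH_LOCAL" | tail -n 1
}

# Stand-alone usage (needs root for the default paths):
#   set_logwatch_option MailTo admin@example.com   (example address)
#   get_logwatch_option MailTo
```

    Setting `MailTo` only changes where the daily report goes, and `Detail` or the `Service` lines change what it contains; none of that removes the failed root logins the report is describing, which is Lee's point.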
     
  6. nihastkd

    Joined:
    Oct 20, 2010
    Messages:
    25
    Likes Received:
    0
    Thanks Lee...

    I changed the line to Mailto = nihas.n@mymaildomain.com instead of the default mailto = root
    in the logwatch.conf file in /etc/logwatch/conf.

    But I still received the same mails daily...

    At last I made some changes in the postfix/main.cf file configuration.
    But now the problem is we can't get any voicemail email notifications...

    I hardly believe there is some problem in my editing of main.cf...
    Can you help me with what the required details are for sending out these voicemail notifications?
     
  7. Lee Sharp

    Joined:
    Sep 28, 2010
    Messages:
    332
    Likes Received:
    0
    The mail server uses the same engine to send out logwatch as it does to send out voicemail. If you did something to stop one, it is probably what stopped the other.
     
