[CentOS] pop3 attack

Ned Slider ned at unixmail.co.uk
Tue Dec 9 21:03:38 UTC 2008


Bill Campbell wrote:
> On Tue, Dec 09, 2008, James Pifer wrote:
>> I was looking at my maillog and it looks like someone is trying to get
>> into my pop3 server. 
>>
>> Dec  9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec  9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec  9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec  9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>> Dec  9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>>
>> How worried should I bee about this? Any suggestions for dealing with
>> it?
> 
> If your users all have good passwords, it isn't much to worry about, but
> then users having good passwords is not all that common.
> 
> Once the cracker finds an account with a guessable password, they may well
> be able to get access to your system as that user via ssh, webmin, usermin,
> or other means.  Given shell access, the cracker can install user-level IRC
> servers or gain root access via exploits that only work for local users.  I
> have seen cases where crackers were able to change user shells and other
> information via usermin or webmin by exploiting vulnerabilities in system
> utilities thus gaining access to the system.
> 

I saw a similar thing attacking smtp-auth (SASL) recently. The moral 
being that any service that authenticates with a username/password is 
open to brute forcing attacks - it's not just ssh we need worry about.




More information about the CentOS mailing list