[CentOS] pop3 attack

Tue Dec 9 20:33:09 UTC 2008
Bill Campbell <centos at celestial.com>

On Tue, Dec 09, 2008, James Pifer wrote:
>I was looking at my maillog and it looks like someone is trying to get
>into my pop3 server. 
>
>Dec  9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>Dec  9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>Dec  9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>Dec  9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>Dec  9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
>
>How worried should I be about this? Any suggestions for dealing with
>it?

If your users all have good passwords, it isn't much to worry about, but
then users having good passwords is not all that common.

Once the cracker finds an account with a guessable password, they may well
be able to get access to your system as that user via ssh, webmin, usermin,
or other means.  Given shell access, the cracker can install user-level IRC
servers or gain root access via exploits that only work for local users.  I
have seen cases where crackers were able to change user shells and other
information via usermin or webmin by exploiting vulnerabilities in system
utilities thus gaining access to the system.

Setting all users shells to /bin/false where they don't need to have shell
access helps towards securing the systems, although this may not be
sufficient (I saw a system where /bin/false had been replaced with
/bin/bash).

You should also notify abuse at covad.com about these attempts from their
network, sending them the log entries with your local time zone so they
may be able to figure out which of their users was doing this.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

If you want government to intervene domestically, you're a liberal.  If you
want government to intervene overseas, you're a conservative.  If you want
government to intervene everywhere, you're a moderate.  If you don't want
government to intervene anywhere, you're an extremist -- Joseph Sobran
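The triage Bill describes (spot the host cycling through usernames, then hand the abuse desk log entries that carry an explicit time zone) is easy to script. The following is an added example, not code from the thread or from Dovecot: it parses Dovecot "Aborted login" lines of the shape James posted, groups them by remote IP, flags any IP with a burst of failures inside a sliding window, and renders the evidence with the local UTC offset and a UTC equivalent on every line. The sample log is constructed (its first five lines mirror the quoted ones, the last two are a local user's own typo and successful login), and the log year, the server time zone, the threshold and the window length are all assumptions to be adjusted for the real server.

```python
#!/usr/bin/env python3
"""Flag POP3/IMAP password guessing in a Dovecot maillog and draft an abuse report.

Added example, not from the original thread or from Dovecot. Sample log
lines are constructed; LOG_YEAR, LOCAL_TZ, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions: syslog stamps carry neither year nor zone, so both are supplied here.
LOG_YEAR = 2008
LOCAL_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed sample: the first five lines mirror those quoted in the thread,
# the last two are a legitimate local user mistyping a password, then logging in.
SAMPLE_LOG = """\
Dec  9 15:28:54 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:08 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:14 mailserver dovecot: pop3-login: Aborted login: user=<alexis>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:18 mailserver dovecot: pop3-login: Aborted login: user=<alfonso>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:29:36 mailserver dovecot: pop3-login: Aborted login: user=<alfred>, method=PLAIN, rip=::ffff:66.167.184.203, lip=::ffff:192.168.1.2
Dec  9 15:40:02 mailserver dovecot: pop3-login: Aborted login: user=<james>, method=PLAIN, rip=::ffff:192.168.1.50, lip=::ffff:192.168.1.2
Dec  9 15:41:10 mailserver dovecot: pop3-login: Login: user=<james>, method=PLAIN, rip=::ffff:192.168.1.50, lip=::ffff:192.168.1.2
"""

# Only failed logins are of interest; successful "Login:" lines do not match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ dovecot: (?P<svc>pop3|imap)-login: Aborted login: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>\S+)"
)


def strip_mapped(addr):
    """Dovecot logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); return a.b.c.d."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def parse_line(line, year=LOG_YEAR, tz=LOCAL_TZ):
    """Return a dict for an 'Aborted login' line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{m['mon']} {int(m['day']):02d} {year} {m['time']}"
    ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S").replace(tzinfo=tz)
    return {"ts": ts, "svc": m["svc"], "user": m["user"],
            "method": m["method"], "rip": strip_mapped(m["rip"])}


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Group failures by remote IP; return those with >= threshold failures
    inside any sliding window of the given length (two-pointer scan)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["rip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = events
                break
    return flagged


def abuse_report(ip, events):
    """Format the evidence for an abuse desk: every timestamp with its UTC
    offset and a UTC rendering, plus the list of usernames tried."""
    users = sorted({e["user"] for e in events})
    head = (f"Repeated failed {events[0]['svc'].upper()} logins from {ip} "
            f"({len(events)} attempts; usernames tried: {', '.join(users)})\n"
            f"Timestamps are {LOCAL_TZ.tzname(None)} "
            f"({events[0]['ts'].strftime('%z')}), UTC shown alongside.\n")
    rows = [f"  {e['ts'].isoformat()}  "
            f"({e['ts'].astimezone(timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')})  "
            f"user=<{e['user']}> method={e['method']}" for e in events]
    return head + "\n".join(rows)


if __name__ == "__main__":
    for ip, evs in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(abuse_report(ip, evs))
```

Run against the real file with `find_bruteforcers(open("/var/log/maillog"))` after setting LOCAL_TZ to the server's zone. The sliding window is what keeps a single user fat-fingering a password out of the report while still catching a slow dictionary run that stays under any per-minute rate.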