[BlueOnyx:07948] Possible Attack
Chris
cwallace at wcnet.org
Mon Aug 1 19:35:49 -05 2011
Logwatch 7.3

Automount Begin
Unmatched Entries
>> /etc/auto.net: line 40: --no-headers: command not found: 1 Time(s)
key ".ftpaccess" not found in map source(s).: 1 Time(s)
Automount End

Dovecot Begin
Unmatched Entries
dovecot: imap-login: Aborted login (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured: 96 Time(s)
dovecot: imap-login: Disconnected (auth failed, 1 attempts):
user=<Administrator>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10: 43 Time(s)
user=<zackary>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10: 33 Time(s)
dovecot: pop3-login: Aborted login (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured: 96 Time(s)
dovecot: pop3-login: Aborted login (no auth attempts): rip=64.221.129.242, lip=192.168.1.10: 1083 Time(s)
dovecot: pop3-login: Disconnected (auth failed, 1 attempts):
user=<trojan>, method=PLAIN, rip=64.221.129.242, lip=192.168.1.10: 1 Time(s)
dovecot: pop3-login: Disconnected (auth failed, 1 attempts):
Dovecot End

pam_unix Begin
dovecot:
Authentication Failures:
help rhost=64.221.129.242 : 1 Time(s)
support rhost=64.221.129.242 : 1 Time(s)
Unknown Entries:
check pass; user unknown: 2 Time(s)
proftpd:
Unknown Entries:
session closed for user admin: 1 Time(s)
session opened for user admin by (uid=0): 1 Time(s)
pam_unix End

proftpd-messages Begin
Unmatched Entries
97 Ignored Lines
proftpd-messages End

Connections (secure-log) Begin
Refused Connections:
Service dovecot:
64.221.129.242: 23272 Time(s)
Connections (secure-log) End

sendmail Begin
SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS
WARNING!!!! Possible Attack:
Attempt from [78.100.55.218] with:
command=AUTH, count=6: 648 Time(s)
Total: 648 Time(s)
Unmatched Entries
STARTTLS=server, relay=pershing.verizonwireless.com [162.115.228.36], field=cn_issuer, status=failed to extract CN: 1 Time(s)
sendmail End
I have been getting a few of these a day but lately have been getting a lot.
Was wondering if there is a way to permanently block an IP address or range.
Also noticed that my mail hasn't been showing the blocked mail from an RBL now.
The log shows a possible break-in, so not sure if it is or not or how to find out.
Thanks in advance for any help.
Here is a copy of my shortened logs that had over 23k logins in under 1 day.