Worrysome mail and mail.warn logs


1 reply to this topic

#1 thejestre

thejestre

  • Members
  • 25 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 02 September 2010 - 04:34 PM

So I'm pretty new at administering a Linux server, but I know how to use Google and read how-tos. I have an Ubuntu 8.10 server with ISPConfig to help me administer the beast. So I was looking at the mail logs and noticed what I think is a lot of activity. I am the only one who is supposed to have access to email on it, and I rarely ever send or receive email on it. There are a lot of entries in the log that worry me. Have spammers hacked me? Log snippet below.

Sep 2 14:00:01 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:00:01 up pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 2 14:00:01 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:00:01 up imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 2 14:00:01 up postfix/smtpd[10872]: connect from localhost.localdomain[127.0.0.1]
Sep 2 14:00:01 up postfix/smtpd[10872]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep 2 14:00:01 up postfix/smtpd[10872]: disconnect from localhost.localdomain[127.0.0.1]
Sep 2 14:05:01 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:05:01 up pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 2 14:05:01 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:05:01 up imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 2 14:05:01 up postfix/smtpd[30022]: connect from localhost.localdomain[127.0.0.1]
Sep 2 14:05:01 up postfix/smtpd[30022]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep 2 14:05:01 up postfix/smtpd[30022]: disconnect from localhost.localdomain[127.0.0.1]
Sep 2 14:10:01 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:10:01 up pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 2 14:10:01 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:10:01 up imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep 2 14:10:01 up postfix/smtpd[30180]: connect from localhost.localdomain[127.0.0.1]
Sep 2 14:10:01 up postfix/smtpd[30180]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep 2 14:10:01 up postfix/smtpd[30180]: disconnect from localhost.localdomain[127.0.0.1]
Sep 2 14:15:02 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:15:02 up pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep 2 14:15:02 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep 2 14:15:02 up imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0

There are also similar entries for postfix/smtpd in the log but not in the snippet.
Is this normal activity?

Thanks in advance,

_theJestre
Edit: also the below worries me, and no, that is not my IP address.
Aug 30 20:52:56 up amavis[12561]: (12561-18) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Aug 30 20:52:57 up amavis[17640]: (17640-01) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at /usr/lib/perl/5.10/IO/File.pm line 66. at /usr/sbin/amavisd-new line 2892.
Aug 30 21:08:44 up spamd[3894]: prefork: empty order from parent at /usr/share/perl5/Mail/SpamAssassin/SpamdForkScaling.pm line 593.
Aug 30 21:08:44 up spamd[3895]: prefork: empty order from parent at /usr/share/perl5/Mail/SpamAssassin/SpamdForkScaling.pm line 593.
Aug 31 15:01:58 up pop3d: Maximum connection limit reached for ::ffff:12.154.157.147
Aug 31 15:02:29 up last message repeated 86 times
Aug 31 15:03:30 up last message repeated 272 times
Aug 31 15:03:52 up last message repeated 108 times
Aug 31 15:05:07 up last message repeated 54 times
Aug 31 15:06:53 up pop3d: Maximum connection limit reached for ::ffff:12.154.157.147

Edited by thejestre, 02 September 2010 - 05:07 PM.
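Added example, not part of thejestre's post: a small script that summarises a mail.log excerpt of this shape so the two kinds of entry in the post can be told apart by the numbers rather than by eye. It expands syslog's "last message repeated N times" markers into the count they stand for, tallies accepted connections per (service, source address), flags loopback sources that connect at one fixed interval (what a scheduled local service check looks like), and reports how many times the pop3d connection cap was hit per remote address. The sample lines are constructed after the ones posted above; the remote address 203.0.113.5 is a documentation placeholder, not the address from the post.

```python
"""Summarise who is connecting to the mail services from a mail.log excerpt.

Added example, not from the thread. SAMPLE is constructed after the lines
posted above; 203.0.113.5 is a placeholder remote address.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# "Mon DD HH:MM:SS host program[pid]: message" as written by syslog
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# syslog collapses identical consecutive lines into this marker
REPEAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"last message repeated (?P<n>\d+) times$"
)
# IPv4 address, with or without the ::ffff: prefix courier uses for mapped addresses
IP_RE = re.compile(r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})")
LOOPBACK = {"127.0.0.1"}


def parse_events(lines):
    """Yield (timestamp, program, message); a repeat marker yields N copies
    of the preceding message, stamped with the marker's time."""
    prev = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            prev = (m["ts"], m["prog"], m["msg"])
            yield prev
            continue
        r = REPEAT_RE.match(line)
        if r and prev is not None:
            for _ in range(int(r["n"])):
                yield (r["ts"], prev[1], prev[2])


def summarize(lines):
    conns = Counter()        # (program, source ip) -> accepted connections
    limit_hits = Counter()   # source ip -> times pop3d refused for the connection cap
    seen_at = defaultdict(list)
    for ts, prog, msg in parse_events(lines):
        ip_m = IP_RE.search(msg)
        ip = ip_m.group(1) if ip_m else "unknown"
        is_conn = ((prog in ("pop3d", "imapd") and msg.startswith("Connection,"))
                   or (prog == "postfix/smtpd" and msg.startswith("connect from")))
        if is_conn:
            conns[(prog, ip)] += 1
            seen_at[(prog, ip)].append(datetime.strptime(ts, "%b %d %H:%M:%S"))
        elif prog == "pop3d" and "Maximum connection limit reached" in msg:
            limit_hits[ip] += 1
    return conns, limit_hits, seen_at


def intervals(stamps):
    """Distinct gaps in seconds between consecutive connections."""
    s = sorted(stamps)
    return sorted({int((b - a).total_seconds()) for a, b in zip(s, s[1:])})


def report(lines):
    conns, limit_hits, seen_at = summarize(lines)
    # three or more loopback connections at one fixed gap: a scheduled local check
    periodic = sorted(key for key, n in conns.items()
                      if key[1] in LOOPBACK and n >= 3 and len(intervals(seen_at[key])) == 1)
    remote = ({ip for _, ip in conns} | set(limit_hits)) - LOOPBACK
    return {"connections": dict(conns), "periodic_loopback": periodic,
            "limit_hits": dict(limit_hits), "remote_sources": remote}


# constructed sample: three 5-minute loopback cycles, then a remote address
# hitting the pop3d connection cap 360 times in total (1 + 86 + 272 + 1)
SAMPLE = """\
Sep  2 14:00:01 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep  2 14:00:01 up pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Sep  2 14:00:01 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep  2 14:00:01 up imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Sep  2 14:00:01 up postfix/smtpd[10872]: connect from localhost.localdomain[127.0.0.1]
Sep  2 14:00:01 up postfix/smtpd[10872]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep  2 14:00:01 up postfix/smtpd[10872]: disconnect from localhost.localdomain[127.0.0.1]
Sep  2 14:05:01 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep  2 14:05:01 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep  2 14:05:01 up postfix/smtpd[30022]: connect from localhost.localdomain[127.0.0.1]
Sep  2 14:10:01 up pop3d: Connection, ip=[::ffff:127.0.0.1]
Sep  2 14:10:01 up imapd: Connection, ip=[::ffff:127.0.0.1]
Sep  2 14:10:01 up postfix/smtpd[30180]: connect from localhost.localdomain[127.0.0.1]
Aug 31 15:01:58 up pop3d: Maximum connection limit reached for ::ffff:203.0.113.5
Aug 31 15:02:29 up last message repeated 86 times
Aug 31 15:03:30 up last message repeated 272 times
Aug 31 15:06:53 up pop3d: Maximum connection limit reached for ::ffff:203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real file with `report(open("/var/log/mail.log").readlines())`. The loopback entries come out as periodic with a single 300-second gap and no mail transaction behind them; the connection-cap lines are the ones worth a look, since the repeat markers hide how many refusals a single remote address generated.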



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:11:37 PM

Posted 05 September 2010 - 01:48 PM

Those are all normal logs.

This is what you should see if mail was going in and out:

Sep  5 14:12:03 cryptodan postfix/smtpd[13757]: connect from hermes.apache.org[140.211.11.3]
Sep  5 14:12:04 cryptodan postfix/smtpd[13757]: A1A6833BA6: client=hermes.apache.org[140.211.11.3]
Sep  5 14:12:04 cryptodan postfix/cleanup[13762]: A1A6833BA6: message-id=<AANLkTimWhsKucMBgmrkP20o+ystGdwy8Ji=A66-7LvtF@mail.gmail.com>
Sep  5 14:12:04 cryptodan postfix/qmgr[1122]: A1A6833BA6: from=<users-return-96789-cryptodan=cryptodan.net@httpd.apache.org>, size=5529, nrcpt=1 (queue active)
Sep  5 14:12:04 cryptodan postfix/local[13763]: A1A6833BA6: to=<cryptodan@cryptodan.net>, relay=local, delay=0.95, delays=0.94/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep  5 14:12:04 cryptodan postfix/qmgr[1122]: A1A6833BA6: removed
Sep  5 14:12:05 cryptodan postfix/smtpd[13757]: disconnect from hermes.apache.org[140.211.11.3]
Sep  5 14:15:25 cryptodan postfix/anvil[13760]: statistics: max connection rate 1/60s for (smtp:140.211.11.3) at Sep  5 14:12:03
Sep  5 14:15:25 cryptodan postfix/anvil[13760]: statistics: max connection count 1 for (smtp:140.211.11.3) at Sep  5 14:12:03
Sep  5 14:15:25 cryptodan postfix/anvil[13760]: statistics: max cache size 1 at Sep  5 14:12:03
Sep  5 14:57:51 cryptodan postfix/smtpd[13870]: connect from mxphxpool22.ebay.com[66.211.161.22]
Sep  5 14:57:53 cryptodan postfix/smtpd[13870]: 986CC33BA6: client=mxphxpool22.ebay.com[66.211.161.22]
Sep  5 14:57:53 cryptodan postfix/cleanup[13875]: 986CC33BA6: message-id=<6444393.1283699195899.JavaMail.ebba@sjcbat102>
Sep  5 14:57:53 cryptodan postfix/qmgr[1122]: 986CC33BA6: from=<ebay@ebay.com>, size=22871, nrcpt=1 (queue active)
Sep  5 14:57:53 cryptodan postfix/local[13876]: 986CC33BA6: to=<cryptodan@cryptodan.net>, orig_to=<dan502@woa.homeip.net>, relay=local, delay=2.2, delays=2.2/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep  5 14:57:53 cryptodan postfix/qmgr[1122]: 986CC33BA6: removed
Sep  5 14:57:53 cryptodan postfix/smtpd[13870]: disconnect from mxphxpool22.ebay.com[66.211.161.22]
Sep  5 15:01:13 cryptodan postfix/anvil[13873]: statistics: max connection rate 1/60s for (smtp:66.211.161.22) at Sep  5 14:57:51
Sep  5 15:01:13 cryptodan postfix/anvil[13873]: statistics: max connection count 1 for (smtp:66.211.161.22) at Sep  5 14:57:51
Sep  5 15:01:13 cryptodan postfix/anvil[13873]: statistics: max cache size 1 at Sep  5 14:57:51
Sep  5 17:40:50 cryptodan postfix/smtpd[14242]: connect from hermes.apache.org[140.211.11.3]
Sep  5 17:40:52 cryptodan postfix/smtpd[14242]: 434D633BA6: client=hermes.apache.org[140.211.11.3]
Sep  5 17:40:52 cryptodan postfix/cleanup[14246]: 434D633BA6: message-id=<4C83D862.7070300@gmail.com>
Sep  5 17:40:52 cryptodan postfix/qmgr[1122]: 434D633BA6: from=<users-return-96790-cryptodan=cryptodan.net@httpd.apache.org>, size=5586, nrcpt=1 (queue active)
Sep  5 17:40:52 cryptodan postfix/local[14247]: 434D633BA6: to=<cryptodan@cryptodan.net>, relay=local, delay=1.4, delays=1.4/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep  5 17:40:52 cryptodan postfix/qmgr[1122]: 434D633BA6: removed
Sep  5 17:40:52 cryptodan postfix/smtpd[14242]: disconnect from hermes.apache.org[140.211.11.3]
Sep  5 17:44:12 cryptodan postfix/anvil[14244]: statistics: max connection rate 1/60s for (smtp:140.211.11.3) at Sep  5 17:40:50
Sep  5 17:44:12 cryptodan postfix/anvil[14244]: statistics: max connection count 1 for (smtp:140.211.11.3) at Sep  5 17:40:50
Sep  5 17:44:12 cryptodan postfix/anvil[14244]: statistics: max cache size 1 at Sep  5 17:40:50
Sep  5 18:01:36 cryptodan postfix/smtpd[14289]: connect from hermes.apache.org[140.211.11.3]
Sep  5 18:01:37 cryptodan postfix/smtpd[14289]: 8120833BA6: client=hermes.apache.org[140.211.11.3]
Sep  5 18:01:37 cryptodan postfix/cleanup[14294]: 8120833BA6: message-id=<p05100302c8a98bd0c886@[192.168.1.14]>
Sep  5 18:01:37 cryptodan postfix/qmgr[1122]: 8120833BA6: from=<users-return-96791-cryptodan=cryptodan.net@httpd.apache.org>, size=3062, nrcpt=1 (queue active)
Sep  5 18:01:37 cryptodan postfix/local[14295]: 8120833BA6: to=<cryptodan@cryptodan.net>, relay=local, delay=0.95, delays=0.94/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep  5 18:01:37 cryptodan postfix/qmgr[1122]: 8120833BA6: removed
Sep  5 18:01:37 cryptodan postfix/smtpd[14289]: disconnect from hermes.apache.org[140.211.11.3]
Sep  5 18:04:57 cryptodan postfix/anvil[14292]: statistics: max connection rate 1/60s for (smtp:140.211.11.3) at Sep  5 18:01:36
Sep  5 18:04:57 cryptodan postfix/anvil[14292]: statistics: max connection count 1 for (smtp:140.211.11.3) at Sep  5 18:01:36
Sep  5 18:04:57 cryptodan postfix/anvil[14292]: statistics: max cache size 1 at Sep  5 18:01:36
Sep  5 18:09:47 cryptodan postfix/smtpd[14311]: connect from hermes.apache.org[140.211.11.3]
Sep  5 18:09:48 cryptodan postfix/smtpd[14311]: D8CA033BA6: client=hermes.apache.org[140.211.11.3]
Sep  5 18:09:49 cryptodan postfix/cleanup[14315]: D8CA033BA6: message-id=<AANLkTinPi4wSSSU8r2Gd-rLwjq=AurgVHakdY4WRzrNA@mail.gmail.com>
Sep  5 18:09:49 cryptodan postfix/qmgr[1122]: D8CA033BA6: from=<users-return-96792-cryptodan=cryptodan.net@httpd.apache.org>, size=3866, nrcpt=1 (queue active)
Sep  5 18:09:49 cryptodan postfix/local[14316]: D8CA033BA6: to=<cryptodan@cryptodan.net>, relay=local, delay=1.9, delays=1.9/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep  5 18:09:49 cryptodan postfix/qmgr[1122]: D8CA033BA6: removed
Sep  5 18:09:49 cryptodan postfix/smtpd[14311]: disconnect from hermes.apache.org[140.211.11.3]
Sep  5 18:13:09 cryptodan postfix/anvil[14313]: statistics: max connection rate 1/60s for (smtp:140.211.11.3) at Sep  5 18:09:47
Sep  5 18:13:09 cryptodan postfix/anvil[14313]: statistics: max connection count 1 for (smtp:140.211.11.3) at Sep  5 18:09:47
Sep  5 18:13:09 cryptodan postfix/anvil[14313]: statistics: max cache size 1 at Sep  5 18:09:47
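Added example, not part of cryptodan's post: the log above shows the shape of a real delivery, where a Postfix queue ID ties together the smtpd client line, the cleanup message-id, the qmgr from/size line, the delivery agent's to/status line and the final "removed". The script below rebuilds one record per queue ID from such lines and classifies each as delivered, deferred, bounced or incomplete. Lines without a queue ID (connect, disconnect, lost connection, anvil statistics), which are all the first post's snippet contains, produce no record at all, which is the quick way to confirm that nothing was actually accepted or relayed. The sample lines are constructed with placeholder hosts, addresses and queue IDs (0C0FFEE001, 0BADCAFE02), not values from either post.

```python
"""Rebuild one delivery record per Postfix queue ID from mail.log lines.

Added example, not from the thread. SAMPLE is constructed after the lines
posted above; hosts, addresses and queue IDs are placeholders.
"""
import re
from collections import defaultdict

# "Mon DD HH:MM:SS host program[pid]: message" as written by syslog
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# default (short) Postfix queue IDs are upper-case hex; connect/disconnect and
# anvil "statistics:" lines carry none, so they never produce a record
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")


def correlate(lines):
    """Merge every 'QID: key=value, ...' line into one dict per queue ID."""
    records = defaultdict(dict)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or not m["prog"].startswith("postfix/"):
            continue
        q = QID_RE.match(m["msg"])
        if not q:
            continue
        rec = records[q["qid"]]
        rec.setdefault("first_seen", m["ts"])
        rec["last_seen"] = m["ts"]
        if q["rest"] == "removed":
            rec["removed"] = True    # qmgr took it out of the active queue
            continue
        # "key=value, key=value ..." fields; envelope addresses lose their <>
        for part in q["rest"].split(", "):
            key, sep, val = part.partition("=")
            if sep:
                rec[key] = val.strip("<>")
    return dict(records)


def classify(rec):
    """Where a message got to: 'delivered', 'deferred', 'bounced' or 'incomplete'."""
    status = rec.get("status", "")
    if status.startswith("sent") and rec.get("removed"):
        return "delivered"
    for outcome in ("deferred", "bounced"):
        if status.startswith(outcome):
            return outcome
    return "incomplete"


def summarize(lines):
    """Queue ID -> outcome for every message that Postfix actually accepted."""
    return {qid: classify(rec) for qid, rec in correlate(lines).items()}


# constructed sample: one complete delivery, one probe-style connection that
# never reaches the queue, and one message that could not be relayed yet
SAMPLE = """\
Sep  5 14:12:03 mail postfix/smtpd[13757]: connect from mx.example.net[198.51.100.7]
Sep  5 14:12:04 mail postfix/smtpd[13757]: 0C0FFEE001: client=mx.example.net[198.51.100.7]
Sep  5 14:12:04 mail postfix/cleanup[13762]: 0C0FFEE001: message-id=<constructed-1@example.net>
Sep  5 14:12:04 mail postfix/qmgr[1122]: 0C0FFEE001: from=<sender@example.net>, size=5529, nrcpt=1 (queue active)
Sep  5 14:12:04 mail postfix/local[13763]: 0C0FFEE001: to=<admin@example.org>, relay=local, delay=0.95, delays=0.94/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Sep  5 14:12:04 mail postfix/qmgr[1122]: 0C0FFEE001: removed
Sep  5 14:12:05 mail postfix/smtpd[13757]: disconnect from mx.example.net[198.51.100.7]
Sep  5 14:15:25 mail postfix/anvil[13760]: statistics: max connection rate 1/60s for (smtp:198.51.100.7) at Sep  5 14:12:03
Sep  5 14:20:01 mail postfix/smtpd[13800]: connect from localhost.localdomain[127.0.0.1]
Sep  5 14:20:01 mail postfix/smtpd[13800]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep  5 14:20:01 mail postfix/smtpd[13800]: disconnect from localhost.localdomain[127.0.0.1]
Sep  5 14:31:10 mail postfix/smtpd[13850]: 0BADCAFE02: client=mx2.example.com[203.0.113.9]
Sep  5 14:31:10 mail postfix/qmgr[1122]: 0BADCAFE02: from=<other@example.com>, size=2200, nrcpt=1 (queue active)
Sep  5 14:31:12 mail postfix/smtp[13855]: 0BADCAFE02: to=<user@example.org>, relay=none, delay=2, delays=1/0/1/0, dsn=4.4.1, status=deferred (connect to relay.example.org[203.0.113.20]:25: Connection timed out)
""".splitlines()

if __name__ == "__main__":
    for qid, rec in correlate(SAMPLE).items():
        print(qid, classify(rec), rec.get("client"), rec.get("from"), rec.get("to"))
```

Against a full mail.log, `summarize()` gives the set of messages the server accepted and what became of them; a server that only ever shows the connect/lost connection/disconnect triple from loopback, as in the first post, returns an empty dict. Any record whose `client` is a remote host and whose `to` is not a local mailbox is the one to check, since that is what relaying looks like in this view.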
