Hello, last week I found this in my log:
- Sep 25 21:36:03 servidor postfix/smtpd[3564]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin Parse the username monkey@wp.tv
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin try and connect to a host
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: begin transaction
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin create statement from userPassword monkey wp.tv
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'monkey@wp.tv';
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin: no result found
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: commit transaction
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin Parse the username monkey@wp.tv
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin try and connect to a host
- Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin Parse the username monkey@wp.tv
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin try and connect to a host
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: begin transaction
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin create statement from userPassword monkey wp.tv
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'monkey@wp.tv';
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin: no result found
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: commit transaction
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin Parse the username monkey@wp.tv
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin try and connect to a host
- Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
This is a brute force attempt, but I don't know how it's possible, because I don't have any CMS or web application installed on the panel.
It is only a base Debian install, updated, with only the panel installed.
Now the brute force attack has stopped, but only for part of the day; for example, today.
You can see here:
- Oct 3 20:00:08 servidor CRON[24494]: pam_unix(cron:session): session closed for user root
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin try and connect to a host
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
- Oct 3 20:04:08 servidor postfix/smtpd[24534]: begin transaction
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: begin transaction
- Oct 3 20:04:08 servidor postfix/smtpd[24534]: sql plugin create statement from userPassword amanda servidor.midominio.es
- Oct 3 20:04:08 servidor postfix/smtpd[24534]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'amanda@servidor.midominio.es';
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin create statement from userPassword amanda servidor.midominio.es
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'amanda@servidor.midominio.es';
- Oct 3 20:04:08 servidor postfix/smtpd[24534]: sql plugin: no result found
- Oct 3 20:04:08 servidor postfix/smtpd[24534]: commit transaction
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin Parse the username amanda
- Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin try and connect to a host
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql auxprop plugin using mysql engine
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin Parse the username andrew
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin try and connect to a host
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: begin transaction
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin create statement from userPassword andrew servidor.midominio.es
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'andrew@servidor.midominio.es';
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin: no result found
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: commit transaction
- Oct 3 20:52:28 servidor postfix/smtpd[25273]: sql plugin Parse the username andrew
- Oct 3 21:00:38 servidor postfix/smtpd[25347]: sql auxprop plugin using mysql engine
- Oct 3 21:04:11 servidor sshd[25362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.113.10.13 user=root
- Oct 3 21:04:13 servidor sshd[25362]: Failed password for root from 220.113.10.13 port 41857 ssh2
- Oct 3 21:04:13 servidor sshd[25362]: Received disconnect from 220.113.10.13: 11: Bye Bye [preauth]
- Oct 3 21:05:41 servidor postfix/smtpd[25371]: sql auxprop plugin using mysql engine
I used tcpdump to capture data on local port 3306, but didn't find anything, and the same on port 80.
I don't know how the SQL plugin receives this information. A vulnerability in the email system??? But I don't see anything abnormal on the web port, or this data being parsed.
I know that it uses my server hostname "servidor" and makes the query with this data, but it can't obtain the correct one
:-).
Any suggestions???
Thank you in advance.
Sorry for my English.
My system:
VPS, Debian 7 wheezy, updated today.
Linux servidor 2.6.32-042stab092.3 #1 SMP Sun Jul 20 13:27:24 MSK 2014 x86_64 GNU/Linux
i-MSCP Git 1.1.x
Build: 20140915
Codename: Eagle
SQL_SERVER = mysql_5.5
PO_SERVER = courier
NAMED_SERVER = bind
HTTPD_SERVER = apache_php_fpm
FTPD_SERVER = proftpd
MTA_SERVER = postfix
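As an added example (not part of the original post and not i-MSCP or Cyrus SASL code), here is a small Python parser run over log lines constructed to match the ones quoted above. It pairs each "sql plugin doing query" line with the "no result found" or "commit transaction" line logged by the same smtpd process, then counts lookups for addresses that do not exist, per address and per domain. The pairing is done by pid because several smtpd processes log interleaved (the two pids at 20:04:08 above). The rule that a commit with no "no result found" before it means the row was returned is an assumption, as is the extra `real@servidor.midominio.es` line in the sample.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the post (not a real log).
# The last lookup (real@...) is made up to exercise the "row found" branch.
SAMPLE_LOG = """\
Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'monkey@wp.tv';
Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin: no result found
Sep 25 21:36:53 servidor postfix/smtpd[3571]: commit transaction
Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'monkey@wp.tv';
Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin: no result found
Sep 25 21:37:48 servidor postfix/smtpd[3564]: commit transaction
Oct 3 20:04:08 servidor postfix/smtpd[24534]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'amanda@servidor.midominio.es';
Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'andrew@servidor.midominio.es';
Oct 3 20:04:08 servidor postfix/smtpd[24534]: sql plugin: no result found
Oct 3 20:04:08 servidor postfix/smtpd[24534]: commit transaction
Oct 3 20:04:08 servidor postfix/smtpd[24535]: sql plugin: no result found
Oct 3 20:04:08 servidor postfix/smtpd[24535]: commit transaction
Oct 3 20:53:00 servidor postfix/smtpd[25273]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = 'real@servidor.midominio.es';
Oct 3 20:53:00 servidor postfix/smtpd[25273]: commit transaction
"""

# Syslog prefix as Postfix writes it; the pid is what ties a process's lines together.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The looked-up address inside the SELECT the auxprop plugin logs.
ADDR_RE = re.compile(r"mail_addr = '(?P<addr>[^']*)'")


def parse_lookups(text):
    """Return one dict per auxprop lookup: {'ts', 'pid', 'addr', 'found'}.

    A lookup is opened by the 'doing query' line and closed by the first
    'no result found' (address unknown) or 'commit transaction' (assumed:
    row returned) logged by the same pid.
    """
    pending = {}   # pid -> lookup still waiting for its outcome
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        ts = f"{m['mon']} {m['day']} {m['time']}"
        a = ADDR_RE.search(msg)
        if a:
            pending[pid] = {"ts": ts, "pid": pid, "addr": a["addr"], "found": None}
        elif msg.startswith("sql plugin: no result found") and pid in pending:
            ev = pending.pop(pid)
            ev["found"] = False
            events.append(ev)
        elif msg == "commit transaction" and pid in pending:
            # Assumption: commit with no 'no result found' before it = row returned.
            ev = pending.pop(pid)
            ev["found"] = True
            events.append(ev)
    return events


def summarize(events):
    """Count lookups for non-existent addresses, per address and per domain."""
    misses = [e for e in events if e["found"] is False]
    per_addr = Counter(e["addr"] for e in misses)
    per_domain = Counter(e["addr"].rpartition("@")[2] for e in misses)
    return {
        "lookups": len(events),
        "unknown_user_lookups": len(misses),
        "distinct_unknown_users": len(per_addr),
        "per_addr": dict(per_addr),
        "per_domain": dict(per_domain),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_lookups(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The auxprop lines themselves carry no client address. The `connect from host[ip]` line that the same smtpd pid logged earlier in the session does, so the pid recorded in each event is the key for joining the two if you want to see where the guesses come from or feed them to a blocker.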