Bruteforce attack on my system.

  • Hello, last week I found this in my log:


    Code
    Sep 25 21:36:03 servidor postfix/smtpd[3564]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin Parse the username [email protected]
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin try and connect to a host
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: begin transaction
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin create statement from userPassword monkey wp.tv
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = '[email protected]';
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin: no result found
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: commit transaction
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin Parse the username [email protected]
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin try and connect to a host
    Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin Parse the username [email protected]
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin try and connect to a host
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: begin transaction
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin create statement from userPassword monkey wp.tv
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = '[email protected]';
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin: no result found
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: commit transaction
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin Parse the username [email protected]
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin try and connect to a host
    Sep 25 21:37:48 servidor postfix/smtpd[3564]: sql plugin trying to open db 'myimscpdb' on host '127.0.0.1:3306'



    This is a brute force attempt, but I don't know how it's possible, because I don't have any CMS or Web installed on the panel.


    It is only a Debian base install, updated, and only the panel is installed.


    Now the bruteforce attack has stopped, but only at some times of the day, for example today:
    You can see here:



    I used tcpdump to capture data on local port 3306, but didn't find anything; also on 80, but the same.


    I don't know how the sql plugin receives this information, a vuln in the email system??? But I don't see anything abnormal on the web port, or this data being parsed.


    I know that it uses my server hostname "servidor" and with this data makes the query, but can't obtain the correct one
    :-).


    Any suggestion???


    Thank you in advance.
    Sorry for my English :/


    My system:
    VPS Debian 7 wheezy, updated today.
    Linux servidor 2.6.32-042stab092.3 #1 SMP Sun Jul 20 13:27:24 MSK 2014 x86_64 GNU/Linux
    i-MSCP Git 1.1.x
    Build: 20140915
    Codename: Eagle
    SQL_SERVER = mysql_5.5
    PO_SERVER = courier
    NAMED_SERVER = bind
    HTTPD_SERVER = apache_php_fpm
    FTPD_SERVER = proftpd
    MTA_SERVER = postfix

  • Hello;


    The sql plugin as you say is used by the SASL layer for SMTP authentication. You can install and configure fail2ban if really needed.


  • Hello again, thanks for recommendations :-).


    But I think you don't understand my problem, I think it's my English, sorry.


    When I try to enter a bad user and password to simulate a bruteforce on my web panel, I don't see the sql query.


    I think this SQL query is for obtaining the user and password of a user. Please confirm this, I am not an sql expert. :(


    How can I reproduce this sql query??? I can't on /webmail. Do I need to use an external mail client???


    Thanks for the responses, regards.

  • Quote

    postfix/smtpd


    For the smtp connection you need a user and pwd. Postfix uses the imscp db to get the users/mail addresses & passwords. So the bruteforce attack should be on your mailserver (if it is one).
    Just use fail2ban, it should mostly fix such problems.


    Code
    aptitude install fail2ban
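
    As an added example (not code from this thread, fail2ban or i-MSCP), here is the rule a fail2ban SASL jail applies to Postfix, written out in Python: it matches the `warning: ... SASL LOGIN authentication failed` smtpd lines that carry the client IP and flags any client reaching `maxretry` failures inside a `findtime` window. The log lines, IPs and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix logs each failed SMTP AUTH attempt with the client's IP; that warning
# line is what a fail2ban SASL filter keys on. The "sql plugin" debug lines from
# the thread carry no client address, so nothing can be banned from them.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed"
)

def parse_failures(lines, year=2014):
    """Yield (timestamp, client_ip) for every failed SASL auth line; skip the rest."""
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(lines, maxretry=5, findtime=600):
    """Return {ip: total_failures} for clients that reach maxretry failures
    inside any findtime-second window, the rule a fail2ban jail applies."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    banned = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it spans at most findtime
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = len(stamps)
                break
    return banned

def _fail(hms, ip, pid=3571):
    return (f"Sep 25 {hms} servidor postfix/smtpd[{pid}]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")

# Constructed sample log (not from the thread): one fast attacker, one legitimate
# typo, one slow attacker spaced beyond findtime, plus an ignored sql-plugin line.
SAMPLE_LOG = [
    "Sep 25 21:36:53 servidor postfix/smtpd[3571]: sql plugin: no result found",
    *[_fail(t, "198.51.100.7") for t in ("21:36:53", "21:37:48", "21:38:10", "21:39:02", "21:40:15")],
    *[_fail(t, "203.0.113.9") for t in ("21:36:00", "21:50:00")],
    *[_fail(t, "192.0.2.44") for t in ("21:00:00", "21:11:00", "21:22:00", "21:33:00", "21:44:00")],
]
```

    The slow client at 192.0.2.44 shows why `findtime` matters: five failures spread eleven minutes apart never fit one 600-second window, so a jail with these defaults would not ban it.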
  • Yes, thanks for the info, so this is normal in the logs.


    I'm going to fix it, add postfix to my fail2ban cfg.


    Thanks for confirmation.


    All solved. Thanks.


    Regards.