Kloxo-MR Technical Helps / OSSEC VPOPMAIL Bruteforce
« on: 2015-11-30, 13:20:25 »
I got this from OSSEC:
OSSEC HIDS Notification.
2015 Nov 30 12:07:30
Received From: server2->/var/log/maillog
Rule: 9953 fired (level 10) -> "VPOPMAIL brute force (empty password)."
Portion of the log(s):
Nov 30 12:07:30 server2 vpopmail[15115]: vchkpw-smtp: null password given tester:118.102.202.131
Nov 30 12:07:20 server2 vpopmail[15100]: vchkpw-smtp: null password given testing:118.102.202.131
Nov 30 12:07:11 server2 vpopmail[15087]: vchkpw-smtp: null password given postmaster:118.102.202.131
Nov 30 12:07:01 server2 vpopmail[15015]: vchkpw-smtp: null password given administrator:118.102.202.131
Nov 30 12:06:51 server2 vpopmail[15003]: vchkpw-smtp: null password given info:118.102.202.131
Nov 30 12:06:42 server2 vpopmail[14988]: vchkpw-smtp: null password given mysql:118.102.202.131
Nov 30 12:06:33 server2 vpopmail[14980]: vchkpw-smtp: null password given postgres:118.102.202.131
Nov 30 12:06:22 server2 vpopmail[14971]: vchkpw-smtp: null password given oracle:118.102.202.131
Nov 30 12:06:13 server2 vpopmail[14948]: vchkpw-smtp: null password given postfix:118.102.202.131
Nov 30 12:06:03 server2 vpopmail[14935]: vchkpw-smtp: null password given root:118.102.202.131
--END OF NOTIFICATION
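A defender-side reconstruction of what rule 9953 is correlating, added here as an example that is not from the original post or from OSSEC itself: it parses the vchkpw "null password given" lines above and flags a source IP once it has made enough empty-password attempts inside a short window. The threshold and window are assumed values for illustration, not read from the OSSEC vpopmail ruleset.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the ten vpopmail lines from the OSSEC notification above.
SAMPLE_LOG = """\
Nov 30 12:07:30 server2 vpopmail[15115]: vchkpw-smtp: null password given tester:118.102.202.131
Nov 30 12:07:20 server2 vpopmail[15100]: vchkpw-smtp: null password given testing:118.102.202.131
Nov 30 12:07:11 server2 vpopmail[15087]: vchkpw-smtp: null password given postmaster:118.102.202.131
Nov 30 12:07:01 server2 vpopmail[15015]: vchkpw-smtp: null password given administrator:118.102.202.131
Nov 30 12:06:51 server2 vpopmail[15003]: vchkpw-smtp: null password given info:118.102.202.131
Nov 30 12:06:42 server2 vpopmail[14988]: vchkpw-smtp: null password given mysql:118.102.202.131
Nov 30 12:06:33 server2 vpopmail[14980]: vchkpw-smtp: null password given postgres:118.102.202.131
Nov 30 12:06:22 server2 vpopmail[14971]: vchkpw-smtp: null password given oracle:118.102.202.131
Nov 30 12:06:13 server2 vpopmail[14948]: vchkpw-smtp: null password given postfix:118.102.202.131
Nov 30 12:06:03 server2 vpopmail[14935]: vchkpw-smtp: null password given root:118.102.202.131
"""

LINE_RE = re.compile(  # syslog timestamp, vchkpw service, username, source IP
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: "
    r"vchkpw-(?P<svc>\w+): null password given (?P<user>[^:]+):(?P<ip>[\d.]+)$"
)

def parse_null_password_events(text, year=2015):
    """Return (timestamp, ip, user, service) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["svc"]))
    return events

def find_bruteforce_sources(events, threshold=8, window_seconds=120):
    """Flag an IP with >= threshold empty-password attempts in a sliding window
    (assumed values, not OSSEC's). Returns {ip: sorted usernames tried}."""
    by_ip = defaultdict(list)
    for ts, ip, user, _svc in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # oldest first so the window can slide forward
        start = 0
        for end, (ts, _user) in enumerate(attempts):
            while (ts - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged
```

The username list it returns (root, postmaster, service accounts) is the useful part for triage: it shows whether the source is probing default account names rather than real mailboxes.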