Brute Force Attack coming from IP: 127.0.0.1

Rookie (Verified User; joined Aug 11, 2004; 72 messages; Gold Coast, Australia)
Hi guys,
I have an automated email coming from DirectAdmin saying this:

+++++++
A new message or response with subject:

Brute-Force Attack detected in service log from IP(s) 127.0.0.1

has arrived for you to view.
Follow this link to view it:

+++++++

I usually go to my Firewall and just blacklist the IP that is causing the problem, but I can't ban the 127.0.0.1 because it's usually used by servers.

Is this something I should try and fix? Should I be concerned about this (if it is in fact a Brute-Force Attack)? Or can I just leave it?

Sorry if this is a silly question, it's just that I'm not sure what to do. I'm not very good at all this IT stuff, sorry...

Any info or tip would be good, thanks...

Kind regards
Rookie
 
127.0.0.1 is the specific server that's notifying you (each server calls itself 127.0.0.1).

Did you check to see what might be causing it?

Jeff
 
What service is attacked? If dovecot then it might be a brute forcing via a webmail.
 
Brute Force Attack from IP: 127.0.0.1

127.0.0.1 is the specific server that's notifying you (each server calls itself 127.0.0.1).

Did you check to see what might be causing it?

Jeff

Hi Jeff,
Sorry for the late reply, I've been in hospital :( but on the mend now.

It's strange because I am getting about 50 emails a day from DA saying that there is a brute force attack being done on the IP Address: 127.0.0.1

To tell you the truth, I'm no expert when it comes to this so I don't actually know where to look (or what I should be looking for).

I do have an IT guy that can help me out but he is still away on holiday at the moment so I posted the problem on here to see if anyone else had experienced the same problem and had a simple answer...

Regards
Rookie
 
Brute Force Attack on IP: 127.0.0.1

What service is attacked? If dovecot then it might be a brute forcing via a webmail.

Hi Alex,
Thank for your reply...

I am all new to this so I am actually not sure how to find out what is being attacked (or from where). This is the email I receive from Direct Admin:

+++++++++++++++++++
+++++++++++++++++++
-----Original Message-----
From: admin [mailto:[email protected]]
Sent: Tuesday, 27 September 2011 4:40 PM
To: admin
Subject: New Message: Brute-Force Attack detected in service log from IP(s) 127.0.0.1 on User(s) daiquirig1


A new message or response with subject:

Brute-Force Attack detected in service log from IP(s) 127.0.0.1 on User(s) daiquirig1

has arrived for you to view.
Follow this link to view it:

http://xxxxxxxxxxxxxxx.com:2222/CMD_TICKET?action=view&number=xxxxxxxx&type=ticket


======================================================
Automatically generated email produced by DirectAdmin 1.39.3

Do Not Reply.
+++++++++++++++++++
+++++++++++++++++++


Sometimes it says: Brute-Force Attack detected in service log from IP(s) 127.0.0.1

Sometimes it says: Brute-Force Attack detected in service log from IP(s) 127.0.0.1 on User(s) daiquirig1

Other times it says: Brute-Force Attack detected in service log from IP(s) 127.0.0.1 on User(s) <some-other-user>

By the way, I get attacks from different IPs and I simply add them to my firewall and they stop, but I have never had an attack on 127.0.0.1 (it's strange).

I hope this helps...

Regards
Rookie
 
Hello,

Log into DirectAdmin as the Admin user -> Brute Force Monitor

Click on 127.0.0.1 in the "Failed Logins - Click IP address to filter results" section.

Then read the "Filter" column; it can contain: dovecot, proftpd, exim. Post some lines from there here.
 
Hello,

Log into DirectAdmin as the Admin user -> Brute Force Monitor

Click on 127.0.0.1 in the "Failed Logins - Click IP address to filter results" section.

Then read the "Filter" column; it can contain: dovecot, proftpd, exim. Post some lines from there here.

Thanks for such a quick response Alex,
Here is the readout:

+++++++++++++++++
+++++++++++++++++
Sep 20 00:54:21 server proftpd[1095]: xxx.xxx.xxx.xxx (::ffff:127.0.0.1[::ffff:127.0.0.1]) - USER daiquirig1 (Login failed): Incorrect password.
+++++++++++++++++
+++++++++++++++++

Regards
Rookie
 
OK, I guess one of your customers is trying to find a password to your account daiquirig1. By the way, does the username change or does it stay the same in all lines?
 
OK, I guess one of your customers is trying to find a password to your account daiquirig1. By the way, does the username change or does it stay the same in all lines?

Yes, the username stays the same in all lines.

You have given me an idea!
I do know that this particular user was running a database that their IT person could log in to via "remote access", so maybe this could be the problem. The old IT person may still be trying to access their DB remotely (it may be an automated feature from their old IT person). I will go through my emails to him and find his IP address and remove that IP from my firewall to see if that helps.

Thanks for your help here. I really appreciate it...

Regards
Rookie
 
I'm getting blasted by attacks on 127.0.0.1 right now. Thousands. I've had to limit connections to 20 to combat it. I'm also seeing things like:

Code:
13281438000031 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000030 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000029 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000028 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000027 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:09 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000026 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:09 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd
 
I'm getting blasted by attacks on 127.0.0.1 right now. Thousands. I've had to limit connections to 20 to combat it. I'm also seeing things like:

Code:
13281438000031 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000030 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000029 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000028 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:10 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000027 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:09 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd) 
13281438000026 127.0.0.1 ggbgfdghfd 1 exim1 2012-02-01 16:49:09 login authenticator failed for localhost (8DL17N1LUIP1D93) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd
I'm not sure what log that is, but it appears that there's a script on your server that's trying to log in, and failing. If I'm right, then your job is to find the script.

Jeff
 
I've the same problem and get a lot of brute force on 127.0.0.1 for proftpd and user xxxxx:

13573938010021 127.0.0.1 xxxxx 1 proftpd2 Jan 5 13:50:01 s4 proftpd[443665]: xx.xx.xx.xx (127.0.0.1[127.0.0.1]) - USER xxxxx (Login failed): Incorrect password.

How could I find which user is doing this brute force on the server?
Is this from the user xxxxx, or maybe another user?
Is there any log to find this out?

Any help would be appreciated.
 
It appears to be from user xxxxx on your server, but it could be from another server somehow attempting ftp pretending to be user xxxxx.

FTP login attempts should be logged in /var/log/secure, and to find them you can run
Code:
 grep proftpd /var/log/secure | grep -i Login
as root.

Jeff
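As an added example (not code from this thread, from DirectAdmin, or from any of the posters), here is a Python script that does what Jeff's grep does and then goes one step further: it parses proftpd "Login failed" lines in the /var/log/secure format and exim "login authenticator failed" lines in the formats quoted earlier in the thread, counts failures per service, user and client address, and separates loopback sources (a script or cron job on the server itself, as Jeff suggests) from remote addresses that a firewall rule can actually handle. The sample log lines are constructed for the example: 203.0.113.10 and 198.51.100.7 are documentation addresses, and the user names and exim message id are invented.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines (not real logs) modelled on the two formats quoted
# in this thread: proftpd "Login failed" lines as written to /var/log/secure and
# exim "login authenticator failed" lines. 203.0.113.10 / 198.51.100.7 are
# documentation addresses; users and the exim message id are invented.
SAMPLE_LOG = """\
Sep 20 00:54:21 server proftpd[1095]: 203.0.113.10 (::ffff:127.0.0.1[::ffff:127.0.0.1]) - USER daiquirig1 (Login failed): Incorrect password.
Sep 20 00:54:25 server proftpd[1096]: 203.0.113.10 (::ffff:127.0.0.1[::ffff:127.0.0.1]) - USER daiquirig1 (Login failed): Incorrect password.
Sep 20 00:55:02 server proftpd[1101]: 203.0.113.10 (host.example.net[198.51.100.7]) - USER daiquirig1 (Login failed): Incorrect password.
2012-02-01 16:49:10 login authenticator failed for localhost (1aBcDeFgHiJkL) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd)
2012-02-01 16:49:11 login authenticator failed for localhost (1aBcDeFgHiJkL) [127.0.0.1]: 535 Incorrect authentication data (set_id=ggbgfdghfd)
2012-02-01 16:50:00 login authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
Sep 20 00:56:00 server proftpd[1102]: 203.0.113.10 (host.example.net[198.51.100.7]) - USER daiquirig1: Login successful.
"""

# proftpd: "<server addr> (<client host>[<client ip>]) - USER <name> (Login failed)"
# The address inside the square brackets is the client; the first address is the
# server's own interface, so it must not be mistaken for the source of the attempts.
PROFTPD_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+) \(Login failed\)"
)

# exim: "login authenticator failed for <host> (<id>) [<ip>]: 535 ... (set_id=<name>)"
EXIM_RE = re.compile(
    r"login authenticator failed for .*?\[(?P<ip>[^\]]+)\]: 535 .*\(set_id=(?P<user>[^)]+)\)"
)


def normalize_ip(raw: str) -> str:
    """Turn IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 into 127.0.0.1."""
    addr = ip_address(raw.strip())
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this
    return str(mapped if mapped is not None else addr)


def parse_line(line: str):
    """Return (service, user, client_ip) for a failed login line, else None."""
    m = PROFTPD_RE.search(line)
    if m:
        return ("proftpd", m.group("user"), normalize_ip(m.group("ip")))
    m = EXIM_RE.search(line)
    if m:
        return ("exim", m.group("user"), normalize_ip(m.group("ip")))
    return None


def summarize(log_text: str) -> Counter:
    """Count failed logins per (service, user, client_ip); successes are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            counts[event] += 1
    return counts


def split_by_origin(counts: Counter):
    """Separate loopback sources (a process on this host) from remote ones."""
    local, remote = Counter(), Counter()
    for key, n in counts.items():
        target = local if ip_address(key[2]).is_loopback else remote
        target[key] += n
    return local, remote


if __name__ == "__main__":
    local, remote = split_by_origin(summarize(SAMPLE_LOG))
    print("Failures from 127.0.0.1 (look for a local script or cron job):")
    for (svc, user, ip), n in local.most_common():
        print(f"  {svc:8} user={user:12} ip={ip:15} failures={n}")
    print("Failures from remote addresses (candidates for the firewall blacklist):")
    for (svc, user, ip), n in remote.most_common():
        print(f"  {svc:8} user={user:12} ip={ip:15} failures={n}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/secure (read as root, as Jeff notes) and the exim main log. The useful output is the split: a user whose failures all come from 127.0.0.1 points at something running on the box (a stale cron job, a webmail or FTP client configured with an old password, a script the customer left behind), which no firewall rule can stop; only the remote counter contains addresses worth blacklisting.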
 