ErBergez
Verified User
Hi Forum -
I just completed a new build of DirectAdmin and installed ConfigServer Firewall & Security for the first time, but I'm experiencing a new problem I have not had in the past, and I don't know if it's related to ConfigServer or something I missed in the setup of DirectAdmin.
I have 15 pages of emails in the Mail Queue Administrator, all with the Sender: root@hostname and the Recipient: root@hostname.
These emails appear to be system-related emails pertaining to the logs, and in particular to my client's iPhone accessing the email server. (I confirmed that the IPs are her iPhone.)
Here is a sample of the email headers: (They are all about the same)
1ONVIN-0007XE-GJ-H
root 0 0
<[email protected]>
1276366743 0
-ident root
-received_protocol local
-body_linecount 46
-allow_unqualified_recipient
-allow_unqualified_sender
XX
1
[email protected]
185P Received: from root by cp.bcnonline.com with local (Exim 4.67)
(envelope-from <[email protected]>)
id 1ONVIN-0007XE-GJ
for [email protected]; Sat, 12 Jun 2010 11:19:03 -0700
011* From: root
009* To: root
026T To: [email protected]
079 Subject: lfd on cp.bcnonline.com: Suspicious process running under user tijinc
031F From: <[email protected]>
049I Message-Id: <[email protected]>
038 Date: Sat, 12 Jun 2010 11:19:03 -0700
Here's what the Email Body Chunk says:
1ONVIN-0007XE-GJ-D
Time: Sat Jun 12 11:19:03 2010 -0700
PID: 28821
Account: tijinc
Uptime: 118 seconds
Executable:
/usr/libexec/dovecot/pop3
Command Line (often faked in exploits):
pop3 [[email protected] 166.205.137.148]
Network connections by the process (if any):
tcp: 64.27.0.152:110 -> 166.205.137.148:44176
tcp: 64.27.0.152:110 -> 166.205.137.148:44176
Files open by the process (if any):
eventpoll:[264977]
/home/tijinc/imap/theindustryjournal.com/naida.albright/Maildir/dovecot.index.log
/home/tijinc/imap/theindustryjournal.com/naida.albright/Maildir/dovecot-uidlist
Memory maps by the process (if any):
Here is what the Log says:
2010-06-12 11:19:03 Received from [email protected] U=root P=local S=2990 T="lfd on cp.bcnonline.com: Suspicious process running under user tijinc"
2010-06-12 11:19:03 [email protected] R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
Questions:
- Are these messages important or can they be dropped?
- How do I forward server messages such as these to a real email address?
- Can this be controlled inside DirectAdmin or is this a config file setting?
Thank you for your assistance,
Eric Bergez
BCN, Inc.
http://www.bcnonline.com
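A small triage helper for alerts like the one quoted above, added here as an example and not part of the original post or of csf/lfd itself: it parses the lfd process-tracking report and keys the decision on the Executable path rather than the Command Line (which the alert itself notes is often faked). The known-good executable list and the `exe:/path` entry form of csf.pignore are assumptions to verify against the comments in your own csf.pignore.

```python
import re

# Constructed from the lfd alert quoted in the post (addresses obfuscated as on the page,
# memory-map and open-file sections omitted).
SAMPLE_ALERT = """Time: Sat Jun 12 11:19:03 2010 -0700
PID: 28821
Account: tijinc
Uptime: 118 seconds
Executable:
/usr/libexec/dovecot/pop3
Command Line (often faked in exploits):
pop3 [[email protected] 166.205.137.148]
Network connections by the process (if any):
tcp: 64.27.0.152:110 -> 166.205.137.148:44176
tcp: 64.27.0.152:110 -> 166.205.137.148:44176
"""

# Executables the admin has reviewed and accepts as legitimate on this host (constructed list;
# in practice, only add paths after confirming the binary is the distro/package one).
KNOWN_GOOD_EXES = {"/usr/libexec/dovecot/pop3", "/usr/libexec/dovecot/imap"}


def parse_lfd_alert(text):
    """Parse an lfd 'Suspicious process' alert body into a dict of the fields that matter."""
    lines = [line.rstrip() for line in text.splitlines()]
    info = {"pid": None, "account": None, "exe": None, "cmd": None, "remote_ips": set()}
    for i, line in enumerate(lines):
        if line.startswith("PID:"):
            info["pid"] = int(line.split(":", 1)[1])
        elif line.startswith("Account:"):
            info["account"] = line.split(":", 1)[1].strip()
        elif line.startswith("Executable:") and i + 1 < len(lines):
            info["exe"] = lines[i + 1].strip()          # path follows on the next line
        elif line.startswith("Command Line") and i + 1 < len(lines):
            info["cmd"] = lines[i + 1].strip()          # attacker-controllable, informational only
        elif line.startswith(("tcp:", "udp:")):
            m = re.search(r"-> (\d+\.\d+\.\d+\.\d+):\d+", line)
            if m:
                info["remote_ips"].add(m.group(1))      # peer address, for correlating with the client
    return info


def triage(info, known_good=KNOWN_GOOD_EXES):
    """Return (verdict, suggested csf.pignore line or None).

    'expected' means the executable is on the reviewed list, so the alert is noise that an
    exe: entry would silence; anything else stays 'review' regardless of the command line.
    """
    if info["exe"] in known_good:
        return "expected", "exe:" + info["exe"]
    return "review", None
```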