Mail attack?


rbest

New Member
Hello, I wanted to ask the experts for some advice. My server recently went to its knees, and I searched the logs for anything unusual. In maillog I found pages of entries, all with the same IP [172.82.179.71].
Can someone tell me what exactly happened there and whether there is anything I can do about it? Thanks in advance.

Excerpt from the beginning and the end of maillog:
Code:
Jan 26 00:17:27 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:28 h2660562 plesk_saslauthd[24040]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Jan 26 00:17:28 h2660562 plesk_saslauthd[24040]: privileges set to (108:114) (effective 108:114)
Jan 26 00:17:28 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=5)
Jan 26 00:17:28 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:28 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:28 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:28 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:29 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=5)
Jan 26 00:17:29 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:29 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:29 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:29 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:30 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=5)
Jan 26 00:17:30 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:30 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:30 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:30 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:31 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=8)
Jan 26 00:17:31 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:31 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:31 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:31 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:32 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=8)
Jan 26 00:17:32 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:32 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:32 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:32 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:33 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=8)
Jan 26 00:17:33 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:33 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:33 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:33 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:34 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=8)
Jan 26 00:17:34 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:34 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:34 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:34 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:35 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=6)
Jan 26 00:17:35 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:35 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:35 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:35 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]
Jan 26 00:17:36 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=6)
Jan 26 00:17:36 h2660562 postfix/smtpd[24023]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 00:17:36 h2660562 postfix/smtpd[24023]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 00:17:36 h2660562 postfix/smtpd[24023]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 00:17:36 h2660562 postfix/smtpd[24023]: connect from unknown[172.82.179.71]

and it goes on like this up to here:

Jan 26 01:06:28 h2660562 postfix/smtpd[24848]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:28 h2660562 postfix/smtpd[24848]: connect from unknown[172.82.179.71]
Jan 26 01:06:28 h2660562 postfix/smtpd[24858]: warning: hostname systemip7.example.com does not resolve to address 91.200.12.153: Name or service not known
Jan 26 01:06:28 h2660562 postfix/smtpd[24858]: connect from unknown[91.200.12.153]
Jan 26 01:06:28 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'clifton' (password len=9)
Jan 26 01:06:28 h2660562 postfix/smtpd[24858]: warning: unknown[91.200.12.153]: SASL LOGIN authentication failed: authentication failure
Jan 26 01:06:28 h2660562 postfix/smtpd[24858]: lost connection after AUTH from unknown[91.200.12.153]
Jan 26 01:06:28 h2660562 postfix/smtpd[24858]: disconnect from unknown[91.200.12.153] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:28 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=7)
Jan 26 01:06:28 h2660562 postfix/smtpd[24848]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 01:06:29 h2660562 postfix/smtpd[24848]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 01:06:29 h2660562 postfix/smtpd[24848]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:29 h2660562 postfix/smtpd[24858]: connect from unknown[172.82.179.71]
Jan 26 01:06:29 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=7)
Jan 26 01:06:29 h2660562 postfix/smtpd[24858]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 01:06:30 h2660562 postfix/smtpd[24858]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 01:06:30 h2660562 postfix/smtpd[24858]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:30 h2660562 postfix/smtpd[24848]: connect from unknown[172.82.179.71]
Jan 26 01:06:30 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=6)
Jan 26 01:06:30 h2660562 postfix/smtpd[24848]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 01:06:31 h2660562 postfix/smtpd[24848]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 01:06:31 h2660562 postfix/smtpd[24848]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:31 h2660562 postfix/smtpd[24858]: connect from unknown[172.82.179.71]
Jan 26 01:06:32 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=7)
Jan 26 01:06:32 h2660562 postfix/smtpd[24858]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 01:06:32 h2660562 postfix/smtpd[24858]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 01:06:32 h2660562 postfix/smtpd[24858]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:32 h2660562 postfix/smtpd[24848]: connect from unknown[172.82.179.71]
Jan 26 01:06:33 h2660562 plesk_saslauthd[24040]: failed mail authenticatication attempt for user 'info@rbest.de' (password len=7)
Jan 26 01:06:33 h2660562 postfix/smtpd[24848]: warning: unknown[172.82.179.71]: SASL LOGIN authentication failed: authentication failure
Jan 26 01:06:33 h2660562 postfix/smtpd[24848]: lost connection after AUTH from unknown[172.82.179.71]
Jan 26 01:06:33 h2660562 postfix/smtpd[24848]: disconnect from unknown[172.82.179.71] ehlo=1 auth=0/1 commands=1/2
Jan 26 01:06:48 h2660562 postfix/smtpd[24858]: warning: hostname walkerj235.com does not resolve to address 91.200.12.13
 
Presumably someone is trying to send mail through your server but isn't succeeding, because they don't have the login credentials:

LOGIN authentication failed: authentication failure

It says so right there in the logs. That is perfectly normal background noise.

Put fail2ban on it; after xx attempts the IP is blocked automatically.
 
That is perfectly normal background noise and should not noticeably affect your server's performance at all.

What exactly do you mean by your statement "my server recently went to its knees"?
 
Maybe the DNS resolving is what is dragging performance down?

What kind of hosting is being used at Strato?
You can run into performance problems there even without any external (WAN) influence ;-)
 
I'll join in here! A short while ago I had 5000 mails a day and foreign PHP files in Base64 on my server. I have now changed everything and constantly get this in my logs:

Code:
Feb  2 15:05:43 h2723111 dovecot_authdb_plesk[22529]: No such user 'tiffany.d@suhler-huette.de' in mail authorization database
Feb  2 15:05:47 h2723111 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<tiffany.d@suhler-huette.de>, method=PLAIN, rip=218.22.187.66, lip=85.214.220.89, TLS, session=<O6L5NDtk283aFrtC>
Feb  2 15:05:48 h2723111 postfix/smtpd[22502]: warning: hostname walkerj235.com does not resolve to address 91.200.12.13
Feb  2 15:05:48 h2723111 postfix/smtpd[22502]: connect from unknown[91.200.12.13]
Feb  2 15:05:48 h2723111 plesk_saslauthd[22548]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Feb  2 15:05:48 h2723111 plesk_saslauthd[22548]: privileges set to (108:114) (effective 108:114)
Feb  2 15:05:48 h2723111 plesk_saslauthd[22548]: failed mail authenticatication attempt for user 'Concepcion' (password len=9)
Feb  2 15:05:48 h2723111 postfix/smtpd[22502]: warning: unknown[91.200.12.13]: SASL LOGIN authentication failed: authentication failure
Feb  2 15:05:48 h2723111 postfix/smtpd[22502]: lost connection after AUTH from unknown[91.200.12.13]
Feb  2 15:05:48 h2723111 postfix/smtpd[22502]: disconnect from unknown[91.200.12.13] ehlo=1 auth=0/1 commands=1/2
Feb  2 15:05:57 h2723111 dovecot_authdb_plesk[22529]: No such user 'karla.m@suhler-huette.de' in mail authorization database
Feb  2 15:06:00 h2723111 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<karla.m@suhler-huette.de>, method=PLAIN, rip=42.159.132.54, lip=85.214.220.89, TLS, session=<eNfSNTtkoAYqn4Q2>
Feb  2 15:06:05 h2723111 dovecot: pop3-login: Login: user=<catchall@papd.us>, method=PLAIN, rip=::1, lip=::1, mpid=22558, secured, session=<PMmWNjtksOcAAAAAAAAAAAAAAAAAAAAB>
Feb  2 15:06:05 h2723111 dovecot: service=pop3, user=catchall@papd.us, ip=[::1]. Disconnected: Logged out rcvd=18, sent=62, top=0/0, retr=0/0, del=0/0, size=0
Feb  2 15:06:17 h2723111 postfix/smtpd[22502]: warning: hostname systemip7.example.com does not resolve to address 91.200.12.174: Name or service not known
Feb  2 15:06:17 h2723111 postfix/smtpd[22502]: connect from unknown[91.200.12.174]
Feb  2 15:06:17 h2723111 plesk_saslauthd[22548]: failed mail authenticatication attempt for user 'demo1' (password len=6)
Feb  2 15:06:17 h2723111 postfix/smtpd[22502]: warning: unknown[91.200.12.174]: SASL LOGIN authentication failed: authentication failure
Feb  2 15:06:17 h2723111 postfix/smtpd[22502]: lost connection after AUTH from unknown[91.200.12.174]
Feb  2 15:06:17 h2723111 postfix/smtpd[22502]: disconnect from unknown[91.200.12.174] ehlo=1 auth=0/1 commands=1/2
Feb  2 15:06:47 h2723111 plesk_saslauthd[22548]: select timeout, exiting
Feb  2 15:08:05 h2723111 dovecot: pop3-login: Login: user=<catchall@papd.us>, method=PLAIN, rip=::1, lip=::1, mpid=22646, secured, session=<AWK/PTtk+sEAAAAAAAAAAAAAAAAAAAAB>
Feb  2 15:08:05 h2723111 dovecot: service=pop3, user=catchall@papd.us, ip=[::1]. Disconnected: Logged out rcvd=18, sent=62, top=0/0, retr=0/0, del=0/0, size=0
Feb  2 15:08:26 h2723111 postfix/smtpd[22657]: connect from viclamta12p.bpe.bigpond.com[203.38.21.76]
Feb  2 15:08:28 h2723111 postfix/smtpd[22657]: NOQUEUE: reject: RCPT from viclamta12p.bpe.bigpond.com[203.38.21.76]: 454 4.7.1 <suzanne.y@mail.piewcom.de>: Relay access denied; from=<> to=<suzanne.y@mail.piewcom.de> proto=ESMTP helo=<viclamta12p.bpe.bigpond.com>
Feb  2 15:08:30 h2723111 /usr/lib/plesk-9.0/psa-pc-remote[22334]: Message aborted.
Feb  2 15:08:30 h2723111 /usr/lib/plesk-9.0/psa-pc-remote[22334]: Message aborted.
Feb  2 15:08:30 h2723111 postfix/smtpd[22657]: disconnect from viclamta12p.bpe.bigpond.com[203.38.21.76] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=2 quit=1 commands=7/8
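The SASL LOGIN failures in the first post and the Dovecot `auth failed` lines in the last post are both single-IP login guessing, and the fail2ban suggestion above amounts to counting failures per client IP inside a time window. The following is an added example, not code from any poster or from fail2ban: it parses both log formats and applies a fail2ban-style maxretry/findtime window. The sample log lines are constructed in the thread's maillog format with documentation-range IPs, and the syslog year is assumed because the timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd SASL failure, as in the thread's maillog.
POSTFIX_SASL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")
# Dovecot imap/pop3-login auth failure; the client address is the rip= field.
DOVECOT_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed.*?\): user=<[^>]*>.*?rip=(?P<ip>[0-9a-fA-F.:]+)")

def parse_ts(ts: str, year: int = 2000) -> datetime:
    # syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def failed_logins(lines):
    """Yield (timestamp, client_ip, service) for every failed mail login."""
    for line in lines:
        for rx, svc in ((POSTFIX_SASL, "smtp"), (DOVECOT_AUTH, "imap/pop3")):
            m = rx.match(line)
            if m:
                yield parse_ts(m["ts"]), m["ip"], svc
                break

def offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style sliding window: an IP is banned once it has maxretry
    failures within findtime. Returns {ip: timestamp_of_ban}."""
    recent, banned = defaultdict(list), {}
    for ts, ip, _ in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

# Constructed sample in the thread's maillog format (documentation-range IPs).
SAMPLE = [
    f"Jan 26 00:17:{28 + i:02d} h1 postfix/smtpd[24023]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure" for i in range(6)
] + [
    "Jan 26 00:17:40 h1 postfix/smtpd[24023]: lost connection after AUTH from unknown[203.0.113.5]",
    "Jan 26 00:18:01 h1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): "
    "user=<demo@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<x>",
]

if __name__ == "__main__":
    for ip, when in offenders(failed_logins(SAMPLE)).items():
        print(f"ban {ip} at {when:%H:%M:%S}")  # ban 203.0.113.5 at 00:17:32
```

The single Dovecot failure from 198.51.100.7 stays below the threshold, which is the distinction between a user's typo and the guessing seen in the thread.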
 