Mar 9 09:00:25 psa imapd: IMAP connect from @ [::ffff:127.0.0.1]INFO: LOGIN, [email protected], ip=[::ffff:127.0.0.1], protocol=IMAP
Mar 9 09:00:25 psa imapd: 1331305225.438406 DISCONNECTED, [email protected], ip=[::ffff:127.0.0.1], headers=0, body=42357, rcvd=343, sent=46960, maildir=/var/qmail/mailnames/xxxxx.net/safeg/Maildir
I was watching someone doing a dictionary attack until they hit on an email and got in. Moments later, I saw that different servers on my network seemed to be being poked for email services, sending, etc.
I changed the password on the hacked account, made sure the user got cut off, then let him back in. Sure enough, he lost access to the account but... then I noticed something strange which is the above.
When I first noticed the attack, it was coming from an external public IP. When they got into the above account, a while later, I noticed something trying to connect to the same account but from 127.0.0.1.
What gives??? Did the spammer somehow install something on my system from his hacked POP account? Sounds unlikely but why are the connections coming from the local machine now?
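Added example, not part of the original post: a small Python detector over Courier-IMAP log lines in the shape quoted above. It flags accounts whose first successful login from an IP came after a run of failures from that same IP (the dictionary attack the poster watched land), and then lists later loopback logins to those accounts so they can be checked against webmail and local processes rather than guessed about. The sample log, hostnames and addresses are constructed; the "LOGIN FAILED" message text is an assumption about Courier's failure line, not something shown in the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Matches Courier imapd/pop3d login lines in the shape quoted in the post.
# The "user=" prefix is optional because the forum's e-mail obfuscation stripped
# it from the quoted lines. "LOGIN FAILED" is an assumed failure message.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>imapd|pop3d)(?:-ssl)?: .*?"
    r"(?P<event>LOGIN FAILED|LOGIN), (?:user=)?(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"
)


def normalise_ip(raw):
    """Turn '::ffff:127.0.0.1' (IPv4 mapped into IPv6) into a plain IPv4Address."""
    addr = ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def parse_log(lines):
    """Return one event dict per login success/failure line; other lines are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # DISCONNECTED and connect-only lines carry no login outcome
        events.append({
            "ts": " ".join(m["ts"].split()),
            "svc": m["svc"],
            "ok": m["event"] == "LOGIN",
            "user": m["user"].strip(),
            "ip": normalise_ip(m["ip"]),
        })
    return events


def find_guessed_accounts(events, threshold=5):
    """Accounts whose first successful login from an IP followed >= threshold
    failures from that same IP: the signature of a dictionary attack that hit."""
    failures = defaultdict(int)  # (ip, user) -> failed attempts seen so far
    guessed = {}
    for ev in events:
        key = (ev["ip"], ev["user"])
        if not ev["ok"]:
            failures[key] += 1
        elif failures[key] >= threshold and ev["user"] not in guessed:
            guessed[ev["user"]] = {"ip": str(ev["ip"]), "failures": failures[key], "ts": ev["ts"]}
    return guessed


def find_loopback_logins(events, watch_users):
    """Successful logins over 127.0.0.1/::1 to accounts on the watch list. These come
    from a process on the mail server itself (webmail, a local script, or something an
    intruder started), so they need a look rather than an automatic block."""
    return [
        (ev["ts"], ev["svc"], ev["user"])
        for ev in events
        if ev["ok"] and ev["ip"].is_loopback and ev["user"] in watch_users
    ]


# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Mar 9 08:55:01 psa imapd: LOGIN FAILED, user=victim@example.net, ip=[::ffff:198.51.100.23]
Mar 9 08:55:02 psa imapd: LOGIN FAILED, user=victim@example.net, ip=[::ffff:198.51.100.23]
Mar 9 08:55:03 psa imapd: LOGIN FAILED, user=victim@example.net, ip=[::ffff:198.51.100.23]
Mar 9 08:55:04 psa imapd: LOGIN FAILED, user=victim@example.net, ip=[::ffff:198.51.100.23]
Mar 9 08:55:05 psa imapd: LOGIN FAILED, user=victim@example.net, ip=[::ffff:198.51.100.23]
Mar 9 08:55:09 psa imapd: LOGIN, user=victim@example.net, ip=[::ffff:198.51.100.23], protocol=IMAP
Mar 9 08:57:40 psa imapd: LOGIN, user=bob@example.net, ip=[::ffff:127.0.0.1], protocol=IMAP
Mar 9 09:00:25 psa imapd: IMAP connect from @ [::ffff:127.0.0.1]INFO: LOGIN, victim@example.net, ip=[::ffff:127.0.0.1], protocol=IMAP
Mar 9 09:00:25 psa imapd: 1331305225.438406 DISCONNECTED, victim@example.net, ip=[::ffff:127.0.0.1], headers=0, body=42357, rcvd=343, sent=46960, maildir=/var/qmail/mailnames/example.net/victim/Maildir
""".splitlines()


def analyse(lines=SAMPLE_LOG, threshold=5):
    """Run both checks and return (guessed_accounts, loopback_logins_to_them)."""
    events = parse_log(lines)
    guessed = find_guessed_accounts(events, threshold)
    loopback = find_loopback_logins(events, set(guessed))
    return guessed, loopback


if __name__ == "__main__":
    guessed, loopback = analyse()
    for user, info in guessed.items():
        print(f"{user}: password guessed from {info['ip']} after {info['failures']} failures at {info['ts']}")
    for ts, svc, user in loopback:
        print(f"{ts} {svc}: loopback login to guessed account {user}; check webmail and local processes")
```

Feed it the server's mail log (on Plesk this is usually /usr/local/psa/var/log/maillog) by passing the file's lines to `analyse()`. A loopback login to the same mailbox is exactly what a webmail session on the same host or a local fetch/cron job produces, since those talk to IMAP over 127.0.0.1, so line the flagged timestamps up against the web server's access log and the process list before concluding that something was planted on the box.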