
Strange IMAPD-SSL and IMAPD logs

unixguy

Guest
The log snippet below shows imap and imap-ssl being accessed via localhost (127.0.0.1). I find at least 4 of these entries each hour in the log files.

The logfiles are concerning because:

1) There is no LOGIN - only LOGOUT
2) There is no discernible username
3) The maildir shows /etc/rc.d/init.d
4) The message count shows 300+ messages sent

My concern is that someone has compromised the system and is somehow using IMAP for SPAM or other activity.

Question: Can someone tell me if this is normal - and if so, which process is making this regular access? And if not, can anyone advise how to increase logging to track down the process, user etc.?


Many thanks,

Troy




Nov 4 10:01:29 server05 imapd-ssl: Connection, ip=[127.0.0.1]
Nov 4 10:01:29 server05 imapd-ssl: 1162634489.34120 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/etc/rc.d/init.d
Nov 4 10:01:29 server05 imapd: Connection, ip=[127.0.0.1]
Nov 4 10:01:29 server05 imapd: 1162634489.41163 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/etc/rc.d/init.d
Nov 4 10:26:31 server05 imapd-ssl: Connection, ip=[127.0.0.1]
Nov 4 10:26:31 server05 imapd-ssl: 1162635991.730917 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/etc/rc.d/init.d
Nov 4 10:26:31 server05 imapd: Connection, ip=[127.0.0.1]
Nov 4 10:26:31 server05 imapd: 1162635991.738276 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/etc/rc.d/init.d
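As an added example (not from the thread, and not Plesk or SWsoft code), a small Python parser for the courier-imap lines quoted above: it pairs each Connection with the LOGOUT from the same service and peer, reads rcvd/sent as the byte counters courier-imap logs them as, and flags sessions that close without a LOGIN, report a maildir outside the mail spool, or come from a non-loopback peer without authenticating. The spool prefix /var/qmail/mailnames and the alice session in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted above; the alice session from 203.0.113.7
# is invented to show what a normal LOGIN/LOGOUT pair looks like next to the odd ones.
SAMPLE_LOG = """\
Nov 4 10:01:29 server05 imapd-ssl: Connection, ip=[127.0.0.1]
Nov 4 10:01:29 server05 imapd-ssl: 1162634489.34120 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/etc/rc.d/init.d
Nov 4 10:01:29 server05 imapd: Connection, ip=[127.0.0.1]
Nov 4 10:01:29 server05 imapd: 1162634489.41163 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/etc/rc.d/init.d
Nov 4 10:05:02 server05 imapd: Connection, ip=[203.0.113.7]
Nov 4 10:05:02 server05 imapd: LOGIN, user=alice, ip=[203.0.113.7]
Nov 4 10:05:40 server05 imapd: 1162634740.22222 LOGOUT, user=alice, ip=[203.0.113.7], rcvd=540, sent=52000, maildir=/var/qmail/mailnames/example.com/alice/Maildir
"""

# syslog prefix, service name, optional courier session id, event, then "k=v, k=v" fields
LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<svc>imapd(?:-ssl)?): "
                  r"(?:\d+\.\d+ )?(?P<ev>\w+)(?:, (?P<kv>.*))?$")

def parse(text):
    """Yield (service, event, fields) for each courier-imap line that matches."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            items = (i.partition("=") for i in (m["kv"] or "").split(", ") if i)
            yield m["svc"], m["ev"], {k: v.strip("[]") for k, _, v in items}  # ip=[x] -> x

def analyze(text, spool_prefixes=("/var/qmail/mailnames",)):
    """Pair each Connection with the LOGIN/LOGOUT lines that follow it for the same
    service+peer and return one finding per closed session (spool prefix is assumed)."""
    open_sessions = defaultdict(list)          # (svc, ip) -> stack of open sessions
    findings = []
    for svc, ev, f in parse(text):
        key = (svc, f.get("ip"))
        if ev == "Connection":
            open_sessions[key].append({"svc": svc, "ip": f.get("ip"), "user": None})
        elif not open_sessions[key]:
            continue                            # event with no matching Connection
        elif ev == "LOGIN":
            open_sessions[key][-1]["user"] = f.get("user")
        elif ev == "LOGOUT":
            sess = open_sessions[key].pop()
            flags = []
            if sess["user"] is None:            # nobody authenticated in this session
                flags.append("logout-without-login")
                if sess["ip"] != "127.0.0.1":
                    flags.append("remote-unauthenticated")
            if f.get("maildir") and not f["maildir"].startswith(spool_prefixes):
                flags.append("maildir-outside-spool")   # e.g. the cwd of a local script
            sess.update(rcvd=int(f.get("rcvd", 0)), sent=int(f.get("sent", 0)),
                        maildir=f.get("maildir"), flags=flags)
            findings.append(sess)
    return findings
```

On the sample, both loopback sessions come back with logout-without-login and maildir-outside-spool and only 12 bytes received, which is the profile of something local opening the port and closing it straight away rather than of mail being read or sent; what that local something is remains the question the thread leaves open.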
 
During the process of hardening my system (moving SSH to another port and generally tightening things up) these errors went away.

It was never clear if this was a spurious process or a hack attempt.

SWSoft indicated that this was normal but I never got a formal answer as to the origin of these messages.
 
What other hardening measures did you take? I'm getting the same errors in 10.x. I'm getting hit from many different IPs with this error.
 