From OSSEC Wiki
Log Samples from vpopmail
- Failed logins:
Sep 14 07:21:42 iron vpopmail[939]: vchkpw-pop3: password fail user1@xxxx.com:192.168.2.1
Sep 14 07:21:42 iron vpopmail[937]: vchkpw-pop3: password fail user2@xxxx.com:192.168.2.1
Sep 14 07:21:42 iron vpopmail[935]: vchkpw-pop3: password fail user3@xxxx.com:192.168.2.1
Jun 9 08:56:30 www vpopmail[65827]: vchkpw-smtp: password fail (pass: '<65825.1118321790@mail.xxx.com>') myuserid@xxx.com:208.210.222.68
- Invalid user:
vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
vpopmail[65851]: vchkpw-pop3: vpopmail user not found myuserid@:208.210.222.68
Full samples
Sample 1:
Jun 9 08:56:03 www vpopmail[65826]: vchkpw-pop3: vpopmail user not found postmaster@:208.210.222.68
Jun 9 08:56:30 www vpopmail[65827]: vchkpw-smtp: password fail (pass: '<65825.1118321790@mail.xxx.com>') myuserid@xxx.com:208.210.222.68
Jun 9 09:04:16 www vpopmail[65851]: vchkpw-pop3: vpopmail user not found myuserid@:208.210.222.68
Jun 9 09:04:23 www vpopmail[65853]: vchkpw-pop3: vpopmail user not found myuserid@:208.210.222.68
Jun 9 09:05:00 www vpopmail[65855]: vchkpw-smtp: password fail (pass: '<65854.1118322299@mail.xxx.com>') myuserid@xxx.com:208.210.222.68
Jun 9 09:14:41 www vpopmail[65880]: vchkpw-pop3: vpopmail user not found myuserid@:208.210.222.6
Sample 2:
Feb 24 06:48:03 circle vpopmail[12039]: vchkpw-pop3: password fail [EMAIL PROTECTED]:67.109.191.46
Feb 24 06:49:03 circle vpopmail[12043]: vchkpw-pop3: password fail [EMAIL PROTECTED]:67.109.191.46
Feb 24 06:50:03 circle vpopmail[12099]: vchkpw-pop3: password fail [EMAIL PROTECTED]:67.109.191.46
Feb 24 08:13:31 circle vpopmail[13042]: vchkpw-pop3: password fail [EMAIL PROTECTED]:70.104.21.208
Feb 24 08:13:32 circle vpopmail[13046]: vchkpw-pop3: password fail [EMAIL PROTECTED]:70.104.21.208
Sample 3:
May 24 11:45:03 mail01 vpopmail[40833]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 11:50:03 mail01 vpopmail[41401]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 11:55:04 mail01 vpopmail[42117]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 12:00:04 mail01 vpopmail[42735]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 12:50:06 mail01 vpopmail[51623]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 12:55:07 mail01 vpopmail[52208]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 13:00:06 mail01 vpopmail[52799]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 13:20:16 mail01 vpopmail[55953]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
May 24 13:48:23 mail01 vpopmail[13650]: vchkpw-pop3: vpopmail user not found dlb@example.net:67.92.111.22
Sample 4 (brute force):
Aug 12 11:52:52 mail vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
Aug 12 11:52:52 mail vpopmail[4171]: vchkpw-pop3: vpopmail user not found info@:69.3.64.3
Aug 12 11:52:53 mail vpopmail[4187]: vchkpw-pop3: vpopmail user not found help@:69.3.64.3
Aug 12 11:52:53 mail vpopmail[4191]: vchkpw-pop3: vpopmail user not found spam@:69.3.64.3
Aug 12 11:52:54 mail vpopmail[4198]: vchkpw-pop3: vpopmail user not found aaron@:69.3.64.3
Aug 12 11:52:54 mail vpopmail[4203]: vchkpw-pop3: vpopmail user not found abby@:69.3.64.3
Aug 12 11:52:54 mail vpopmail[4208]: vchkpw-pop3: vpopmail user not found abigail@:69.3.64.3
Aug 12 11:52:55 mail vpopmail[4228]: vchkpw-pop3: vpopmail user not found abraham@:69.3.64.3
Aug 12 11:52:55 mail vpopmail[4241]: vchkpw-pop3: vpopmail user not found abuse@:69.3.64.3
Aug 12 11:52:56 mail vpopmail[4258]: vchkpw-pop3: vpopmail user not found account@:69.3.64.3
Aug 12 11:52:57 mail vpopmail[4267]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
Aug 12 11:52:58 mail vpopmail[4289]: vchkpw-pop3: vpopmail user not found adm@:69.3.64.3