Am I hacked?
  •  
waz2304

I have Kerio Connect 7.1 that I use as a backup/test server, and I have noticed in the security log (for quite some time) that I am getting POP3 logon failures many times per day. I know there are bots attempting to send via SMTP, and that is OK. What I am worried about here is that the IP address that is listed is my own public & static IP. See below...


[31/Mar/2011 04:27:14] Failed POP3 login from xx.xx.xx.xx, user test@xx.com.
[31/Mar/2011 04:27:14] POP3: User test@xx.com doesn't exist. Attempt from IP address xx.xx.xx.xx.
[31/Mar/2011 04:27:17] Failed POP3 login from xx.xx.xx.xx, user test@xx.com.

I have seen plenty of login attempts from bots, but those are usually from random IPs. The ones that I have "x"ed out are, as I say, my external/WAN IP.
Am I being hacked from the LAN side?

Thanks for reading
  •  
ICT and Me

You're not hacked. But this is a way to try it. If your server responds with "this user exists but the password is wrong", then they will keep trying.
If you don't use POP3 anyway, disable the service.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
waz2304

Thanks for the reply.
We are using POP3 download from the hosted server. The users that are being attempted do not exist; we literally only have about 4 users on this server.
I still can't get my head around why it is showing as an attempt from my IP address, though.
Any thoughts?
  •  
blackbox

I'm having a hard time understanding what you're suggesting. Are you saying the POP connections referenced in your logs indicate connections from your network gateway's IP?
  •  
waz2304

blackbox wrote on Sun, 03 April 2011 06:49
I'm having a hard time understanding what you're suggesting. Are you saying the POP connections referenced in your logs indicate connections from your network gateway's IP?


Yes, the logs are showing my Static/Public/WAN IP address.


For example, if the DNS name of my mail server was mykerioserver.com, which resolved to an IP address of 101.10.101.10, this is the IP address that is showing in the log as being the origin of the attack.

Therefore the log would look like this:
[31/Mar/2011 04:27:14] Failed POP3 login from 101.10.101.10, user test@mykerioserver.com.
[31/Mar/2011 04:27:14] POP3: User test@mykerioserver.com doesn't exist. Attempt from IP address 101.10.101.10.
[31/Mar/2011 04:27:17] Failed POP3 login from 101.10.101.10, user test@mykerioserver.com.



Does this help?

  •  
blackbox

I gotcha. You're not saying you're seeing your gateway's public IP, rather your email server's public IP as the source of the attacks.

I've seen instances where NAT on the gateway wasn't configured correctly and traffic appears to be originating from the gateway itself vs the external source. I haven't experienced it myself, but I suppose the same could happen with the static NAT used for your email server depending on the NAT configuration.

Are you sure the gateway has NAT configured correctly as it relates to your email server?

Have you tried connecting to the email server via POP from outside the network and seeing what IP the email server thinks is connecting?

Something along the lines of (telnet mykerioserver.com 110) for example.
  •  
waz2304

Blackbox, you're spot on. Why I didn't think to try that is madness!
Telnet logon from another location showed it up straight away. Fixed the NAT on the router and all is good again, except for the bots, but we'll never get rid of them all...
Thanks again and I really appreciate it.
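
The check that settled this thread (compare the source address in the security log with the server's own public address) can be run over a whole log, shown here as an added example that is not part of the original posts. The sample lines, the documentation-range addresses and the function name `audit_sources` are constructed for illustration; the line format follows the log excerpts quoted above.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (documentation addresses).
SAMPLE_LOG = """\
[31/Mar/2011 04:27:14] Failed POP3 login from 203.0.113.10, user test@example.com.
[31/Mar/2011 04:27:14] POP3: User test@example.com doesn't exist. Attempt from IP address 203.0.113.10.
[31/Mar/2011 04:27:17] Failed POP3 login from 203.0.113.10, user test@example.com.
[31/Mar/2011 05:02:41] Failed POP3 login from 198.51.100.23, user admin@example.com.
"""

# Only the "Failed <PROTO> login" line is matched; the companion
# "User ... doesn't exist" line describes the same attempt and is skipped
# so that each attempt is counted once.
FAILED_LOGIN = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Failed (?P<proto>\w+) login from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), user (?P<user>\S+?)\.?$"
)

def audit_sources(lines, own_addresses):
    """Count failed logins per source IP and list those whose source is one
    of the server's own public/gateway addresses (assumed to be supplied by
    the administrator). A remote client cannot really have that address, so
    such entries mean inbound NAT is rewriting the source, as in the thread."""
    per_ip = Counter()
    masked = []
    for line in lines:
        m = FAILED_LOGIN.match(line.strip())
        if not m:
            continue
        per_ip[m["ip"]] += 1
        if m["ip"] in own_addresses:
            masked.append((m["ts"], m["user"]))
    return per_ip, masked

if __name__ == "__main__":
    counts, masked = audit_sources(SAMPLE_LOG.splitlines(), {"203.0.113.10"})
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed logins")
    for ts, user in masked:
        print(f"[{ts}] {user}: source is our own address, check inbound NAT")
```

While the source is masked this way, per-IP counts and any IP-based blocking are meaningless, because every remote client appears under the same address.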