Illegal access to e-mail through the service : dovecot

Arman.Motevalian

Active Member
Jun 24, 2019
28
8
3
ITALY
cPanel Access Level
Root Administrator
Hello, please help me.

I have installed my Almalinux 8 system from scratch and the cPanel version is fresh and clean.
I also have imunify360 security software, but one of my emails is constantly being hacked.

An anonymous IP is entering my email through the dovecot service.

I blocked his IP from the firewall but I know he can do it again. Please tell me how to prevent this illegal entry.

I have attached a photo of the login notification with an unknown IP.

Thanks!

quietFinn

Well-Known Member
Feb 4, 2006
2,109
580
493
Finland
cPanel Access Level
Root Administrator
I believe that someone is trying to access that email.

If you check in /var/log/maillog you can see if they are trying (and failing), or actually accessing the mailbox.

These kinds of hacking attempts are very common, and if you have good security tools (and secure passwords) they are quite harmless.

Arman.Motevalian

I believe that someone is trying to access that email.

If you check in /var/log/maillog you can see if they are trying (and failing), or actually accessing the mailbox.

These kinds of hacking attempts are very common, and if you have good security tools (and secure passwords) they are quite harmless.
I always use complex passwords and all server ports are closed. I just want to know how I can prevent this.

Last time, 2500 spam emails were sent with this email, I don't want it to happen again. I installed AlmaLinux and cPanel from scratch but they can still be imported :(

quietFinn

I also have imunify360 security software, but one of my emails is constantly being hacked.
If the password is really secure then it's more likely that the password is leaked; maybe you (or someone else who knows the password) have a virus/malicious software on your computer.

Arman.Motevalian

I believe that someone is trying to access that email.

If you check in /var/log/maillog you can see if they are trying (and failing), or actually accessing the mailbox.

These kinds of hacking attempts are very common, and if you have good security tools (and secure passwords) they are quite harmless.
When I go on SSH and run
nano /var/log/maillog I can see the log for 2 August, but I cannot see the log for today. Why? Is it not updated?

quietFinn

You should do this:
grep TheEmailInQuestion /var/log/maillog

If you open the file in an editor, the oldest lines are on top.

You see the newest lines like this:
tail /var/log/maillog

Arman.Motevalian

You should do this:
grep TheEmailInQuestion /var/log/maillog

If you open the file in an editor, the oldest lines are on top.

You see the newest lines like this:
tail /var/log/maillog
We use Laravel on our site and we use email information to connect to our site, for example, when a user wants to reset a password, this email is used. Do you think there might be a bug that reveals the email password?

Arman.Motevalian

These are the logs that are related to the same hour


Aug 4 00:10:13 panel dovecot[1374]: auth-worker(79350): Debug: imunify360: check_only=0
Aug 4 00:10:13 panel dovecot[1374]: auth-worker(79350): Debug: imunify360: sock_timeout=1000
Aug 4 00:10:17 panel dovecot[1374]: lmtp(79383): Connect from local
Aug 4 00:10:17 panel dovecot[1374]: lmtp([email protected])<79383><520xBOlBzGQXNgEAUWwwJA>: msgid=<[email protected]$
Aug 4 00:10:17 panel dovecot[1374]: lmtp(79383): Disconnect from local: Logged out (state=READY)
Aug 4 00:10:29 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79398, TLS, ses$
Aug 4 00:10:29 panel dovecot[1374]: imap(cpanel-ccs)<79398><rFVyuQ0C2ul/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:10:59 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79414, TLS, ses$
Aug 4 00:10:59 panel dovecot[1374]: imap(cpanel-ccs)<79414><104+uw0CarV/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:11:29 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79472, TLS, ses$
Aug 4 00:11:29 panel dovecot[1374]: imap(cpanel-ccs)<79472><dm0LvQ0CMpt/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:11:59 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79490, TLS, ses$
Aug 4 00:11:59 panel dovecot[1374]: imap(cpanel-ccs)<79490><PnDXvg0C4Ol/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:12:30 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79545, TLS, ses$
Aug 4 00:12:30 panel dovecot[1374]: imap(cpanel-ccs)<79545><M9WjwA0CurV/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:13:00 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79557, TLS, ses$
Aug 4 00:13:00 panel dovecot[1374]: imap(cpanel-ccs)<79557><xiBwwg0CpMR/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:13:00 panel spamd[4443]: spamd: connection from localhost [::1]:60078 to port 783, fd 5
Aug 4 00:13:01 panel dovecot[1374]: pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.$
Aug 4 00:13:01 panel dovecot[1374]: lmtp(79653): Connect from local
Aug 4 00:13:01 panel dovecot[1374]: lmtp(79653): Disconnect from local: Logged out (state=GREETING)
Aug 4 00:13:02 panel dovecot[1374]: imap-login: Login: user=<__cpanel__service__auth__imap__7wszetfl5zokodyc>, method=PLAIN, rip=127.0.0.1$
Aug 4 00:13:02 panel dovecot[1374]: imap(__cpanel__service__auth__imap__7wszetfl5zokodyc)<79659><9UuNwg0C0LR/AAAB>: Disconnected: Logged o$
Aug 4 00:13:30 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79731, TLS, ses$
Aug 4 00:13:30 panel dovecot[1374]: imap(cpanel-ccs)<79731><bD87xA0CSON/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:14:00 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79743, TLS, ses$
Aug 4 00:14:00 panel dovecot[1374]: imap(cpanel-ccs)<79743><LlUHxg0CWIl/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879
Aug 4 00:14:30 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79799, TLS, ses$
Aug 4 00:14:30 panel dovecot[1374]: imap(cpanel-ccs)<79799><CHbTxw0CWtJ/AAAB>: Disconnected: Logged out in=50, out=879, bytes=50/879


quietFinn

I see connections only from localhost (127.0.0.1) to localhost, which is most likely webmail access.

I know nothing about Laravel, but when a password is sent in an email it's always possible for it to end up in the wrong hands.
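The maillog checks quietFinn describes (grep for the mailbox, then tell localhost/webmail sessions apart from remote logins and from failed attempts), as an added shell example that is not from the thread or from cPanel. The sample log lines are constructed in the Dovecot format shown above with documentation-range IPs, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise Dovecot logins for one
# mailbox from /var/log/maillog, separating localhost sessions (webmail, the
# cpanel-ccs checks) from remote ones, and counting failed auth attempts.
# The sample log below is constructed in the "imap-login: Login: user=<..>,
# method=.., rip=.., lip=.." format seen in the thread; IPs are documentation
# ranges, not real addresses. Function names are my own.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 4 00:10:29 panel dovecot[1374]: imap-login: Login: user=<cpanel-ccs>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79398, TLS, session=<a1>
Aug 4 00:11:02 panel dovecot[1374]: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=79410, TLS, session=<b2>
Aug 4 00:11:45 panel dovecot[1374]: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, mpid=79420, TLS, session=<c3>
Aug 4 00:12:01 panel dovecot[1374]: pop3-login: Login: user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, mpid=79430, TLS, session=<d4>
Aug 4 00:12:30 panel dovecot[1374]: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<info@example.com>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS, session=<e5>
Aug 4 00:13:00 panel dovecot[1374]: imap-login: Login: user=<sales@example.com>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.5, mpid=79440, TLS, session=<f6>
EOF

# remote_logins LOGFILE USER
# Prints "IP COUNT" for every non-localhost source (rip=) that successfully
# logged in as USER over IMAP or POP3: the "actually accessing the mailbox" case.
remote_logins() {
    grep -E "(imap|pop3)-login: Login: user=<$2>" "$1" \
        | sed -n 's/.* rip=\([^,]*\),.*/\1/p' \
        | grep -vE '^(127\.0\.0\.1|::1)$' \
        | sort | uniq -c | awk '{print $2, $1}'
}

# failed_attempts LOGFILE USER
# Counts "auth failed" disconnects against USER: the "trying and failing" case,
# which is background noise as long as the password is strong.
failed_attempts() {
    grep -cE "auth failed.*user=<$2>" "$1" || true
}

# Stand-alone usage: report on the constructed sample for one mailbox.
report() {
    echo "Remote successful logins for $2 (IP count):"
    remote_logins "$1" "$2"
    echo "Failed attempts: $(failed_attempts "$1" "$2")"
}
report "$SAMPLE_LOG" 'info@example.com'
```

On a real server, replace SAMPLE_LOG with /var/log/maillog; a successful login from an IP nobody on the team recognises is the signal to rotate that mailbox's password, while localhost-only entries match the webmail access quietFinn describes.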