Attempts to access our account

 
colbec
NetHosted Customer
Joined: 08 Sep 2006
Posts: 61
Location: Desert Lake, Ontario

Posted: Sat Aug 30, 2008 8:32 am    Post subject: Attempts to access our account

Just a note to file in case anybody else sees this:

Somebody attempted to gain access to one of our email accounts on a shared domain on Saturn, giving the following string as their IP address to Andrew's servers:

::ffff:aaa.bbb.ccc.ddd where the aaa etc. is a numeric IP address. This, I understand, is in IPv6 format.

They were denied access to the account since they had no password. However, there were two attempts to break in, each one a series of 6-7 attempts about 10 minutes apart.

The problem was that somehow they managed to spoof the ip address in aaa.bbb.ccc.ddd as the fixed ip used by us to regularly access accounts. This resulted in Andrew's firewall blocking that IP, with potentially serious consequences to us.

While the immediate issue of firewall blocking was quickly resolved with Andrew's help, we have no means of tracking anything further here. We are pretty sure that the attempts did not come from our network.

If anyone else sees something similar or knows of a solution to this kind of issue please chip in.

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004
Posts: 5684

Posted: Sat Aug 30, 2008 10:05 am

Colin,

I'd be interested to hear where you got the information re: IPv6. The format of all of our log entries is:

ip=[::ffff:127.0.0.1]

Also, looking over the logs, we see that this user attempted to log in every 10 minutes. This is a solid indication it wasn't a hacking attempt but simply a mail client setup trying to access the account with incorrect login details.

Thanks,

Andrew

_________________
| Andrew Bassett
| Managing Director, NetHosted Ltd.
| Resellers, take a look at overselling !
| Members, tell us what you think  of NetHosted!

colbec
NetHosted Customer
Joined: 08 Sep 2006
Posts: 61
Location: Desert Lake, Ontario

Posted: Sat Aug 30, 2008 10:30 am

Andrew, I was simply going by the "::ffff:" prefix that seems to indicate IPv6. I could well be wrong, but did some reading which seemed to indicate that. I don't know that it gets us any further ahead, except that on some of our machines we can switch IPv6 off.

I take your point about the 10 minute intervals but, look as we may, we cannot find the client responsible. We will of course keep looking.

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004
Posts: 5684

Posted: Sat Aug 30, 2008 10:36 am

Hi,

I think the logs are like that purely in anticipation of IPv6 addresses. I wish we could offer further insight but the logs only contain the time, IP and account!

Thanks,

Andrew

_________________
| Andrew Bassett
| Managing Director, NetHosted Ltd.
| Resellers, take a look at overselling !
| Members, tell us what you think  of NetHosted!
Back to top
View user's profile Send private message
colbec
NetHosted Customer
Joined: 08 Sep 2006
Posts: 61
Location: Desert Lake, Ontario

Posted: Sat Aug 30, 2008 7:04 pm

As a closing note on this issue, we have found the culprit and indeed it was on our network. It was a fetchmail process on a Linux server. The process was started months and months ago and had been trying to get access to that account all of that time without success, but we had missed the notifications. We were not aware of the issue until the firewall blocked our IP about 48 hours ago.

Many thanks to Andrew and Darryl who, true to form, kept us supplied with fresh updates from the Saturn logs as we worked through eliminating possibilities without complaint in their usual cheerful and undaunted way. Without their help we would still be looking and guessing.
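
An added example, not part of the thread and not NetHosted's own code: it reads failed-login lines carrying the ip=[::ffff:a.b.c.d] field quoted above, converts the IPv4-mapped IPv6 form back to plain IPv4, and separates a fixed-interval source (such as the fetchmail poller found here) from irregular bursts. Everything in the log line apart from the ip=[...] field, the sample addresses and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample data. Only the ip=[::ffff:a.b.c.d] field comes from the
# thread; the timestamp/account layout and all values are assumptions.
SAMPLE_LOG = """\
2008-08-30 08:00:02 LOGIN FAILED account=mailbox@example.org ip=[::ffff:192.0.2.10]
2008-08-30 08:10:01 LOGIN FAILED account=mailbox@example.org ip=[::ffff:192.0.2.10]
2008-08-30 08:20:03 LOGIN FAILED account=mailbox@example.org ip=[::ffff:192.0.2.10]
2008-08-30 08:30:02 LOGIN FAILED account=mailbox@example.org ip=[::ffff:192.0.2.10]
2008-08-30 08:40:02 LOGIN FAILED account=mailbox@example.org ip=[::ffff:192.0.2.10]
2008-08-30 08:01:00 LOGIN FAILED account=mailbox@example.org ip=[::ffff:198.51.100.7]
2008-08-30 08:01:03 LOGIN FAILED account=mailbox@example.org ip=[::ffff:198.51.100.7]
2008-08-30 08:01:04 LOGIN FAILED account=mailbox@example.org ip=[::ffff:198.51.100.7]
2008-08-30 08:17:40 LOGIN FAILED account=mailbox@example.org ip=[::ffff:198.51.100.7]
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN FAILED account=(\S+) ip=\[([^\]]+)\]")

def normalize_ip(text):
    """Return plain IPv4 for an IPv4-mapped IPv6 address (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def classify(log_text, max_jitter=30.0, min_events=4):
    """Group failures by (account, ip); label steady-interval sources 'periodic'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[(m.group(2), normalize_ip(m.group(3)))].append(ts)
    result = {}
    for key, stamps in events.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and pstdev(gaps) <= max_jitter:
            result[key] = ("periodic", round(sum(gaps) / len(gaps)))
        else:
            result[key] = ("irregular", None)
    return result

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_LOG).items():
        print(key, verdict)
```

The normalized IPv4 address is the value to compare against firewall allowlists and your own list of fixed IPs.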