Thread: Are these login attempts a potential hacker?

  1. #1
    Jakobud is offline Starter Member
    Join Date
    Mar 2010
    Posts
    1
    Rep Power
    5

    Are these login attempts a potential hacker?

    One of our employees' (let's say his name is Bob Smith) Zimbra account kept changing to "Lockout". I discovered that Lockout refers to too many bad login attempts to that account within a certain time period.

    Investigating the logs, I'm seeing this:

    Code:
    2010-03-23 12:31:04,880 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
    2010-03-23 12:31:05,205 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
    2010-03-23 12:31:05,517 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
    2010-03-23 12:31:05,828 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
    2010-03-23 12:31:06,151 WARN  [btpool0-31374] [ip=50.24.49.30;ua=Mozilla/5.0 (X11;; U;; Linux x86_64;; en-US;; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc11 Lightning/1.0b1 Thunderbird/3.0.3;] security - cmd=Auth; account=bob.smith@mycompany.com; protocol=http_basic; error=authentication failed for john, account lockout;
    Can anyone explain what these errors mean? Does it mean that someone is attempting to log into Bob Smith's email account from that IP address (I changed the IP address for this post)?

    Why does it say authentication failed for john? Is someone trying to log into that email account using the name john?

    Is this a hack attempt? You can see the log is recording this event happening multiple times every second... nonstop.

  2. #2
    raj
    raj is offline Moderator
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    10

    Hi.. your mail server is on the internet, so ANYONE is allowed to authenticate and send email with a VALID username and password.
    So what many, many spammers do is try a dictionary hack: they try known words and names with random easy passwords. If they are LUCKY they get in and then use that account to send SPAM out.

    What you are seeing is perfectly normal spammer behaviour, and to your bad luck "bob.smith" seems to be a popular name which spammers want to try with different passwords.. making your account locked.

    No solution to this.. you can try grey-listing the server, and that will fend off many unwanted connections, as spammers don't like to RETRY.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  3. #3
    liverpoolfcfan is online now Outstanding Member
    Join Date
    Oct 2009
    Location
    Dublin, IRELAND
    Posts
    710
    Rep Power
    6

    Is the IP address in question a valid one for your user? If so, there may be a less sinister explanation.

    I see from your messages that the user in question is using Thunderbird with Lightning.

    It is possible that the user has recently changed their network password but not updated the password Lightning uses to access the Zimbra server. If Lightning tried to sync often enough in between logins in Thunderbird, it could lock out the account.

    Please see thread below for details

    http://www.zimbra.com/forums/isync-c...-breaking.html

    I hope this helps
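
The two explanations offered in this thread (password guessing in post #2, a client retrying a stale saved password in post #3) can be told apart by grouping the failed `cmd=Auth` lines by source IP. The following is an added example, not part of the original thread or of Zimbra itself; the threshold, the client-name hints, the verdict labels and the sample IPs and accounts are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the failed-Auth audit lines in the shape shown in post #1.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ +\[[^\]]*\] "
    r"\[ip=(?P<ip>[^;]+);ua=(?P<ua>.*?);\] security - cmd=Auth; "
    r"account=(?P<account>[^;]+); protocol=(?P<proto>[^;]+); "
    r"error=(?P<error>authentication failed.*);[ \t\r]*$", re.M)
CLIENT_HINTS = ("Thunderbird", "Lightning")  # assumption: the clients named in the thread
MANY_ACCOUNTS = 3                            # hypothetical threshold, tune per site

def triage(log_text):
    """Group failed logins by source IP and label each source."""
    by_ip = defaultdict(lambda: {"times": [], "accounts": set(), "uas": set()})
    for m in LINE.finditer(log_text):
        rec = by_ip[m["ip"]]
        rec["times"].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"))
        rec["accounts"].add(m["account"])
        rec["uas"].add(m["ua"].replace(";;", ";"))  # ';' appears doubled inside ua in the posted lines
    report = {}
    for ip, rec in by_ip.items():
        n = len(rec["times"])
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        one_client = len(rec["uas"]) == 1 and any(h in next(iter(rec["uas"])) for h in CLIENT_HINTS)
        if len(rec["accounts"]) >= MANY_ACCOUNTS:
            verdict = "guessing across accounts (post #2)"
        elif len(rec["accounts"]) == 1 and one_client:
            # The ua string is client-supplied: confirm the IP is the user's (post #3).
            verdict = "possibly a stale saved password (post #3)"
        else:
            verdict = "review manually"
        report[ip] = {"failures": n, "accounts": len(rec["accounts"]),
                      "per_second": round((n - 1) / span, 2) if span else None,
                      "verdict": verdict}
    return report

def constructed_sample():
    """Constructed log lines (made-up IPs and accounts) in the thread's format."""
    fmt = ("2010-03-23 12:31:{:02d},{:03d} WARN  [btpool0-1] [ip={};ua={};] security - cmd=Auth; "
           "account={}@example.com; protocol=http_basic; error=authentication failed for {}, account lockout;")
    tb = "Mozilla/5.0 (X11;; U;; Linux x86_64) Lightning/1.0b1 Thunderbird/3.0.3"
    rows = [fmt.format(4 + i // 2, 500 * (i % 2), "198.51.100.7", tb, "bob.smith", "john")
            for i in range(5)]
    rows += [fmt.format(10 + i, 0, "203.0.113.9", "ExampleClient/1.0", name, name)
             for i, name in enumerate(["admin", "info", "sales", "test"])]
    return "\n".join(rows)
```

Calling `triage(constructed_sample())` returns one entry per source IP with the failure count, the number of distinct accounts, the retry rate and the label.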
