linux

photosho, 2021-10-05 17:15:32

Where to look for a virus that picks up Exim passwords?

In "/var/log/exim", the "main.log" log grew by 170,000 entries in one day. I think some kind of virus has got in and is trying to guess passwords. The messages in the log look like this:

2021-10-05 16:56:49 no host name found for IP address 31.130.184.147
2021-10-05 16:56:49 no host name found for IP address 31.130.184.76
2021-10-05 16:56:50 auth_login authenticator failed for (localhost) [31.130.184.194]: 535 Incorrect authentication data ([email protected])
2021-10-05 16:56:50 auth_login authenticator failed for (localhost) [31.130.184.198]: 535 Incorrect authentication data ([email protected])


"site.ru" is a site on the server. The log is updated at very short intervals (almost every second). I looked at the cron jobs in "/var/spool/cron" and did not find anything. What could it be, and where should I look for the launch scripts?

2 answers

Alexander Falaleev, 2021-10-05
@photosho

Why a virus? From the log it is clear that they are trying to connect from outside.
A fresh fail2ban with a "progressive" ban will quickly block the enemy's IP, first for hours, then for days and then for months :)

CityCat4, 2021-10-05
@CityCat4

Damn, it's just that someone is attacking you, that's all. I periodically shoot them, though I switch them off manually, immediately and forever. I can share the list for ipset.
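Both answers make the same point: the "(localhost)" in those lines is the HELO name the client sent, while the address in square brackets is where the TCP connection actually came from, so the activity is external password guessing against the SMTP AUTH listener, not a process on the box. An added example (not code from the thread) that makes this visible: a small Python script that parses Exim main log lines of the quoted shape, aggregates failed AUTH attempts by source IP, by /24, by HELO and by targeted login, checks whether the sources are outside the host's own address space, and emits an `ipset restore` file of the kind the second answer mentions. The log lines embedded below are constructed placeholders in the same format as the question (the login name and the 203.0.113.9 address are invented); the set name `exim_attackers` and the threshold are assumptions.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample in the shape of the lines quoted in the question.
# Addresses and the login names are placeholders, not data from the server.
SAMPLE_LOG = """\
2021-10-05 16:56:49 no host name found for IP address 31.130.184.147
2021-10-05 16:56:49 no host name found for IP address 31.130.184.76
2021-10-05 16:56:50 auth_login authenticator failed for (localhost) [31.130.184.194]: 535 Incorrect authentication data (info@site.ru)
2021-10-05 16:56:50 auth_login authenticator failed for (localhost) [31.130.184.198]: 535 Incorrect authentication data (info@site.ru)
2021-10-05 16:56:51 auth_plain authenticator failed for (mail.example.net) [203.0.113.9]: 535 Incorrect authentication data (set_id=admin@site.ru)
2021-10-05 16:56:52 auth_login authenticator failed for (localhost) [31.130.184.194]: 535 Incorrect authentication data (info@site.ru)
2021-10-05 16:56:53 1mXXXX-000000-00 <= user@site.ru H=[127.0.0.1] P=esmtpa A=login:user@site.ru S=512
"""

# Exim logs a failed SMTP AUTH as
#   <ts> <authenticator> authenticator failed for (<helo>) [<ip>](:<port>)?: 535 Incorrect authentication data (<login>)
# Older builds log the login bare, newer ones as "set_id=<login>"; both are accepted here.
# The optional "I=[...]" interface field appears only with the incoming_interface log selector.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<auth>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\](?::\d+)?(?: I=\[[^\]]+\](?::\d+)?)?"
    r": 535 Incorrect authentication data \((?:set_id=)?(?P<login>[^)]*)\)"
)

# Address space that would indicate a local process rather than an outside client.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_auth_failures(text):
    """Return one dict per failed-AUTH line; all other log lines are skipped."""
    return [m.groupdict() for m in (AUTH_FAIL.match(l) for l in text.splitlines()) if m]


def is_external(ip):
    """True when the connecting address is not loopback, RFC 1918 or link-local."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def source_net(ip):
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6) for spotting one botnet range."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def summarize(failures):
    """Aggregate failures by source IP, source network, HELO string and targeted login."""
    return {
        "by_ip": Counter(f["ip"] for f in failures),
        "by_net": Counter(source_net(f["ip"]) for f in failures),
        "by_helo": Counter(f["helo"] for f in failures),
        "by_login": Counter(f["login"] for f in failures),
        "all_external": all(is_external(f["ip"]) for f in failures),
    }


def ipset_restore_lines(failures, min_failures=3, set_name="exim_attackers"):
    """Build an `ipset restore` file (IPv4 only) listing sources with >= min_failures attempts.
    Load it with:  ipset -exist restore < blocklist.txt
    and reference the set from an iptables/nftables drop rule."""
    counts = Counter(
        f["ip"] for f in failures
        if is_external(f["ip"]) and ipaddress.ip_address(f["ip"]).version == 4
    )
    lines = [f"create {set_name} hash:ip family inet"]
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= min_failures:
            lines.append(f"add {set_name} {ip}")
    return lines


if __name__ == "__main__":
    # Usage: python3 exim_auth_fail.py /var/log/exim/mainlog   (defaults to the sample above)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    fails = parse_auth_failures(text)
    s = summarize(fails)
    print(f"{len(fails)} failed AUTH attempts; all from outside the host: {s['all_external']}")
    for key in ("by_net", "by_ip", "by_helo", "by_login"):
        print(f"\n{key}:")
        for k, n in s[key].most_common(10):
            print(f"  {n:6d}  {k}")
    print("\n# ipset restore file:")
    print("\n".join(ipset_restore_lines(fails, min_failures=2)))
```

The "by_helo" column is the quick answer to "where to look": a real local script would connect from 127.0.0.1 or the host's own address, whereas here every attempt arrives from public addresses that merely claim to be "localhost" in HELO. For the first answer's approach, fail2ban ships a `filter.d/exim.conf` that matches this "authenticator failed for ... 535 Incorrect authentication data" line, and fail2ban 0.11 and later support `bantime.increment = true` (with `bantime.factor` and `bantime.maxtime`) in the jail, which is the escalating hours-then-days-then-months ban described.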
