Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Sorry - not ISP - shared web host provider. There's only one e-mail account - mine! I use my laptop and iphone to access via IMAP. The attached file shows the recorded usage in August, Sept and October
It's very likely that control-panel software is being used as the attack vector. Most unfortunately, that's very easily done. I wasn't paying close attention to a dedicated-server a few months ago (set it up in-haste ...) and that's exactly how it was penetrated; root-kitted, even.
Thanks Habitual, very helpful, they did mail me a link to a log file, but guess what? It's on my server! So I currently can't access, I do remember that it was very small, only from today and only seemed to contain stuff I'd been e-mailing, so not much help. I'm currently waiting for the 'Senior Technical Support' to update me on this issue.
I suppose there might be a bug in their accounting software?
Dunno about bugs.
Ask them to mail you the log to some other email address NOT hosted on that server.
Also, ask them if 15G is "normal" for an IMAP account being used by a laptop and iphone setup/configuration.
It seems a little "excessive" to me. POP[3] yes, IMAP, not so sure.
Here's the logfile - the funny thing is that my e-mail is still working, so I guess the IMAP traffic's still going up, which makes a bit of a mockery of their 'controls'
The provided log is too short and it only shows 1 day's? email with 12 log entries.
It doesn't contain anything other than exim (Mail Transport Agent, or MTA) strings and codes.
I'd ask them to provide an accurate bandwidth Report and I wouldn't settle on pretty graphics either. Tell them your accountant wants them. Reports, not Graphs.
Sep = 61.88 Megs
Oct = 15.04 Gigs
So, it is my estimate with what details I have here, that unless tradkonsult.com does LOTS of emailing, there seems to be a disconnect with 15.04 Gigs of "usage" over IMAP.
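A report like the one asked for above can be produced from the mail server's own logs rather than from the control panel's graphs. The following is an added example, not code from the thread or from the hosting provider: a shell function that sums the bytes Dovecot reports on each IMAP logout line, per mailbox and per day. The log lines are constructed for the example and the line layout assumed is Dovecot 2.x's "Disconnected: Logged out in=<bytes> out=<bytes>"; the host name, addresses and byte counts are made up.

```shell
#!/bin/sh
# Constructed sample of Dovecot log lines (format assumed from Dovecot 2.x).
# Only the "imap(...)" logout lines carry in=/out= byte counters; the
# imap-login line is included to show that it is ignored.
SAMPLE_LOG='Oct 27 23:10:02 host dovecot: imap(me@example.com): Disconnected: Logged out in=812 out=10485760
Oct 27 23:12:40 host dovecot: imap(me@example.com): Disconnected: Logged out in=600 out=5242880
Oct 28 01:05:11 host dovecot: imap(other@example.com): Disconnected: Logged out in=300 out=4096
Oct 28 01:07:00 host dovecot: imap(me@example.com): Disconnected: Logged out in=950 out=20971520
Oct 28 01:09:31 host dovecot: imap-login: Login: user=<me@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7, TLS'

# Read Dovecot log lines on stdin; print, per day and mailbox, the bytes
# received from the client (in=) and sent to it (out=), out= also in MiB.
imap_bandwidth_report() {
    awk '
        /dovecot: imap\(/ && /Disconnected:/ {
            day  = $1 " " $2
            user = $6; sub(/^imap\(/, "", user); sub(/\):$/, "", user)
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^in=/)  { split($i, a, "="); in_b[day, user]  += a[2] }
                if ($i ~ /^out=/) { split($i, a, "="); out_b[day, user] += a[2] }
            }
            seen[day, user] = 1
        }
        END {
            for (k in seen) {
                split(k, p, SUBSEP)
                printf "%s %s in=%d out=%d out_MiB=%.2f\n",
                       p[1], p[2], in_b[k], out_b[k], out_b[k] / 1048576
            }
        }
    ' | sort
}

# Usage: on a real host, replace the sample with e.g. "cat /var/log/maillog".
printf '%s\n' "$SAMPLE_LOG" | imap_bandwidth_report
```

The out= counter is the one that grows when a client re-downloads an entire mailbox, so a day with a large out= total and only a handful of logout lines is what a courier-to-dovecot migration looks like from the server side.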
I do very little mailing (20ish per day). Interestingly 'bandwidth' went up by nearly 4GB last night when my site was blocked, my computers/phone off and me in bed! So at least the provider now seems to be focussing in the right area - they've restored my site and say that they're logging the mail traffic. Nice tip about the report - I'll try that, and post anything I get here.
It's been quite a learning curve, and I've realised I really don't need joomla for my little site, so will rework in php/html with no db. Should be pretty secure, eh?
"I have investigated the issue on server and it seems IMAP usage for your domain is increased due to email service on server swaitched from courier to dovcot.
Temporarily I have increased bandwidth for your domain so that you will not face bandwidth exceed message on site.
Also while monitoring the logs on server there is no spamming found from your account."
Not quite sure what this means, but sounds like they're admitting it's a problem they've created?
"courier to dovcot. Temporarily I have increased bandwidth for your domain"
Temporarily? and then?
I can only presume that:
Sep = 61.88 Megs = courier
Oct = 15.04 Gigs = dovecot
If memory serves me correctly, we had an issue like this over at Hostforweb.com and if my memory serves well, I think they had to re-run quotas for all WHM/cPanel accounts.
They switched to dovecot also and something just like this event occurred also.
Shame it takes them so long to work this out - i.e. since last Thursday, plus they made me pay for an upgrade. I've asked them your question, plus asked for a refund. Will let you know what they say.
"I have investigated the issue on server and it seems IMAP usage for your domain is increased due to email service on server swaitched from courier to dovcot.
Temporarily I have increased bandwidth for your domain so that you will not face bandwidth exceed message on site.
Also while monitoring the logs on server there is no spamming found from your account."
Not quite sure what this means, but sounds like they're admitting it's a problem they've created?
It means a Level I tech support answer. But I don't think it is a canned response due to the mis-spelling of "swaitched" and "dovcot".
"Temporary..." he or she said, which also says: I have no power but to act on this ticket. Temporary is a band-aid.
Temporary is unacceptable and you should more than ask for a refund, I'd ask for Credit.
The hosting "game" is chock full of willing businesses that would not charge you for an upgrade you had no control over, so why should your current provider? Did you order the upgrade to dovecot?
Is there a Billing Code for an upgrade to dovecot? Was notification sent to the (no doubt) 100s+ of shared hosting accounts about this (planned?) upgrade?
They blew up your bandwidth, not you.
Also ask if the "trend" of 15.04 Gigs usage for what little email you do send is the "new normal" for dovecot.
Just like this forum is great for all things Linux, I'd like to suggest another high-power site called http://www.webhostingtalk.com/
The hosting business companies and practices can be compared there.
I'm afraid I'm very low-tech
(..)
I'm really struggling to get the reseller to explain what's going on
(..)
my provider made me upgrade my plan
IMHO these quotes represent the core problem:
- Being new to Linux is not a problem but neither should it be used as an excuse. The question is if you want to learn to use Linux like it is intended or not. If you don't then similar or worse problems may creep up elsewhere without noticing until it's (again) too late.
- Low-cost hosting providers and resellers pitch Linux + web-based management as cheap, easy and convenient without mentioning that's only the case for those that already possess enough Linux knowledge to understand the consequences. Without Linux (admin) knowledge the only thing those users are is easy prey.
- Unless you've got a bare bones contract unsupportive parties are usually a good indication of them being understaffed but more likely they are focused (on your money I mean), flaky, negligent. Apart from accepting an upgrade based on no evidence at all being a poor (business) choice, it also constitutes some basic form of agreement. (And while this thread started off well by asking for log files IMHO there has been too much speculation for my taste.) And I strongly doubt without proper log file evidence requesting remediation may be a possibility. I'd suggest you invest in gaining enough Linux admin knowledge to know what you're doing, chalk this one up as a lesson learned, vote with your wallet and move on.
*One note: best not use .htaccess files for blocking hosts: it's a performance drain, it's inefficient, slow. If you must block IP addresses use the Netfilter raw table PREROUTING chain, or more efficient (if your machine provides it), an ipset.
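To make the note above concrete, here is an added example (not code from the thread or from unSpawn) of blocking a list of addresses with an ipset matched from the Netfilter raw table's PREROUTING chain, which drops the packets before connection tracking and before Apache ever sees them. The set name, the blocklist entries and the DRY_RUN convention are assumptions made for the example; the blocklist deliberately contains one malformed entry to show the validation step.

```shell
#!/bin/sh
# Constructed blocklist (documentation addresses); "not-an-address" is
# included on purpose so the validation path is exercised.
BLOCKLIST='203.0.113.5
198.51.100.0/24
not-an-address
192.0.2.77'

SET_NAME=lq_blocked        # hypothetical ipset name

# Print the commands (DRY_RUN=1, the default) or execute them (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi
}

# Accept a dotted-quad IPv4 address with an optional /prefix, reject the rest,
# so a typo in the list cannot turn into an unexpected ipset argument.
valid_ipv4_cidr() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Create the set, fill it, and hook it into raw/PREROUTING exactly once.
build_blocklist() {
    run ipset create "$SET_NAME" hash:net -exist
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            run ipset add "$SET_NAME" "$entry" -exist
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
    # iptables -C checks whether the rule already exists, keeping reruns idempotent.
    if [ "${DRY_RUN:-1}" = 1 ] || ! iptables -t raw -C PREROUTING -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        run iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# Usage: "sh block.sh" prints the plan; "DRY_RUN=0 sh block.sh" as root applies it.
build_blocklist
```

Because the set is a hash, adding a thousand entries costs one rule and one lookup per packet, which is the efficiency difference unSpawn is pointing at versus a long list of deny lines in .htaccess evaluated by Apache on every request.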
Have to disagree unSpawn - I think the 'core' problem lay with my web hosting provider. I take your point re. logs, but as they wouldn't forward them to me, what could I do? I'm very grateful for the help I received here, which has helped me in my dealings with the provider. I just received this from them:
"As we have switched the server from courier to dovecot all of the courier logs have been cleared. Switching mail servers may cause some mail clients to redownload all stored mail messages for the account. This is primarily seen with POP3 configured accounts, which sometimes uses the bandwidth.
Please accept my sincere apologies for the inconvenience caused to you. The bandwidth limit will be reset tomorrow for all of the accounts on server and you should not face any more problems."
so I'll mark the thread as solved.
Thanks again all!