Where to look for more logging detail

Hey folks.

Got MiaB humming along over a few domains.

Got the logs and, having a peek at the content, I notice the following:

User logins per hour
════════════════════

                  pop3 imap mana │ timespan
──────────────────────────────────┼──────────
xxxx@xxx.com       1.3  0.3  0.0 │ 7.0 days
──────────────────────────────────┼──────────
Totals:            1.3  0.3  0.0 │ 6.96 days
┬ totals by time of day:
│ hour  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
│ pop3  7  6  6  6  8  6  7  5  7  6  6  6  7  7 12 18 25 21 11  7  8  5  7  7
│ imap  0  0  0  0  0  0  0  0  0  0  0  0  0  0 57  0  0  0  0  0  0  0  0  0
│ mana  0  0  0  0  0  0  0  0  0  0  0  0  0  0  1  0  0  0  0  0  0  0  0  0
└─────────────────────────────────────────────────────────────────────────────

Something periodic for pop3 is expected (I am using Gmail to pull mailbox content), but what really stands out is the 57 IMAP accesses at 1400. Gmail doesn’t do IMAP for pulling emails, so I am really wondering what happened there.

Is there any way I can look further into what happened?

I highly recommend installing pflogsumm; however, that won’t answer your specific question.

If you can handle reading the pure log files, they are located at /var/log/mail.log*

As for a guess, is it possible that you or someone was logged in to webmail? As you can see from the sample log that @openletter posted, the webmail client connects every minute.


/var/log/mail.log

You should see stuff like:

Mar 10 05:57:31 imap-login: Info: Login: user=<username@example.com>, method=PLAIN, rip=<IP address>, lip=<IP address>, mpid=6826, TLS, session=<3VylqX+giCCmqijh>
Mar 10 05:57:31 imap-login: Info: Login: user=<username@example.com>, method=PLAIN, rip=<IP address>, lip=<IP address>, mpid=6827, TLS, session=<gtSlqX+gQEmmqijh>
Mar 10 05:57:31 imap(username@example.com): Info: Connection closed (UID SEARCH finished 0.096 secs ago) in=54 out=733
Mar 10 05:57:31 imap(username@example.com): Info: Connection closed (LIST finished 0.121 secs ago) in=23 out=712
Mar 10 05:57:31 imap-login: Info: Login: user=<username@example.com>, method=PLAIN, rip=<IP address>, lip=<IP address>, mpid=6829, TLS, session=<HO2xqX+gfjCmqijh>
Mar 10 05:58:35 imap-login: Info: Login: user=<username@example.com>, method=PLAIN, rip=<IP address>, lip=<IP address>, mpid=6837, TLS, session=<7+uDrX+g5/Cmqijh>
Mar 10 05:58:36 imap-login: Info: Login: user=<username@example.com>, method=PLAIN, rip=<IP address>, lip=<IP address>, mpid=6838, TLS, session=<//eErX+ggp+mqijh>
Mar 10 05:58:36 imap(username@example.com): Info: Connection closed (LIST finished 0.136 secs ago) in=23 out=674
Mar 10 05:58:36 imap(username@example.com): Info: Connection closed (UID SEARCH finished 0.121 secs ago) in=54 out=767

I am OK with simple stuff. I looked into that file and couldn’t find anything that says imap (at least, grep didn’t find anything, lol).

Not sure whether to be more worried now, whether it is someone skilled enough to be covering their tracks (or, more realistically, something else happening that is causing that summary).

Anyway, I changed the password for now and will see how it goes in future. It isn’t critical infrastructure, so I can monitor for a while longer before thinking of further steps…

It is probably in an archive file:

$ ll /var/log/mail.log*
-rw-r----- 1 syslog adm  118538 Mar 15 17:02 /var/log/mail.log
-rw-r----- 1 syslog adm 1647512 Mar 15 17:04 /var/log/mail.log.1
-rw-r----- 1 syslog adm  333708 Mar 10 03:00 /var/log/mail.log.2.gz
-rw-r----- 1 syslog adm  371177 Mar  2 03:00 /var/log/mail.log.3.gz
-rw-r----- 1 syslog adm  641172 Feb 25 03:00 /var/log/mail.log.4.gz
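As an added example (not code from this thread or from the Mail-in-a-Box project), here is a small POSIX shell function that does what the two replies above describe in one pass: it reads the live /var/log/mail.log and the rotated .gz archives together, and tallies Dovecot "imap-login: Info: Login:" lines per day, hour, user and remote IP (the rip= field), so a spike like the 57 IMAP logins at 14:00 can be traced to the client address that produced it. The log lines are constructed here so the script runs offline; the function name imap_logins_by_hour and the temporary file names are my own. A loopback rip (127.0.0.1) means the connection came from a process on the box itself rather than over the network.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mail-in-a-Box.
# Tallies Dovecot "imap-login: Info: Login:" lines per day, hour, user and
# remote IP across plain and gzipped logs (e.g. /var/log/mail.log*).

# Constructed sample log lines (not real traffic). The timestamp is always the
# first three fields, so the tally works whether or not a hostname follows it.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LOG.gz"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 14:00:03 box imap-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7001, TLS, session=<aaaaaaaaaaaaaaaa>
Mar 10 14:01:03 box imap-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7002, TLS, session=<bbbbbbbbbbbbbbbb>
Mar 10 14:02:03 box imap-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=7003, TLS, session=<cccccccccccccccc>
Mar 10 14:05:40 box imap-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=7004, TLS, session=<dddddddddddddddd>
Mar 10 15:31:00 box pop3-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=7101, TLS, session=<eeeeeeeeeeeeeeee>
EOF
# A rotated archive, as logrotate leaves it (mail.log.2.gz and older).
gzip -c "$SAMPLE_LOG" > "$SAMPLE_LOG.gz"

imap_logins_by_hour() {
    # Arguments: one or more log files, plain or .gz.
    # gzip -dcf decompresses .gz input and passes uncompressed files through,
    # so a single glob such as /var/log/mail.log* covers live and archived logs.
    gzip -dcf "$@" | awk '
        /imap-login: Info: Login:/ {
            hour = substr($3, 1, 2)            # "14:00:03" -> "14"
            user = "?"; rip = "?"
            if (match($0, /user=<[^>]+>/)) user = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /rip=[^,]+/))    rip  = substr($0, RSTART + 4, RLENGTH - 4)
            count[$1 " " $2 " " hour "h " user " " rip]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr                            # busiest bucket first
}

# Live log plus the archive; each bucket is counted twice here only because
# the archive is a copy of the same sample.
imap_logins_by_hour "$SAMPLE_LOG" "$SAMPLE_LOG.gz"
```

On a real box, run `imap_logins_by_hour /var/log/mail.log*` as root or as a member of the adm group (the listing above shows the files are readable only by syslog:adm). A bucket with a large count and a loopback rip points at something on the box itself, such as a webmail session; a large count with an unfamiliar remote address is the case worth investigating further.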