I get a lot of the following in my /var/log/httpd/ispconfig_access_log:

www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||92.17.223.164 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||69.19.14.33 - - [30/Aug/2010:03:13:12 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"

Also I have a lot of attempts to send mail to unknown users on one particular domain, and only on that domain. No attempts are tried on any other domains I host. Is there any way to stop this? The logs follow.

Aug 30 03:18:05 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<FLLUPLGT>
Aug 30 03:18:06 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<FLLUPLGT>

Can you give me any insight on how to stop this action?

Fordwrench

PS: both of these attempts are on the same domain. No other domains. I am about to take the domain down because of the traffic it generates.
404 attempts are error codes. Don't worry about it. You can keep an eye on it to see what kind of holes they are looking for. The Postfix error is common when a user doesn't exist. You can always tweak your Postfix with SPF and antispam tweaks. Try to search the forum or Google.
113.22.254.197 is on a lot of spam lists. You could add some RBL checks in Postfix to block those IPs right away (because if they hit an existing user, they'll get the mail). Try adding these lines to your main.cf under "smtpd_recipient_restrictions":

Code:
reject_rbl_client virbl.dnsbl.bit.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl-xbl.spamhaus.org

And as damir already pointed out, those 404's aren't really something to worry about.
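To see which sources are behind the two kinds of noise in the original post (404 probes in the ISPConfig-prefixed httpd log and Postfix "User unknown" rejects), and to show what a reject_rbl_client check actually looks up, here is an added example (not code from the thread or from ISPConfig/Postfix). The sample log lines are constructed in the formats quoted above; the mail addresses in them are made up, and the DNSBL zone names are the ones suggested in the reply.

```python
import re
import socket
from collections import Counter

# Constructed sample lines, modelled on the thread's log excerpts.
# ISPConfig writes: vhost||||bytes||||client-ip - - [date] "request" status ...
SAMPLE_HTTPD = """\
www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||92.17.223.164 - - [30/Aug/2010:03:13:08 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||1181||||76.181.99.134 - - [30/Aug/2010:03:13:12 -0500] "POST /.cod6xo/?action=fbgen&v=126&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.domain.com||||5120||||10.0.0.5 - - [30/Aug/2010:03:14:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
SAMPLE_MAIL = """\
Aug 30 03:18:05 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <nobody@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<nobody@domain.com> proto=ESMTP helo=<FLLUPLGT>
Aug 30 03:18:06 srv1 postfix/smtpd[3702]: NOQUEUE: reject: RCPT from unknown[113.22.254.197]: 550 5.1.1 <other@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<other@domain.com> proto=ESMTP helo=<FLLUPLGT>
"""

HTTPD_RE = re.compile(r'^(?P<vhost>[^|]+)\|\|\|\|\d+\|\|\|\|(?P<ip>\d+\.\d+\.\d+\.\d+) .*?"(?P<req>[^"]*)" (?P<status>\d{3}) ')
MAIL_RE = re.compile(r'NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: 550 .*? to=<(?P<to>[^>]+)>')

def count_404_probes(log_text):
    """Per-IP count of 404 responses, i.e. requests for paths that do not exist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = HTTPD_RE.match(line)
        if m and m.group("status") == "404":
            hits[m.group("ip")] += 1
    return hits

def count_unknown_recipients(log_text):
    """Per-IP count of Postfix 'User unknown' RCPT rejects (address guessing)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = MAIL_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def dnsbl_query_name(ip, zone):
    """The name reject_rbl_client resolves: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(ip, zone):
    """Live lookup (needs network): any A record means the zone lists the IP."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False

def suspects(httpd_text, mail_text, threshold=2):
    """IPs with at least `threshold` probes or rejects across both logs."""
    totals = count_404_probes(httpd_text) + count_unknown_recipients(mail_text)
    return sorted(ip for ip, n in totals.items() if n >= threshold)
```

Feed the real files to count_404_probes and count_unknown_recipients to rank sources before deciding on RBLs or firewall rules; dnsbl_listed is the only function that touches the network.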
And if you have phpmyadmin installed, ensure that you updated to the latest version: http://www.howtoforge.com/forums/showthread.php?t=47423
I guess I should tell what setup I have: Debian 4.0 with ISPConfig 2 (the latest). I asked in here because of that, and I have done a lot of searching of forums and Google. I just added an htaccess file that blocks all IPs other than USA, and that has helped a lot. But now they are trying with proxied or spoofed IPs. I know that they are hacking attempts because they have succeeded before and put hidden folders in my web that have XML exploits. This is not just a few random hacking attempts; they are hitting this domain hard and it eats a lot of network bandwidth. I would like to set a bomb and have them download it and really fix them, but I would be satisfied with just thwarting their efforts to penetrate my system. Thanks for your help so far. I will try what you recommended, and if you have any other suggestions please give them. Fordwrench