Identifying logins


Identifying logins

Alex-325
Hi,

I have a squirrelmail-1.4.23 install that has been running fine on
fedora for a long time. I have the squirrel_logger plugin installed,
which I believe is the one responsible for writing to the
squirrelmail_access_log.

I'm trying to understand how the logins work:

Oct 2 09:22:28 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 09:51:23 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 10:15:23 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 10:33:47 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 10:51:06 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 11:59:54 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 12:32:32 [LOGIN] user1 (example.com) from 162.225.108.50:

There were no LOGOUT entries between each of these. How can I
determine what the typical "login" or "session" would be, not when
apparently the imap client logged in?

In other words, are these actual logins, or periodic checks by the
underlying IMAP client (dovecot)?

Why wouldn't the LOGOUT entries be recorded? There were a few, but
none within the three hours shown above.

Thanks,
Alex

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: Identifying logins

Paul Lesniewski


On 2016-11-08 19:12, Alex wrote:

> Hi,
>
> I have a squirrelmail-1.4.23 install that has been running fine on
> fedora for a long time. I have the squirrel_logger plugin installed,
> which I believe is the one responsible for writing to the
> squirrelmail_access_log.
>
> I'm trying to understand how the logins work:
>
> Oct 2 09:22:28 [LOGIN] user1 (example.com) from 162.225.108.50:
> Oct 2 09:51:23 [LOGIN] user1 (example.com) from 162.225.108.50:
> Oct 2 10:15:23 [LOGIN] user1 (example.com) from 162.225.108.50:
> Oct 2 10:33:47 [LOGIN] user1 (example.com) from 162.225.108.50:
> Oct 2 10:51:06 [LOGIN] user1 (example.com) from 162.225.108.50:
> Oct 2 11:59:54 [LOGIN] user1 (example.com) from 162.225.108.50:
> Oct 2 12:32:32 [LOGIN] user1 (example.com) from 162.225.108.50:
>
> There were no LOGOUT entries between each of these. How can I
> determine what the typical "login" or "session" would be, not when
> apparently the imap client logged in?
>
> In other words, are these actual logins, or periodic checks by the
> underlying IMAP client (dovecot)?

Your understanding should be correct. Actual IMAP logins happen once or
more per page view. There will be many more of those. Your user above is
displaying strange behavior. If you find that the user isn't actually
logging in at those times, I could look around the code.

> Why wouldn't the LOGOUT entries be recorded? There were a few, but
> none within the three hours shown above.

IIRC, the user needs to click on the signout link for this to happen,
and I don't think a lot of users do that.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Identifying logins

yu1234
This post has NOT been accepted by the mailing list yet.

How do you sall u box



Re: Identifying logins

Alex-325
In reply to this post by Paul Lesniewski
Hi,

>> I'm trying to understand how the logins work:
>>
>> Oct 2 09:22:28 [LOGIN] user1 (example.com) from 162.225.108.50:
>> Oct 2 09:51:23 [LOGIN] user1 (example.com) from 162.225.108.50:
>> Oct 2 10:15:23 [LOGIN] user1 (example.com) from 162.225.108.50:
>> Oct 2 10:33:47 [LOGIN] user1 (example.com) from 162.225.108.50:
>> Oct 2 10:51:06 [LOGIN] user1 (example.com) from 162.225.108.50:
>> Oct 2 11:59:54 [LOGIN] user1 (example.com) from 162.225.108.50:
>> Oct 2 12:32:32 [LOGIN] user1 (example.com) from 162.225.108.50:
>>
>> There were no LOGOUT entries between each of these. How can I
>> determine what the typical "login" or "session" would be, not when
>> apparently the imap client logged in?
>>
>> In other words, are these actual logins, or periodic checks by the
>> underlying IMAP client (dovecot)?
>
> Your understanding should be correct. Actual IMAP logins happen once or
> more per page view. There will be many more of those. Your user above is
> displaying strange behavior. If you find that the user isn't actually
> logging in at those times, I could look around the code.

This user's account was hacked. This is part of an investigation into
whether webmail was one of the sources of this hack.

We know submission was involved, but did not think webmail was a source as well.

Thanks,
Alex
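
An added example, not part of the thread: since LOGOUT entries are mostly missing, one way to review the LOGIN entries discussed above is to group them per user and source address and look at the spacing between them. The sample log is constructed in the quoted format; the `[LOGOUT]` line layout, the `user2` entries and the `year` argument are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the thread. The [LOGOUT] line
# layout and the user2 entries (documentation IP) are assumptions.
SAMPLE_LOG = """\
Oct 2 09:22:28 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 09:51:23 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 10:15:23 [LOGIN] user1 (example.com) from 162.225.108.50:
Oct 2 10:20:00 [LOGIN] user2 (example.com) from 203.0.113.7:
Oct 2 10:45:10 [LOGOUT] user2 (example.com) from 203.0.113.7:
Oct 2 10:51:06 [LOGIN] user1 (example.com) from 162.225.108.50:
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[(?P<event>[A-Z_]+)\] "
    r"(?P<user>\S+) \((?P<domain>[^)]*)\) from (?P<ip>\S+?):(?:\s|$)"
)

def parse(log_text, year=2016):
    """Yield (time, event, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the log carries no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["event"], m["user"], m["ip"]

def summarize(log_text):
    """Per (user, ip): login count, logout count, minutes between logins."""
    stats = defaultdict(lambda: {"logins": [], "logouts": 0})
    for ts, event, user, ip in parse(log_text):
        entry = stats[(user, ip)]
        if event == "LOGIN":
            entry["logins"].append(ts)
        elif event == "LOGOUT":
            entry["logouts"] += 1
    report = {}
    for key, entry in stats.items():
        times = sorted(entry["logins"])
        gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
        report[key] = {"logins": len(times), "logouts": entry["logouts"],
                       "gap_minutes": gaps}
    return report

if __name__ == "__main__":
    for (user, ip), row in summarize(SAMPLE_LOG).items():
        print(user, ip, row)
```

Each (user, address) pair in the output can then be checked against the addresses and times the account owner recognises.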
