Username character disallowed by auth_username_chars: 0x13

Alex Regan
Hi, I'm receiving the following messages in my mail logs that I
haven't seen before:

Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
Username character disallowed by auth_username_chars: 0x13 (username:
AB?)
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
Username character disallowed by auth_username_chars: 0x13 (username:
AB?)

There's thousands of them, from hundreds of different IP addresses. I
suspect it's an exploit attempt, but does anyone know which?

I've added a fail2ban entry, but I'd also like to make sure my dovecot
is not vulnerable. This is on a fc25 system with all updates.

Re: Username character disallowed by auth_username_chars: 0x13

Aki Tuomi-2

> On November 29, 2017 at 5:58 AM Alex <[hidden email]> wrote:
>
>
> Hi, I'm receiving the following messages in my mail logs that I
> haven't seen before:
>
> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
> Username character disallowed by auth_username_chars: 0x13 (username:
> AB?)
> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
> Username character disallowed by auth_username_chars: 0x13 (username:
> AB?)
>
> There's thousands of them, from hundreds of different IP addresses. I
> suspect it's an exploit attempt, but does anyone know which?
>
> I've added a fail2ban entry, but I'd also like to make sure my dovecot
> is not vulnerable. This is on a fc25 system with all updates.

0x13 is carriage return, so it could just be a mistake in the spam robots code.

Aki

Re: Username character disallowed by auth_username_chars: 0x13

Alex Regan
Hi,

On Wed, Nov 29, 2017 at 12:18 AM, Aki Tuomi <[hidden email]> wrote:

>
>> On November 29, 2017 at 5:58 AM Alex <[hidden email]> wrote:
>>
>>
>> Hi, I'm receiving the following messages in my mail logs that I
>> haven't seen before:
>>
>> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
>> Username character disallowed by auth_username_chars: 0x13 (username:
>> AB?)
>> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
>> Username character disallowed by auth_username_chars: 0x13 (username:
>> AB?)
>>
>> There's thousands of them, from hundreds of different IP addresses. I
>> suspect it's an exploit attempt, but does anyone know which?
>>
>> I've added a fail2ban entry, but I'd also like to make sure my dovecot
>> is not vulnerable. This is on a fc25 system with all updates.
>
> 0x13 is carriage return, so it could just be a mistake in the spam robots code.

It turned out there was a carriage return in the GCOS field of one of
the users in the password file, and for every dovecot login there was
an entry similar to the above in the logs.
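
The cause reported in the last message, a control character in a field of the password file, can be checked for directly. The following is an added example, not part of the original thread; `scan_passwd` and the sample records are constructed for illustration.

```python
#!/usr/bin/env python3
"""Report control characters hiding in passwd(5)-format records."""
import sys

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def scan_passwd(data: bytes):
    """Return (lineno, user, field, offset, byte) for every control byte.

    The input is split on LF only: Python's text mode would treat a lone
    CR as a line ending and hide exactly the character we are looking for.
    """
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if not line:
            continue
        parts = line.split(b":")
        user = parts[0].decode("utf-8", "replace")
        if len(parts) != len(FIELDS):
            # Wrong field count: report it instead of guessing the layout.
            findings.append((lineno, user, "malformed", len(parts), None))
            continue
        for field, value in zip(FIELDS, parts):
            for offset, byte in enumerate(value):
                if byte < 0x20 or byte == 0x7F:
                    findings.append((lineno, user, field, offset, byte))
    return findings


# Constructed sample, not data from the thread: the second record carries
# a carriage return at the end of its GECOS field.
SAMPLE = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"alice:x:1000:1000:Alice Example\r:/home/alice:/bin/bash\n"
    b"bob:x:1001:1001:Bob Example:/home/bob:/sbin/nologin\n"
)

if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to scan a real file; default is SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for lineno, user, field, offset, byte in scan_passwd(data):
        if byte is None:
            print(f"line {lineno}: user {user!r}: {offset} fields, expected 7")
        else:
            print(f"line {lineno}: user {user!r}: {field}[{offset}] = 0x{byte:02x}")
```

The hex value printed for each finding uses the same `0x..` notation as the dovecot log message, so the two can be compared directly.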