[email protected] (mj), 2018.10.31 (Wed) 15:16 (CET):
> We have noticed lines like the following in our sogo logs:
>
> > Wed Oct 31 12:33:06 CET 2018 Oct 31 12:33:06 sogod [25987]:
> > <0x0x55e5d005b120[SOGoWebAuthenticator]> tried wrong password for
> > user
> > '+xIpPJifKpSoK0Yez1t6b3G/5wmx7uWGx7RbDKRof+7gcXgU4vK1++l/NG4YGKZNbryHUf9cNdsKPahmogY6cD1O37hK9klMQe9T8vJ9H860n7vq+p3yIgQu01pSp+N6WyxGxu1pCtTu6dWk85wRT/fOZWTi+bE339XmGQZUsKOmKRzWVCjQ4nsZ+Mr0GfSAFCSWJy6EeCYujPcEyC42cQ=='!
>
> SOGo works beautifully, but we wonder what these log lines mean. The username
> is obviously so strange, that it is very unlikely someone mistyping his/her
> username.

Maybe you are being fuzzed by some web vulnerability scanner... At first sight I thought it might be base64 encoded, but decoding it gives just utf8 garbage. The two "==" at the end look like the end of all of my ssh keys.

> Does anyone recognise this as something SOGo-internal, perhaps..?

No!

> We are using SOGo for regular (email/calendar) web access, plus ActiveSync
> and some carddav/caldav. Unfortunately, no IP is logged with the lines.
> (they appear at irregular times/frequencies)

You are running sogo behind a reverse proxy, go for the log files of this daemon and correlate to get the IP!

Marcus

--
[email protected]
https://inverse.ca/sogo/lists
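The correlation suggested in the reply above, sketched as an added example (not part of the original message and not SOGo code). It assumes the reverse proxy writes a combined-format access log in the same local timezone as sogod, and that web logins arrive as POSTs to `/SOGo/connect`; the log lines, usernames and IPs are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: sogod lines in the format quoted above, and a
# reverse-proxy access log in combined format (assumed). IPs are documentation ranges.
SOGO_LOG = """\
Oct 31 12:33:06 sogod [25987]: <0x0x55e5d005b120[SOGoWebAuthenticator]> tried wrong password for user 'QUJDRA=='!
Oct 31 12:40:10 sogod [25987]: <0x0x55e5d005b120[SOGoWebAuthenticator]> tried wrong password for user 'alice'!
"""
PROXY_LOG = """\
192.0.2.10 - - [31/Oct/2018:12:33:05 +0100] "POST /SOGo/connect HTTP/1.1" 403 34 "-" "scanner/1.0"
198.51.100.7 - - [31/Oct/2018:12:33:06 +0100] "GET /SOGo/so/alice/Mail/view HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Oct/2018:12:40:10 +0100] "POST /SOGo/connect HTTP/1.1" 403 34 "-" "Mozilla/5.0"
"""

FAIL_RE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) sogod \[\d+\]: .*"
                     r"tried wrong password for user '(.*)'!")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"', re.M)

def failed_logins(sogo_text, year):
    """Yield (timestamp, username) per failure; sogod omits the year, so pass it in."""
    for m in FAIL_RE.finditer(sogo_text):
        yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def login_posts(proxy_text, login_path="/SOGo/connect"):
    """Yield (local timestamp, client IP) for each POST to the assumed login path."""
    for ip, ts, method, url in ACCESS_RE.findall(proxy_text):
        if method == "POST" and url.startswith(login_path):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when.replace(tzinfo=None), ip  # keep wall-clock time as logged

def correlate(sogo_text, proxy_text, year, window_s=2):
    """Return [(timestamp, username, [candidate IPs])] for every failed login."""
    posts = list(login_posts(proxy_text))
    window = timedelta(seconds=window_s)
    results = []
    for ts, user in failed_logins(sogo_text, year):
        ips = sorted({ip for when, ip in posts if abs(when - ts) <= window})
        results.append((ts, user, ips))
    return results

if __name__ == "__main__":
    for ts, user, ips in correlate(SOGO_LOG, PROXY_LOG, 2018):
        print(ts, repr(user[:16]), ips or "no matching request")
```

Several candidate IPs inside one window mean the match is ambiguous for that event; repeated events usually narrow it down to a single source.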
