We're seeing the same here. Its intensity is not that big, however. They try to authenticate with addresses of domains we host. Checking these accounts on haveibeenpwned, they all seem to have leaked from the Verifications.io breach. Also, postgres together with ssh seem to be the commonly opened ports on those IPs.
https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/

Regards,
Frido

On 02-04-19 at 03:41, Michael Peddemors wrote:
> Someone thinks it's funny to do it on April Fools..
>
> Attacks port 587, uses an EHLO of server.com, looks to be router
> compromises, but instead of the typical distributed low volume this
> one is hitting hard.. But I see some other types of Linux servers as well..
>
> Most rate limiter type tools are probably going to trigger on this one
> a lot..
>
> Sample Clipped Log Entry:
>
> Apr 1 18:04:09 fe1 msd[14084]: Linux Magic SMTPD started: connection from 176.53.90.210 REQUIREAUTH (192.168.0.204:587) Linux 3.11 and ne
> Apr 1 18:04:09 fe1 msd[14084]: GeoIP country code[176.53.90.210] = "TR"
> Apr 1 18:04:09 fe1 msd[14084]: EHLO command received, args: server.com
> Apr 1 18:04:10 fe1 msd[14084]: auth failed:
> Apr 1 18:04:15 fe1 msd[14084]: smtp_read_command() internal error [-1]: Connection reset by peer
> Apr 1 18:04:15 fe1 msd[14084]: Exiting (bytes in: 77 out: 212)
>
> Nmap scan report for server-176.53.90.210.as42926.net (176.53.90.210)
> Host is up (0.20s latency).
> Not shown: 992 closed ports
> PORT     STATE  SERVICE
> 22/tcp   open   ssh
> 80/tcp   open   http
> 5432/tcp open   postgresql
> 9000/tcp open   cslistener
> 9001/tcp open   tor-orport
> 9002/tcp open   dynamid
> 9003/tcp open   unknown
> 9099/tcp open   unknown
>
> Nmap scan report for host72-130-107-176.static.arubacloud.pl (176.107.130.72)
> Host is up (0.17s latency).
> Not shown: 995 closed ports
> PORT     STATE    SERVICE
> 22/tcp   open     ssh
> 80/tcp   open     http
> 179/tcp  filtered bgp
> 5432/tcp open     postgresql
> 8080/tcp open     http-proxy
>
> What's in common? postgresql..
>
>
> Page loads to 'My First OSM'
>
> Haven't had a chance to see if this overlays other previous bots..
> _______________________________________________
> mailop mailing list
> [email protected]
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
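The pattern the thread describes (submission port 587, an EHLO literal of server.com, then an immediate auth failure) is easy to pick out of the msd log format quoted above. The following is an added example, not code from the thread or from the Linux Magic SMTPD project: it groups log lines into sessions by the msd[pid] and flags sessions that match that pattern. The sample log is constructed to mimic the quoted entries; the second client IP (203.0.113.7, a documentation address) and its EHLO value are hypothetical and serve only as a non-matching control.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log modelled on the msd[...] lines quoted in the thread.
# The 203.0.113.7 session is hypothetical and should NOT be flagged.
SAMPLE_LOG = """\
Apr 1 18:04:09 fe1 msd[14084]: Linux Magic SMTPD started: connection from 176.53.90.210 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:09 fe1 msd[14084]: GeoIP country code[176.53.90.210] = "TR"
Apr 1 18:04:09 fe1 msd[14084]: EHLO command received, args: server.com
Apr 1 18:04:10 fe1 msd[14084]: auth failed:
Apr 1 18:04:15 fe1 msd[14084]: smtp_read_command() internal error [-1]: Connection reset by peer
Apr 1 18:04:15 fe1 msd[14084]: Exiting (bytes in: 77 out: 212)
Apr 1 18:04:20 fe1 msd[14090]: Linux Magic SMTPD started: connection from 203.0.113.7 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:20 fe1 msd[14090]: GeoIP country code[203.0.113.7] = "NL"
Apr 1 18:04:20 fe1 msd[14090]: EHLO command received, args: mail.example.net
Apr 1 18:04:21 fe1 msd[14090]: auth failed:
Apr 1 18:04:23 fe1 msd[14090]: Exiting (bytes in: 90 out: 230)
"""

# syslog-style prefix: "<Mon> <day> <hh:mm:ss> <host> msd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"msd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
START_RE = re.compile(r"connection from (?P<ip>[\d.]+) .*\([\d.]+:(?P<port>\d+)\)")
GEO_RE = re.compile(r'GeoIP country code\[[\d.]+\] = "(?P<cc>\w+)"')
EHLO_RE = re.compile(r"EHLO command received, args: (?P<ehlo>\S+)")


@dataclass
class Session:
    pid: str
    ip: str
    port: int
    started: str
    country: Optional[str] = None
    ehlo: Optional[str] = None
    auth_failures: int = 0
    ended: Optional[str] = None


def parse_sessions(log_text: str) -> List[Session]:
    """Group msd log lines into per-connection sessions keyed by pid.

    A session opens on the 'connection from' line and closes on 'Exiting';
    keying on pid and closing explicitly keeps later pid reuse from merging
    two different connections."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an msd line; ignore
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        s = START_RE.search(msg)
        if s:
            open_sessions[pid] = Session(pid=pid, ip=s["ip"], port=int(s["port"]), started=ts)
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # line for a connection we never saw start (clipped log)
        if (g := GEO_RE.search(msg)):
            sess.country = g["cc"]
        elif (e := EHLO_RE.search(msg)):
            sess.ehlo = e["ehlo"]
        elif msg.startswith("auth failed"):
            sess.auth_failures += 1
        elif msg.startswith("Exiting"):
            sess.ended = ts
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())  # still-open sessions at end of log
    return finished


def flag_submission_bruteforce(sessions: List[Session],
                               bad_ehlo: str = "server.com",
                               port: int = 587) -> Dict[str, int]:
    """Return {client_ip: total auth failures} for sessions that hit the
    submission port, announced the suspicious EHLO literal and then failed
    authentication. Hypothetical thresholds; tune bad_ehlo/port to taste."""
    hits: Dict[str, int] = defaultdict(int)
    for s in sessions:
        if s.port == port and s.ehlo == bad_ehlo and s.auth_failures > 0:
            hits[s.ip] += s.auth_failures
    return dict(hits)


if __name__ == "__main__":
    for ip, n in flag_submission_bruteforce(parse_sessions(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed AUTH after EHLO server.com on 587")
```

Matching on the EHLO literal alone would be a weak signal on its own (any badly configured client could send it), so the flag requires the auth failure too; feeding the resulting IP list into a temporary block, or correlating it with a port scan for 22 and 5432 as Michael and Frido did, is left to the operator.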
