I have seen the same thing and usually all I do is block the IP or, if I have nothing better to do, set up my network to do a flood ping attack for a short burst (about 20 seconds), and this seems to cause the sender to shut down. I have seen this in my logs a total of 4 times now. I have no issue with ping flooding someone trying to get into my systems.

Good password/account management seems to solve this issue - oh, and using a Mac is a big plus also.

Thanks

At 11:08 PM -0400 10/14/03, Michael J. Stango wrote:
I've gotten a few attempts in recent weeks, most recently on October 3rd. My
log is usually about 10-20K per day, but October 3rd's was 60K.

I found this in the log:

----------
17:15:31 1 SMTP-207([218.70.9.3]) SPAM? Host is in the Blacklist
17:15:32 3 SMTP-207(dfasfd-vojmlg22) Failed to verify. Real address is
[218.70.9.3:2741]
17:15:36 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:36 1 SMTP {webmaster} AUTH failed: password(webmaster) is wrong.
Connection from [218.70.9.3:2741]
17:15:41 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:41 1 SMTP {webmaster} AUTH failed: password(webmaster12) is wrong.
Connection from [218.70.9.3:2741]
17:15:43 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:43 1 SMTP {webmaster} AUTH failed: password(webmaster123) is wrong.
Connection from [218.70.9.3:2741]
17:15:45 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
----------

And so on, until it finally stopped at 17:23:57. They try many basic account
names, and many fairly simple passwords for each.

Every time I've seen this crap in my logs, it has come from an IP in China,
so there's probably not much point in complaining to the ISP's abuse@
address. Starting with the October 3rd penetration attempt, I now create a
rule in IPNetSentry that denies all traffic from the attacking IP's
enclosing netblock.

~MJS
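
A defensive check for the pattern in the quoted log, added here as an example and not part of the original thread or of the mail server's own tooling: it rejoins the wrapped log lines, counts SMTP AUTH failures per source address, and flags any address with several failures inside a short window. The sample log is constructed in the same format with documentation addresses, and the function names, threshold and window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt above, wrapped the way
# the e-mail wrapped it. 192.0.2.3 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
17:15:31 1 SMTP-207([192.0.2.3]) SPAM? Host is in the Blacklist
17:15:36 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:36 1 SMTP {webmaster} AUTH failed: password(guess1) is wrong.
Connection from [192.0.2.3:2741]
17:15:41 1 SMTP {webmaster} AUTH failed: password(guess2) is wrong.
Connection from [192.0.2.3:2741]
17:15:43 1 SMTP {admin} AUTH failed: password(guess3) is wrong.
Connection from [192.0.2.3:2741]
17:40:02 1 SMTP {alice} AUTH failed: password(guess4) is wrong.
Connection from [198.51.100.7:1033]
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2} ")
AUTH_FAIL = re.compile(
    r"^(\d{2}:\d{2}:\d{2}) \d+ SMTP \{([^}]*)\} AUTH failed: .*"
    r"Connection from \[(\d{1,3}(?:\.\d{1,3}){3}):\d+\]"
)

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def find_guessers(text, threshold=3, window=60):
    """Flag IPs with `threshold` AUTH failures within `window` seconds (one day's log)."""
    failures = defaultdict(list)  # ip -> [(seconds since midnight, account)]
    for rec in unwrap(text):
        m = AUTH_FAIL.match(rec)
        if m:
            h, mi, s = map(int, m.group(1).split(":"))
            failures[m.group(3)].append((h * 3600 + mi * 60 + s, m.group(2)))
    flagged = {}
    for ip, events in failures.items():
        times = sorted(t for t, _ in events)
        if any(b - a <= window for a, b in zip(times, times[threshold - 1:])):
            flagged[ip] = {"failures": len(events),
                           "accounts": sorted({acct for _, acct in events})}
    return flagged
```

The flagged addresses are the candidates for a firewall deny rule; the attempted passwords are matched but deliberately not included in the result.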


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>