At 5:03 PM -0600 10/28/03, Chris Wagner imposed structure on a stream of electrons, yielding:
> Got a slew of these in the log yesterday.
>
> Just curious if this looks like a serious attempt at compromising the
> system.

Yes, it does.


> 11:47:09 1 SMTP {web} AUTH failed: password(54321) is wrong. Connection from [218.70.9.34:3101]
> 11:47:10 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:10 1 SMTP {web} AUTH failed: password(00000000) is wrong. Connection from [218.70.9.34:3101]
> 11:47:11 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:11 1 SMTP {web} AUTH failed: password(88888888) is wrong. Connection from [218.70.9.34:3101]
> 11:47:12 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:12 1 SMTP {web} AUTH failed: password(admin) is wrong. Connection from [218.70.9.34:3101]
> 11:47:12 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:12 1 SMTP {web} AUTH failed: password(root) is wrong. Connection from [218.70.9.34:3101]
> 11:47:13 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:13 1 SMTP {web} AUTH failed: password(pass) is wrong. Connection from [218.70.9.34:3101]
> 11:47:14 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:14 1 SMTP {web} AUTH failed: password(passwd) is wrong. Connection from [218.70.9.34:3101]
> 11:47:15 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:15 1 SMTP {web} AUTH failed: password(password) is wrong. Connection from [218.70.9.34:3101]
> 11:47:16 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:16 1 SMTP {web} AUTH failed: password(super) is wrong. Connection from [218.70.9.34:3101]
> 11:47:16 0 SYSTEM Account {web} Resources open failed. Error Code=-43
> 11:47:16 1 SMTP {web} AUTH failed: password([EMAIL PROTECTED]&*) is wrong. Connection from [218.70.9.34:3101]
> 11:47:17 0 SYSTEM Account {www} Resources open failed. Error Code=-43
> 11:47:17 1 SMTP {www} AUTH failed: password(www) is wrong. Connection from [218.70.9.34:3101]
>
> Just curious.
> Thought it looked an awful lot like attempts at hacking the admin account or
> getting root level access, especially given the transition in the different
> passwords (the progression from pass to passwd to password).

The accounts being tried are the words in {} and the attack is one I warned of here 2 weeks ago.


The -43 errors are because there is no account with that name, hence a 'file not found' error from MacOS (which is -43).

The rest of the entries are much more convincing.

> Looks like SIMS knocked them out, and that's fine, just was wondering.

It is a concern because they can go on like this all day long, and will. The conventional wisdom among spam-fighters is that a large slice of these attacks from Chinese address space are the work of Alan Ralsky, one of the sleaziest and most successful spammers around. Spam which looks like his work has been seen coming from addresses in China relayed through machines that look like they are not open relays, but frequently are running Exchange.


Your only real protection is a very strong postmaster password, few other guessable accounts that seem admin-like in name and, for most people, a firewall block on 218.70.0.0/16.

--
Bill Cole
[EMAIL PROTECTED]
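The log excerpt above is a textbook SMTP AUTH dictionary attack: one source, one account name at a time, a list of common passwords at roughly one guess per second, and a -43 "Resources open failed" line for every guess because the account does not exist. The following is an added example, not code from the thread or from SIMS, that parses lines in the format quoted above, correlates each AUTH failure with the -43 account-not-found entries, and flags sources whose failure rate inside a sliding window exceeds a threshold. The sample lines are constructed to mirror the excerpt's format; the addresses are from the RFC 5737 documentation ranges rather than the ones in the log, and the window and threshold values are assumptions to tune for your own server.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the SIMS log excerpt quoted in the thread.
# Addresses are RFC 5737 documentation addresses, not the ones in the log.
SAMPLE_LOG = """\
11:47:09 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:09 1 SMTP {web} AUTH failed: password(54321) is wrong. Connection from [192.0.2.10:3101]
11:47:10 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:10 1 SMTP {web} AUTH failed: password(00000000) is wrong. Connection from [192.0.2.10:3101]
11:47:12 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:12 1 SMTP {web} AUTH failed: password(admin) is wrong. Connection from [192.0.2.10:3101]
11:47:13 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:13 1 SMTP {web} AUTH failed: password(pass) is wrong. Connection from [192.0.2.10:3101]
11:47:14 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:14 1 SMTP {web} AUTH failed: password(passwd) is wrong. Connection from [192.0.2.10:3101]
11:47:15 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:15 1 SMTP {web} AUTH failed: password(password) is wrong. Connection from [192.0.2.10:3101]
11:47:17 0 SYSTEM Account {www} Resources open failed. Error Code=-43
11:47:17 1 SMTP {www} AUTH failed: password(www) is wrong. Connection from [192.0.2.10:3101]
11:52:40 1 SMTP {alice} AUTH failed: password(hunter2) is wrong. Connection from [198.51.100.7:50112]
"""

# One SMTP AUTH failure: time, account in braces, the guessed password, source ip:port.
AUTH_FAIL_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \d+ SMTP \{(?P<account>[^}]*)\} AUTH failed: "
    r"password\((?P<password>.*)\) is wrong\. Connection from "
    r"\[(?P<ip>[^\]:]+):(?P<port>\d+)\]$"
)
# SIMS logs a MacOS -43 (file not found) when the named account does not exist.
NO_ACCOUNT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \d+ SYSTEM Account \{(?P<account>[^}]*)\} "
    r"Resources open failed\. Error Code=-43$"
)


def to_seconds(hhmmss):
    """Convert an HH:MM:SS stamp to seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Return (list of AUTH failures, set of account names the server reported missing)."""
    failures = []
    missing_accounts = set()
    for line in text.splitlines():
        line = line.strip()
        m = AUTH_FAIL_RE.match(line)
        if m:
            failures.append({"t": to_seconds(m["time"]), "account": m["account"],
                             "password": m["password"], "ip": m["ip"]})
            continue
        m = NO_ACCOUNT_RE.match(line)
        if m:
            missing_accounts.add(m["account"])
    return failures, missing_accounts


def max_in_window(times, window):
    """Largest number of events falling inside any interval of `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(text, window=60, threshold=5):
    """Summarise AUTH failures per source IP and flag sources whose burst rate
    reaches `threshold` failures inside `window` seconds (assumed defaults)."""
    failures, missing = parse_log(text)
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f)
    report = {}
    for ip, events in by_ip.items():
        accounts = {e["account"] for e in events}
        burst = max_in_window([e["t"] for e in events], window)
        report[ip] = {
            "failures": len(events),
            "burst": burst,
            "accounts": sorted(accounts),
            # Guesses against names the server does not even have: pure dictionary probing.
            "unknown_accounts": sorted(accounts & missing),
            "passwords": sorted({e["password"] for e in events}),
            "flagged": burst >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, r in find_bruteforce(SAMPLE_LOG).items():
        print(ip, "FLAGGED" if r["flagged"] else "ok", r)
```

The `unknown_accounts` field separates noise from signal: a source that only ever names accounts the server answers with -43 is walking a list of generic names (web, www, admin, root), while failures against real accounts with no -43 companion line are the ones worth a closer look, which matches the distinction drawn in the reply above. The report's per-source summary is also the natural input for the firewall block the reply recommends.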

