Thanks to all who responded.
I thought that's what it looked like, but wanted to be sure.
Thanks again, all.
Chris
> From: Bill Cole <[EMAIL PROTECTED]>
> Reply-To: "SIMS Discussions" <[EMAIL PROTECTED]>
> Date: Tue, 28 Oct 2003 21:31:09 -0500
> To: "SIMS Discussions" <[EMAIL PROTECTED]>
> Subject: Re: DDoS?
>
> At 5:03 PM -0600 10/28/03, Chris Wagner imposed structure on a
> stream of electrons, yielding:
>> Got a slew of these in the log yesterday.
>>
>> Just curious if this looks like a serious attempt at compromising the
>> system.
>
> Yes, it does.
>
>> 11:47:09 1 SMTP {web} AUTH failed: password(54321) is wrong. Connection from
>> [218.70.9.34:3101]
>> 11:47:10 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:10 1 SMTP {web} AUTH failed: password(00000000) is wrong. Connection
>> from [218.70.9.34:3101]
>> 11:47:11 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:11 1 SMTP {web} AUTH failed: password(88888888) is wrong. Connection
>> from [218.70.9.34:3101]
>> 11:47:12 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:12 1 SMTP {web} AUTH failed: password(admin) is wrong. Connection from
>> [218.70.9.34:3101]
>> 11:47:12 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:12 1 SMTP {web} AUTH failed: password(root) is wrong. Connection from
>> [218.70.9.34:3101]
>> 11:47:13 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:13 1 SMTP {web} AUTH failed: password(pass) is wrong. Connection from
>> [218.70.9.34:3101]
>> 11:47:14 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:14 1 SMTP {web} AUTH failed: password(passwd) is wrong. Connection
>> from [218.70.9.34:3101]
>> 11:47:15 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:15 1 SMTP {web} AUTH failed: password(password) is wrong. Connection
>> from [218.70.9.34:3101]
>> 11:47:16 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:16 1 SMTP {web} AUTH failed: password(super) is wrong. Connection from
>> [218.70.9.34:3101]
>> 11:47:16 0 SYSTEM Account {web} Resources open failed. Error Code=-43
>> 11:47:16 1 SMTP {web} AUTH failed: password([EMAIL PROTECTED]&*) is wrong.
>> Connection
>> from [218.70.9.34:3101]
>> 11:47:17 0 SYSTEM Account {www} Resources open failed. Error Code=-43
>> 11:47:17 1 SMTP {www} AUTH failed: password(www) is wrong. Connection from
>> [218.70.9.34:3101]
>>
>> Just curious.
>> Thought it looked an awful lot like attempts at hacking the admin account or
>> getting root level access, especially given the transition in the different
>> passwords (the progression from pass to passwd for password).
>
> The accounts being tried are the words in {} and the attack is one I
> warned of here 2 weeks ago.
>
> The -43 errors are because there is no account with that name, hence
> a 'file not found' error from MacOS (which is -43)
>
>> The rest of the entries are much more convincing.
>>
>> Looks like SIMS knocked them out, and that's fine, just was wondering.
>
> It is a concern because they can go on like this all day long, and
> will. The conventional wisdom among spam-fighters is that a large
> slice of these attacks from Chinese address space are the work of
> Alan Ralsky, one of the sleaziest and most successful spammers
> around. Spam which looks like his work has been seen coming from
> addresses in China relayed through machines that look like they are
> not open relays, but frequently are running Exchange.
>
> Your only real protection is a very strong postmaster password, few
> other guessable accounts that seem admin-like in name, and, for most
> people, a firewall block on 218.70.0.0/16.
>
> --
> Bill Cole
> [EMAIL PROTECTED]
>
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <[EMAIL PROTECTED]>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>
>
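An added example (not part of either message above): a small Python pass over log lines in the format quoted in the thread. It flags a source address that makes a burst of SMTP AUTH failures and separates the probed names that have no account (Error Code=-43) from real accounts. The sample lines are constructed, assume one entry per line from a single day's log, and the function name and thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted above, one entry per line.
# Addresses are from documentation ranges; passwords are placeholders.
SAMPLE_LOG = """\
09:02:00 1 SMTP {chris} AUTH failed: password(typo1) is wrong. Connection from [198.51.100.20:1040]
10:15:30 1 SMTP {chris} AUTH failed: password(typo2) is wrong. Connection from [198.51.100.20:1041]
11:47:09 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:09 1 SMTP {web} AUTH failed: password(guess1) is wrong. Connection from [203.0.113.7:3101]
11:47:10 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:10 1 SMTP {web} AUTH failed: password(guess2) is wrong. Connection from [203.0.113.7:3101]
11:47:11 0 SYSTEM Account {www} Resources open failed. Error Code=-43
11:47:11 1 SMTP {www} AUTH failed: password(guess3) is wrong. Connection from [203.0.113.7:3101]
11:47:12 1 SMTP {postmaster} AUTH failed: password(guess4) is wrong. Connection from [203.0.113.7:3101]
11:47:13 1 SMTP {postmaster} AUTH failed: password(guess(5)) is wrong. Connection from [203.0.113.7:3101]
"""

AUTH_FAIL = re.compile(
    r"^(\d\d):(\d\d):(\d\d) \d+ SMTP \{([^}]*)\} AUTH failed: .*"
    r"Connection from \[([\d.]+):\d+\]", re.M)
NO_ACCOUNT = re.compile(
    r"^[\d:]+ \d+ SYSTEM Account \{([^}]*)\} Resources open failed\. "
    r"Error Code=-43", re.M)

def find_guessing(log_text, threshold=5, window=60):
    """Report sources with >= threshold AUTH failures inside `window` seconds."""
    missing = set(NO_ACCOUNT.findall(log_text))  # names with no account (-43)
    by_ip = defaultdict(list)
    for h, m, s, account, ip in AUTH_FAIL.findall(log_text):
        by_ip[ip].append((int(h) * 3600 + int(m) * 60 + int(s), account))
    report = {}
    for ip, events in by_ip.items():
        times = sorted(t for t, _ in events)
        # Sliding window: any `threshold` consecutive failures close together.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            accounts = {a for _, a in events}
            report[ip] = {
                "failures": len(events),
                "nonexistent": sorted(accounts & missing),
                # Real accounts being guessed are the ones to protect.
                "existing": sorted(accounts - missing),
            }
    return report

if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

The summary deliberately omits the attempted passwords, since a mistyped real password can land in the same log field.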