RE: Strange Windows logon attempts

From: Clive Kingston (ckingston_at_cheviottrust.com)
Date: 09/24/03

    To: incidents@securityfocus.com
    Date: Wed, 24 Sep 2003 10:10:48 +0100
    
    

    Chris

    Similar attempts were recently made on our network, trying to come in via
    SMTP. I tracked the IP down to an elementary school network in China, who
    were responsible for an earlier hack attempt (fortunately also failed). I
    can't tell whether their network was the actual source or merely an open
    relay for someone else. I informed the registered supervisor but haven't
    received a reply (didn't really expect one). Must have got bored after seven
    minutes as the attempts stopped.

    What intrigued me was the rapid attempt rate, basically every three to four
    seconds. That has to be an automated hacking tool. It alternated attempts at
    Webmaster with \root. Maybe that's designed to exploit a Linux/Unix
    platform?

    Anyway Chris, they didn't get in and no further attempts have been made so
    far. I've blocked the IP range.

    Hope this helps some.

    Clive.
    -----Original Message-----
    From: chris emer [mailto:chris@hostmysite.com]
    Sent: 23 September 2003 18:36
    To: incidents@securityfocus.com
    Subject: Re: Strange Windows logon attempts

    In-Reply-To: <005301c37885$80b45030$0101010a@nmi.net>

    I have noticed on one of our servers that there were many attempts to log in
    as "webmaster" in a very short time period. I checked 3 other servers and
    found the same thing. The time range for the attempted login was between the
    19th Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and
    they never got in. They showed up in the event log with an Event ID of 100
    and a source of SMTPSVC.

    I am keeping a close eye on this, any additional help or suggestions would
    be great.

    Chris

    The information in this e-mail and any attachments is confidential and may
    be subject to legal professional privilege. It is intended solely for the
    attention and use of the named addressee(s). If you are not the intended
    recipient, please notify the sender immediately. Unless you are the
    intended recipient or his/her representative you are not authorised to, and
    must not, read, copy, distribute, use or retain this message or any part of
    it. As the integrity of e-mail across the Internet cannot be guaranteed
    messages and documents sent via this medium are potentially at risk. You
    should perform your own virus checks before opening any attachments.

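A small detector for the pattern both messages describe (a run of SMTPSVC Event ID 100 failures arriving every few seconds from one address, alternating between account names such as webmaster and root), added here as an example and not code from either poster. The log export format, the sample lines, the IP addresses and the thresholds are all constructed assumptions; the page only states the event ID, the source name and the two to four second cadence.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of exported event log lines (the format is an assumption;
# the thread only says the events carry Event ID 100 and source SMTPSVC).
# Fields: timestamp | source | event id | client IP | account name
SAMPLE_LOG = """\
2003-09-23 18:01:02|SMTPSVC|100|192.0.2.10|webmaster
2003-09-23 18:01:05|SMTPSVC|100|192.0.2.10|root
2003-09-23 18:01:08|SMTPSVC|100|192.0.2.10|webmaster
2003-09-23 18:01:11|SMTPSVC|100|192.0.2.10|root
2003-09-23 18:01:14|SMTPSVC|100|192.0.2.10|webmaster
2003-09-23 18:05:00|SMTPSVC|100|198.51.100.7|alice
2003-09-23 18:30:00|SMTPSVC|100|198.51.100.7|alice
2003-09-23 18:02:00|SMTPSVC|101|192.0.2.10|webmaster
"""

def parse_events(text):
    """Yield (time, ip, user) for SMTPSVC Event ID 100 lines only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, ip, user = line.split("|")
        if source == "SMTPSVC" and event_id == "100":
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user

def find_auth_bursts(text, min_events=5, max_median_gap=5.0):
    """Flag source IPs whose failures arrive in a tight, regular cadence.
    Returns {ip: {"count", "median_gap", "users"}} for flagged sources."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_events(text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        if len(events) < min_events:
            continue  # too few events to call it a tool-driven burst
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        gap = median(gaps)  # median resists a single long pause
        if gap <= max_median_gap:
            findings[ip] = {
                "count": len(events),
                "median_gap": gap,
                "users": sorted({u for _, u in events}),
            }
    return findings
```

The two slow attempts from the second address and the Event ID 101 line are ignored, so only the scripted source is reported, together with the set of account names it cycled through.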


