RE: Strange Windows logon attempts
From: Clive Kingston (ckingston_at_cheviottrust.com)
Date: 09/24/03
To: incidents@securityfocus.com
Date: Wed, 24 Sep 2003 10:10:48 +0100
Chris
Similar attempts were recently made on our network, trying to come in via
SMTP. I tracked the IP down to an elementary school network in China, who
were responsible for an earlier hack attempt (fortunately also failed). I
can't tell whether their network was the actual source or merely an open
relay for someone else. I informed the registered supervisor but haven't
received a reply (didn't really expect one). Must have got bored after seven
minutes as the attempts stopped.
What intrigued me was the rapid attempt rate, basically every three to four
seconds. That has to be an automated hacking tool. It alternated attempts at
Webmaster with \root. Maybe that's designed to exploit a Linux/Unix
platform?
Anyway Chris, they didn't get in and no further attempts have been made so
far. I've blocked the IP range.
Hope this helps some.
Clive.
-----Original Message-----
From: chris emer [mailto:chris@hostmysite.com]
Sent: 23 September 2003 18:36
To: incidents@securityfocus.com
Subject: Re: Strange Windows logon attempts
In-Reply-To: <005301c37885$80b45030$0101010a@nmi.net>
I have noticed on one of our servers that there were many attempts to login
as "webmaster" in a very short time period. I checked 3 other servers and
found the same thing. The time range for the attempted login was between the
19 Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and
they never got in. They showed up in the event log with an Event ID of 100
and a source SMTPSVC.
I am keeping a close eye on this, any additional help or suggestions would
be great.
Chris
----------------------------------------------------------------------------
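Both messages above describe failed logons arriving every two to four seconds from a single source, in one case alternating between two account names. The following is an added example, not part of the thread, that flags such bursts in a log. It assumes a constructed one-line-per-attempt format (timestamp, source IP, username, result) with documentation-range IP addresses, not the SMTPSVC event format the posters saw; the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def parse(line):
    """Assumed (constructed) format: '<ISO timestamp> <source IP> <username> <FAIL|OK>'."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def find_bursts(lines, max_gap=5, min_attempts=20):
    """Report runs of failed logons from one source spaced <= max_gap seconds apart."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, user, result = parse(line)
        if result == "FAIL":
            by_src[src].append((ts, user))
    bursts = []
    for src, events in by_src.items():
        events.sort()
        run = [events[0]]
        for ev in events[1:] + [None]:  # trailing None flushes the final run
            if ev is not None and (ev[0] - run[-1][0]).total_seconds() <= max_gap:
                run.append(ev)
                continue
            if len(run) >= min_attempts:
                gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
                bursts.append({
                    "source": src,
                    "attempts": len(run),
                    "duration_s": (run[-1][0] - run[0][0]).total_seconds(),
                    "median_gap_s": median(gaps),
                    "usernames": sorted({u for _, u in run}),
                })
            run = [ev] if ev is not None else []
    return bursts

def sample_log():
    """Constructed data: one source failing every 3 s for 7 minutes, one ordinary user."""
    start = datetime(2003, 9, 23, 18, 0, 0)
    lines = []
    for i in range(141):
        user = ("webmaster", "root")[i % 2]
        lines.append(f"{(start + timedelta(seconds=3 * i)).isoformat()} 192.0.2.10 {user} FAIL")
    for h in (1, 5, 9):  # occasional mistyped password, hours apart
        lines.append(f"{(start + timedelta(hours=h)).isoformat()} 198.51.100.4 alice FAIL")
    lines.append(f"{start.isoformat()} 198.51.100.4 alice OK")
    return lines

if __name__ == "__main__":
    for burst in find_bursts(sample_log()):
        print(burst)
```

A steady median gap of a few seconds over several minutes is what separates a scripted run from a person retyping a password, which is why the isolated failures from the second source are not reported.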