RE: Strange Windows logon attempts
From: Bill Proffitt (bill_at_luckyeagle.com)
Date: 09/24/03
- Previous message: Rick Updegrove: "Re: AIM Password theft"
- Maybe in reply to: Chris Harrington: "Strange Windows logon attempts"
- Next in thread: Alain Fauconnet: "Re: Cacheflow proxy abuse (revisited)"
To: 'Clive Kingston' <ckingston@cheviottrust.com>, incidents@securityfocus.com
Date: Wed, 24 Sep 2003 12:14:33 -0700
What was the IP range if I may ask?
Thanks,
Bill
> -----Original Message-----
> From: Clive Kingston [mailto:ckingston@cheviottrust.com]
> Sent: Wednesday, September 24, 2003 2:11 AM
> To: incidents@securityfocus.com
> Subject: RE: Strange Windows logon attempts
>
>
> Chris
>
> Similar attempts were recently made on our network, trying to come in via
> SMTP. I tracked the IP down to an elementary school network in China, who
> were responsible for an earlier hack attempt (fortunately also failed). I
> can't tell whether their network was the actual source or merely an open
> relay for someone else. I informed the registered supervisor but haven't
> received a reply (didn't really expect one). Must have got bored after seven
> minutes as the attempts stopped.
>
> What intrigued me was the rapid attempt rate, basically every three to four
> seconds. That has to be an automated hacking tool. It alternated attempts at
> Webmaster with \root. Maybe that's designed to exploit a Linux/Unix
> platform?
>
> Anyway Chris, they didn't get in and no further attempts have been made so
> far. I've blocked the IP range.
>
>
> Hope this helps some.
>
> Clive.
> -----Original Message-----
> From: chris emer [mailto:chris@hostmysite.com]
> Sent: 23 September 2003 18:36
> To: incidents@securityfocus.com
> Subject: Re: Strange Windows logon attempts
>
>
> In-Reply-To: <005301c37885$80b45030$0101010a@nmi.net>
>
> I have noticed on one of our servers that there were many attempts to login
> as "webmaster" in a very short time period. I checked 3 other servers and
> found the same thing. The time range for the attempted login was between the
> 19 Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and
> they never got in. They showed up in the event log with an Event ID of 100
> and a source SMTPSVC.
>
> I am keeping a close eye on this, any additional help or suggestions would
> be great.
>
>
>
> Chris
---------------------------------------------------------------------------
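An added example, not part of the original messages: one way to pick out the pattern reported in this thread (failed logons from source SMTPSVC with Event ID 100, seconds apart, cycling through a few account names) from an exported event log. The CSV layout, the sample rows and the thresholds are assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta
from statistics import median

# Constructed sample rows. Assumed export layout: time,source,event_id,account
SAMPLE = """\
2003-09-19 02:10:00,SMTPSVC,100,webmaster
2003-09-19 02:10:03,SMTPSVC,100,root
2003-09-19 02:10:05,SMTPSVC,100,webmaster
2003-09-19 02:10:08,SMTPSVC,100,root
2003-09-19 02:10:11,SMTPSVC,100,webmaster
2003-09-19 02:10:13,SMTPSVC,100,root
2003-09-19 02:10:14,EXAMPLESVC,100,unrelated
2003-09-19 09:30:00,SMTPSVC,100,jsmith
2003-09-19 09:47:12,SMTPSVC,100,jsmith
"""

def load_failures(text, source="SMTPSVC", event_id="100"):
    """Return time-sorted (timestamp, account) pairs for the chosen source/ID."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 4 and row[1] == source and row[2] == event_id:
            events.append((datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"), row[3]))
    return sorted(events)

def summarize(run):
    times = [t for t, _ in run]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {"start": times[0], "end": times[-1], "attempts": len(run),
            "median_gap_s": median(gaps) if gaps else None,
            "accounts": sorted({acct for _, acct in run})}

def find_bursts(events, max_gap=timedelta(seconds=5), min_count=5):
    """Group failures separated by <= max_gap; keep runs of >= min_count."""
    bursts, run = [], []
    for ev in events:
        if run and ev[0] - run[-1][0] > max_gap:
            if len(run) >= min_count:
                bursts.append(summarize(run))
            run = []
        run.append(ev)
    if len(run) >= min_count:
        bursts.append(summarize(run))
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(load_failures(SAMPLE)):
        print(burst)
```

The two isolated failures for a single account later in the day are not reported; only the run with machine-paced gaps is.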