RE: Strange Windows logon attempts

From: Bill Proffitt (bill_at_luckyeagle.com)
Date: 09/24/03

  • Next message: [POPLAR IT] Paul Teggart: "RE: [incidents] RE: AIM Password theft"
    To: 'Clive Kingston' <ckingston@cheviottrust.com>, incidents@securityfocus.com
    Date: Wed, 24 Sep 2003 12:14:33 -0700
    
    

    What was the IP range if I may ask?

    Thanks,
    Bill

    > -----Original Message-----
    > From: Clive Kingston [mailto:ckingston@cheviottrust.com]
    > Sent: Wednesday, September 24, 2003 2:11 AM
    > To: incidents@securityfocus.com
    > Subject: RE: Strange Windows logon attempts
    >
    >
    > Chris
    >
    > Similar attempts were recently made on our network, trying to come in via
    > SMTP. I tracked the IP down to an elementary school network in China, who
    > were responsible for an earlier hack attempt (fortunately also failed). I
    > can't tell whether their network was the actual source or merely an open
    > relay for someone else. I informed the registered supervisor but haven't
    > received a reply (didn't really expect one). Must have got bored after
    > seven minutes as the attempts stopped.
    >
    > What intrigued me was the rapid attempt rate, basically every three to
    > four seconds. That has to be an automated hacking tool. It alternated
    > attempts at Webmaster with \root. Maybe that's designed to exploit a
    > Linux/Unix platform?
    >
    > Anyway Chris, they didn't get in and no further attempts have been made
    > so far. I've blocked the IP range.
    >
    >
    > Hope this helps some.
    >
    > Clive.
    > -----Original Message-----
    > From: chris emer [mailto:chris@hostmysite.com]
    > Sent: 23 September 2003 18:36
    > To: incidents@securityfocus.com
    > Subject: Re: Strange Windows logon attempts
    >
    >
    > In-Reply-To: <005301c37885$80b45030$0101010a@nmi.net>
    >
    > I have noticed on one of our servers that there were many attempts to
    > login as "webmaster" in a very short time period. I checked 3 other
    > servers and found the same thing. The time range for the attempted login
    > was between the 19 Sept and the 23rd Sept. The login attempts were every
    > 2 or 3 seconds and they never got in. They showed up in the event log
    > with an Event ID of 100 and a source SMTPSVC.
    >
    > I am keeping a close eye on this, any additional help or suggestions
    > would be great.
    >
    > Chris
    >
    > The information in this e-mail and any attachments is confidential and
    > may be subject to legal professional privilege. It is intended solely
    > for the attention and use of the named addressee(s). If you are not the
    > intended recipient, please notify the sender immediately. Unless you are
    > the intended recipient or his/her representative you are not authorised
    > to, and must not, read, copy, distribute, use or retain this message or
    > any part of it. As the integrity of e-mail across the Internet cannot be
    > guaranteed, messages and documents sent via this medium are potentially
    > at risk. You should perform your own virus checks before opening any
    > attachments.
    >
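The pattern both posters describe (Event ID 100 from source SMTPSVC, one failed attempt every two or three seconds, the account alternating between webmaster and root) is easy to pick out of an exported event log by rate alone. The script below is an added example and not something from this thread; it parses a constructed, pipe-delimited export (the field layout and the IP addresses are assumptions) and flags any client IP whose consecutive failures arrive within a few seconds of each other.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, not real data from the thread. Field layout is an
# assumption: "<time>|<event_id>|<source>|<client_ip>|<account>".
SAMPLE_LOG = """\
2003-09-23 18:02:01|100|SMTPSVC|203.0.113.7|webmaster
2003-09-23 18:02:04|100|SMTPSVC|203.0.113.7|root
2003-09-23 18:02:07|100|SMTPSVC|203.0.113.7|webmaster
2003-09-23 18:02:10|100|SMTPSVC|203.0.113.7|root
2003-09-23 18:02:13|100|SMTPSVC|203.0.113.7|webmaster
2003-09-23 18:40:00|100|SMTPSVC|198.51.100.9|webmaster
2003-09-23 18:02:05|101|SMTPSVC|203.0.113.7|webmaster
"""

LINE_RE = re.compile(r"^(\S+ \S+)\|(\d+)\|(\w+)\|([\d.]+)\|(.+)$")

def parse(log_text):
    """Turn the export into (timestamp, event_id, source, ip, account) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip header or malformed rows
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3), m.group(4), m.group(5)))
    return events

def find_bursts(events, min_events=5, max_gap=timedelta(seconds=5)):
    """Group Event ID 100 / SMTPSVC failures by client IP and report IPs whose
    consecutive attempts are spaced max_gap or less apart at least
    min_events - 1 times: the scripted every-few-seconds pattern."""
    by_ip = defaultdict(list)
    for ts, eid, src, ip, acct in events:
        if eid == 100 and src == "SMTPSVC":
            by_ip[ip].append((ts, acct))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        rapid = sum(1 for g in gaps if g <= max_gap)
        if len(rows) >= min_events and rapid >= min_events - 1:
            alerts[ip] = {"attempts": len(rows),
                          "accounts": sorted({acct for _, acct in rows}),
                          "span_seconds": (rows[-1][0] - rows[0][0]).total_seconds()}
    return alerts

if __name__ == "__main__":
    for ip, info in find_bursts(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

Only the first address trips the rule; the single attempt from the second address and the non-100 event are ignored, which keeps a lone mistyped password from looking like an attack.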


