[Intrusions] SMTP AUTH LOGIN attack
Andrew Daviel
andrew at andrew.triumf.ca
Sat May 20 00:59:50 GMT 2006
Just noticed e.g. the following
May 19 10:29:41 andrew sendmail[11872]: k4JHTaHS011872: [222.183.141.131]: possible SMTP attack: command=AUTH, count=5
As I recollect, AUTH LOGIN is the authentication mechanism used by
Microsoft products to e.g. relay email through corporate servers from
offsite. For Unix/Linux servers with simple sendmail configurations,
the username/password combinations will also be valid for shell access.
Hmm, seems like they are trying username=password="webmaster", with
a couple of "webmaster12" thrown in. Not really all that high volume - I
see 50-ish attempts in 1 hour.
This recipe shows the decoded passwords:
tethereal -T text -V -r capfile | sed -n 's/.*Message: //p' | mmencode -u
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
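
The AUTH LOGIN exchange that the recipe above decodes, shown as an added example that is not part of the original post: the server's 334 prompts and the client's replies are base64, so a captured dialogue yields the guessed username/password pairs directly. The `C:`/`S:` transcript layout, the sample session and the function names are constructed for illustration and are not tethereal output.

```python
import base64
import binascii

# Constructed sample dialogue (assumption: "C:" = client line, "S:" = server line).
# It covers a plain exchange, a username sent on the AUTH line, and a client abort.
SAMPLE = """\
S: 220 mail.example.org ESMTP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: d2VibWFzdGVy
S: 334 UGFzc3dvcmQ6
C: d2VibWFzdGVy
S: 535 5.7.0 authentication failed
C: AUTH LOGIN d2VibWFzdGVy
S: 334 UGFzc3dvcmQ6
C: d2VibWFzdGVyMTI=
S: 535 5.7.0 authentication failed
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: *
S: 501 5.0.0 AUTH aborted
"""

def b64(token):
    """Decode one base64 token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def auth_login_attempts(transcript):
    """Return the (username, password) pairs offered in AUTH LOGIN exchanges."""
    attempts, expecting, user = [], None, None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("AUTH LOGIN"):
            initial = text[len("AUTH LOGIN"):].strip()  # optional username on same line
            user, expecting = (b64(initial) if initial else None), None
        elif side == "S" and text.startswith("334 "):
            prompt = (b64(text[4:].strip()) or "").lower()  # "username:" / "password:"
            expecting = prompt[:4] if prompt[:4] in ("user", "pass") else None
        elif side == "C" and expecting:
            value = b64(text.strip())  # "*" (client abort) is not base64 -> None
            if expecting == "user" or value is None:
                user = value
            elif user is not None:
                attempts.append((user, value))
                user = None
            expecting = None
        elif side == "S":
            expecting = None  # any other server reply ends the exchange
    return attempts
```

Feeding the result to `collections.Counter` shows which pairs are being retried, for example the username=password pattern described in the post.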