[Dshield] SMTP (port 25) attack wave?

chris at LGonQn.org
Fri Aug 30 14:50:07 GMT 2002


Since late yesterday I've seen a 3-4 fold increase in the number of
bogus smtp connects to our system. I find that many of the source
addresses are in the Dshield attacker database. 

Is there a new sendmail issue I should be aware of?

Didn't see anything on bugtraq, but it's worrisome... did
I somehow get on a target list or is my bliss shared :(

Chris

Here's the pattern of bogies over the last few weeks:

Aug 19 13:28:14 14070 unused-182.wan-ip-uslec.net started
Aug 19 13:28:14 14070 HELO mail2.ultmail.net
Aug 19 13:28:16 14070 eof waiting for command
Aug 19 13:28:16 14070 end

Aug 19 20:12:02 18475 unused-181.wan-ip-uslec.net started
Aug 19 20:12:02 18475 HELO mail.ultmail.com
Aug 19 20:12:03 18475 eof waiting for command
Aug 19 20:12:03 18475 end

Aug 20 22:48:29 6072 128.241.247.219 started
Aug 20 22:48:29 6072 HELO goalquest.com
Aug 20 22:48:30 6072 end

Aug 21 12:09:34 15246 199.239.79.214 started
Aug 21 12:09:37 15246 HELO blast2.ads
Aug 21 12:09:38 15246 eof waiting for command
Aug 21 12:09:38 15246 end

Aug 21 14:17:33 16738 hermes.sun.com started
Aug 21 14:17:33 16738 HELO hermes.sun.com
Aug 21 14:17:33 16738 eof waiting for command
Aug 21 14:17:33 16738 end

Aug 21 14:37:14 16943 rdns-205-244-69-98.overlycute.com started
Aug 21 14:37:14 16943 HELO mail.adcoms.com
Aug 21 14:37:15 16943 eof waiting for command
Aug 21 14:37:15 16943 end

Aug 21 14:50:05 17077 dialin-151-134.tor.primus.ca started
Aug 21 14:50:05 17077 HELO 216.254.151.134
Aug 21 14:50:06 17077 end

Aug 22 06:45:31 27838 rdns-205-244-69-99.target-news.com started
Aug 22 06:45:31 27838 HELO 205.244.69.99
Aug 22 06:45:31 27838 eof waiting for command
Aug 22 06:45:31 27838 end

Aug 22 10:01:05 29944 adsl-157-198-83.dab.bellsouth.net started
Aug 22 10:01:05 29944 eof waiting for command
Aug 22 10:01:05 29944 end

Aug 22 22:59:37 8530 rdns-205-244-69-98.overlycute.com started
Aug 22 22:59:38 8530 HELO mail.adcoms.com
Aug 22 22:59:41 8530 eof waiting for command
Aug 22 22:59:41 8530 end

Aug 23 09:33:46 15986 hostingtron.com started
Aug 23 09:33:47 15986 HELO mail.ultmail.com
Aug 23 09:33:47 15986 eof waiting for command
Aug 23 09:33:47 15986 end

Aug 23 11:19:32 17096 rdns-205-244-69-98.overlycute.com started
Aug 23 11:19:32 17096 HELO mail.adcoms.com
Aug 23 11:19:33 17096 eof waiting for command
Aug 23 11:19:33 17096 end

Aug 23 18:11:01 21673 adsl-157-194-98.dab.bellsouth.net started
Aug 23 18:11:01 21673 HELO mx04.hotmail.com
Aug 23 18:11:02 21673 end

Aug 25 10:36:38 19638 hostingtron.com started
Aug 25 10:36:39 19638 HELO mail.ultmail.com
Aug 25 10:36:39 19638 eof waiting for command
Aug 25 10:36:39 19638 end

Aug 25 10:40:05 19666 hostingtron.com started
Aug 25 10:40:05 19666 HELO mail.ultmail.com
Aug 25 10:40:06 19666 eof waiting for command
Aug 25 10:40:06 19666 end

Aug 25 20:41:27 26455 rdns-205-244-69-98.overlycute.com started
Aug 25 20:41:27 26455 HELO mail.adcoms.com
Aug 25 20:41:28 26455 eof waiting for command
Aug 25 20:41:28 26455 end

Aug 26 14:54:44 8902 216.91.241.254 started
Aug 26 14:54:44 8902 eof waiting for command
Aug 26 14:54:44 8902 end

Aug 26 15:05:22 9030 216.91.241.254 started
Aug 26 15:05:22 9030 eof waiting for command
Aug 26 15:05:22 9030 end

Aug 26 22:44:51 14178 hostingtron.com started
Aug 26 22:44:51 14178 HELO mail.ultmail.com
Aug 26 22:44:52 14178 eof waiting for command
Aug 26 22:44:52 14178 end

Aug 27 02:03:09 16819 rdns-205-244-69-98.overlycute.com started
Aug 27 02:03:09 16819 HELO mail.adcoms.com
Aug 27 02:03:09 16819 eof waiting for command
Aug 27 02:03:09 16819 end

Aug 27 12:24:17 24617 rdns-205-244-69-98.overlycute.com started
Aug 27 12:24:17 24617 HELO mail.adcoms.com
Aug 27 12:24:18 24617 eof waiting for command
Aug 27 12:24:18 24617 end

Aug 28 08:57:36 8529 hostingtron.com started
Aug 28 08:57:36 8529 HELO mail.ultmail.com
Aug 28 08:57:36 8529 eof waiting for command
Aug 28 08:57:36 8529 end

Aug 28 12:27:31 11301 199.239.79.214 started
Aug 28 12:27:31 11301 HELO blast2.ads
Aug 28 12:27:32 11301 eof waiting for command
Aug 28 12:27:32 11301 end

Aug 28 22:12:54 17719 hostingtron.com started
Aug 28 22:12:56 17719 HELO mail.ultmail.com
Aug 28 22:13:00 17719 eof waiting for command
Aug 28 22:13:00 17719 end

Aug 29 13:12:35 27937 ip68-3-69-31.ph.ph.cox.net started
Aug 29 13:12:36 27937 HELO USMTPDOM
Aug 29 13:12:36 27937 eof waiting for command
Aug 29 13:12:36 27937 end

Aug 29 16:47:27 516 cm61-10-213-60.hkcable.com.hk started
Aug 29 16:47:28 516 end

Aug 29 18:15:29 1474 217-125-101-38.uc.nombres.ttd.es started
Aug 29 18:15:29 1474 eof waiting for command
Aug 29 18:15:29 1474 end

Aug 29 19:35:24 2306 195.9.2.38 started
Aug 29 19:35:26 2306 end

Aug 29 19:45:45 2409 sc1-24.217.170.124.charter-stl.com started
Aug 29 19:46:29 2409 end

Aug 29 20:31:09 2901 pc2.gl-asia.com started
Aug 29 20:31:13 2901 end

Aug 29 21:04:43 3248 217-127-131-248.uc.nombres.ttd.es started
Aug 29 21:04:46 3248 end

Aug 29 21:13:51 3345 CM-lcon4-171-104.cm.vtr.net started
Aug 29 21:13:53 3345 end

Aug 29 21:16:35 3377 userb008.dsl.pipex.com started
Aug 29 21:16:36 3377 end

Aug 29 21:47:11 3677 lsv-002.cynergen.net started

Aug 29 22:35:24 4314 203.129.212.37 started
Aug 29 22:35:29 4314 end

Aug 29 23:46:54 5067 61.11.57.16 started
Aug 29 23:46:59 5067 end

Aug 30 00:07:54 5300 211.114.62.130 started
Aug 30 00:08:00 5300 end

Aug 30 00:30:56 5539 host58-239.pool8019.interbusiness.it started
Aug 30 00:30:58 5539 end

Aug 30 01:22:13 6356 203.215.172.226 started
Aug 30 01:22:18 6356 end

Aug 30 01:56:21 6723 61.92.39.237 started
Aug 30 01:56:23 6723 end

Aug 30 02:04:25 6820 200-168-132-156.dsl.telesp.net.br started
Aug 30 02:04:27 6820 end

Aug 30 02:07:12 6849 195.229.228.35 started
Aug 30 02:07:21 6849 end

Aug 30 03:19:30 7607 timax.rdsnet.ro started
Aug 30 03:19:40 7607 end

Aug 30 03:56:45 7987 61.133.100.162 started
Aug 30 03:56:51 7987 end

Aug 30 04:08:09 8119 200.246.12.2 started
Aug 30 04:08:12 8119 end

Aug 30 04:25:56 8301 61.184.85.1 started
Aug 30 04:26:05 8301 end

Aug 30 04:41:04 8457 216.104.201.79 started
Aug 30 04:41:11 8457 end

Aug 30 04:50:46 8564 pa49.ilza.sdi.tpnet.pl started
Aug 30 04:50:52 8564 end

Aug 30 05:18:51 8869 212.45.15.57 started
Aug 30 05:18:53 8869 end

Aug 30 05:46:11 9145 194.126.61.17 started
Aug 30 05:46:18 9145 end

Aug 30 05:59:59 9317 207.249.73.90 started

Aug 30 06:38:37 9695 203.200.149.183 started
Aug 30 06:38:39 9695 end

Aug 30 06:45:38 9771 195.224.154.232 started
Aug 30 06:45:39 9771 end

Aug 30 06:51:03 9822 212.72.11.26 started
Aug 30 06:51:21 9822 end

Aug 30 07:38:29 10401 host217-35-130-233.in-addr.btopenworld.com started
Aug 30 07:38:30 10401 end

Aug 30 09:07:47 11376 servidor2.partidoliberal.org.co started
Aug 30 09:07:56 11376 end

Aug 30 09:17:00 11487 ip3e83ab10.speed.planet.nl started
Aug 30 09:17:03 11487 end

Aug 30 09:18:50 11498 tamqfl1-ar1-200-090.biz.dsl.gtei.net started
Aug 30 09:18:51 11498 end

Aug 30 09:23:07 11556 61.182.198.73 started
Aug 30 09:23:09 11556 end

Aug 30 09:26:27 11586 212.12.166.58 started
Aug 30 09:26:32 11586 end

Aug 30 09:30:03 11635 168-226-30-228.speedy.com.ar started
Aug 30 09:30:05 11635 end

Aug 30 09:38:59 11742 200-204-61-110.dsl.telesp.net.br started
Aug 30 09:39:10 11742 end

Aug 30 09:39:36 11747 staticip-38-179.salzburg-online.at started
Aug 30 09:39:38 11747 end

Aug 30 09:58:13 11951 211.99.99.2 started
Aug 30 09:58:15 11951 end

Aug 30 10:03:11 12061 212.141.85.198 started
Aug 30 10:03:13 12061 end

Aug 30 10:12:47 12155 d130074.upc-d.chello.nl started
Aug 30 10:12:49 12155 end
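As an added example (not part of Chris's post or the Dshield list), a small Python triage script for logs in the format quoted above: it groups lines by PID into sessions, lists connections whose HELO name shares no parent domain with the connecting host's reverse DNS, and compares the latest day's count of connections that never got as far as a MAIL command against the median of the earlier days, which is the kind of 3-4 fold jump the post asks about. The sample lines are a constructed subset in the post's format; the "MAIL" event prefix, the two-label domain-tail comparison and the threshold factor are assumptions made here, not anything the post states.

```python
from collections import Counter
from statistics import median

# Constructed sample in the post's log format: "Mon DD HH:MM:SS PID host-or-event".
SAMPLE_LOG = """\
Aug 23 09:33:46 15986 hostingtron.com started
Aug 23 09:33:47 15986 HELO mail.ultmail.com
Aug 23 09:33:47 15986 end
Aug 23 18:11:01 21673 adsl-157-194-98.dab.bellsouth.net started
Aug 23 18:11:01 21673 HELO mx04.hotmail.com
Aug 23 18:11:02 21673 end
Aug 29 19:35:24 2306 195.9.2.38 started
Aug 29 19:35:26 2306 end
Aug 29 20:31:09 2901 pc2.gl-asia.com started
Aug 29 20:31:13 2901 end
Aug 29 21:04:43 3248 217-127-131-248.uc.nombres.ttd.es started
Aug 29 21:04:46 3248 end
Aug 29 21:13:51 3345 CM-lcon4-171-104.cm.vtr.net started
Aug 29 21:13:53 3345 end
Aug 29 21:16:35 3377 userb008.dsl.pipex.com started
Aug 29 21:16:36 3377 end
Aug 29 21:47:11 3677 lsv-002.cynergen.net started
"""

def parse_sessions(text):
    """Group log lines by PID into (day, [event strings]) in log order."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            mon, day, _time, pid, event = parts
            sessions.setdefault(pid, (f"{mon} {day}", []))[1].append(event)
    return list(sessions.values())

def helo_mismatches(sessions):
    """(host, HELO) pairs whose HELO name shares no two-label domain tail with the rDNS host (heuristic)."""
    tail = lambda n: ".".join(n.lower().split(".")[-2:])
    out = []
    for _day, ev in sessions:
        host = next((e[:-8] for e in ev if e.endswith(" started")), None)
        helo = next((e[5:] for e in ev if e.startswith("HELO ")), None)
        if host and helo and tail(host) != tail(helo):
            out.append((host, helo))
    return out

def latest_day_spike(sessions, factor=3.0):
    """Latest day's count of connects that never issued MAIL (assumed event prefix), vs. median of earlier days."""
    per_day = Counter(day for day, ev in sessions if not any(e.startswith("MAIL") for e in ev))
    *earlier, (day, n) = per_day.items()  # Counter keeps log (insertion) order; needs two or more days
    return day, n, n >= factor * median(c for _, c in earlier)
```

The domain-tail check is deliberately coarse (it misfires on ccTLDs such as .co.uk and on outsourced MX hosting), so treat its hits as a review queue, not a block list.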
