[Dshield] Dictionary Attack Update

Jon R. Kibler Jon.Kibler at aset.com
Wed Dec 31 23:50:58 GMT 2003


Well, Happy New Year (or it is about to be) Everyone!

An update on the Dictionary Attacks.
   1) These appear to be VERY wide spread. We can document that innumerable domains have been affected by these attacks.
   2) The attack always claims to be 'john@' some random domain -- although it appears that there is a very limited set (~100?) of domain names used.
   3) The attack is always against 29 targets.
   4) The attacker forges the EHLO to match the MAIL From domain name.
   5) The attacks originate from compromised systems.
   6) The compromised systems are always running with 3 open high-numbered ports.
   7) One of these ports always claims to be a web server but does not appear to honor a lot of http/1.0 commands.
   8) Trying to connect to the web site using a standard browser using http://IP:PORT/ returns a null page. Apparently, it only responds to a specific page request. (ftp://... never responds.)


If anyone has any idea what software may be behind this mess, I would appreciate a few ideas...

TIA and Happy New Year!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
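The indicators listed in the post (a 'john@' sender on a rotating set of forged domains, an EHLO that matches the MAIL FROM domain, exactly 29 recipients per run, most of them guessed names that get rejected) can be turned into a simple detection pass over MTA logs. The script below is an added example and not part of Jon's post or any DShield tooling; it parses a constructed, simplified session log (one event per line, not any real MTA's log format) and flags sessions that hit several of the indicators at once, then lists the distinct sender domains seen per source IP.

```python
import re
from collections import defaultdict

# Constructed, simplified MTA log: "<session> <event> k=v ...", one event per
# line. Not any real MTA's format; it only carries what the indicators need
# (source IP, EHLO name, MAIL FROM, each RCPT TO and its SMTP status).
def _constructed_attack_session(sid, ip, domain, n_targets=29):
    lines = [f"{sid} connect from={ip}",
             f"{sid} ehlo name={domain}",           # EHLO forged to match MAIL FROM domain
             f"{sid} mail from=<john@{domain}>"]    # 'john@' some random domain
    for i in range(n_targets):
        # a dictionary run guesses names: all but one are unknown (550)
        status = 250 if i == n_targets - 1 else 550
        lines.append(f"{sid} rcpt to=<user{i:02d}@victim.example> status={status}")
    return lines

SAMPLE_LOG = "\n".join(
    _constructed_attack_session("s1", "198.51.100.23", "randomdom-a.test")
    + ["s2 connect from=203.0.113.8",                 # benign session for contrast
       "s2 ehlo name=mail.partner.example",
       "s2 mail from=<alice@partner.example>",
       "s2 rcpt to=<bob@victim.example> status=250"]
    + _constructed_attack_session("s3", "198.51.100.23", "randomdom-b.test")
)

LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<event>connect|ehlo|mail|rcpt)(?P<kv>(?: \S+=\S+)*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_sessions(log_text):
    """Group log events by session id into {ip, ehlo, sender, rcpts, rejected}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("kv")))
        s = sessions.setdefault(m.group("sid"),
                                {"ip": None, "ehlo": None, "sender": None, "rcpts": [], "rejected": 0})
        ev = m.group("event")
        if ev == "connect":
            s["ip"] = fields.get("from")
        elif ev == "ehlo":
            s["ehlo"] = fields.get("name", "").lower()
        elif ev == "mail":
            s["sender"] = fields.get("from", "").strip("<>").lower()
        elif ev == "rcpt":
            s["rcpts"].append(fields.get("to", "").strip("<>").lower())
            if fields.get("status", "").startswith("5"):
                s["rejected"] += 1
    return sessions

def indicators(session, target_count=29):
    """Evaluate the post's indicators for one session; target_count is tunable."""
    local, _, domain = (session["sender"] or "").partition("@")
    n = len(session["rcpts"])
    return {
        "sender_is_john": local == "john",
        "ehlo_equals_sender_domain": bool(domain) and session["ehlo"] == domain,
        "exactly_target_count": n == target_count,
        # guessed names are mostly unknown, so most RCPT TOs come back 5xx
        "mostly_unknown_recipients": n > 0 and session["rejected"] / n >= 0.8,
    }

def flag_sessions(log_text, min_hits=3):
    """Return {session_id: [indicator names that hit]} for sessions with >= min_hits."""
    flagged = {}
    for sid, s in parse_sessions(log_text).items():
        hits = [name for name, ok in indicators(s).items() if ok]
        if len(hits) >= min_hits:
            flagged[sid] = hits
    return flagged

def sender_domains_by_ip(log_text):
    """Distinct forged sender domains per source IP (the small rotating set from item 2)."""
    by_ip = defaultdict(set)
    for s in parse_sessions(log_text).values():
        if s["ip"] and s["sender"]:
            by_ip[s["ip"]].add(s["sender"].partition("@")[2])
    return {ip: sorted(doms) for ip, doms in by_ip.items()}

if __name__ == "__main__":
    for sid, hits in flag_sessions(SAMPLE_LOG).items():
        print(sid, hits)
    print(sender_domains_by_ip(SAMPLE_LOG))
```

Requiring several indicators to fire together keeps a single legitimate john@ sender or a single large mailing from being flagged; the recipient count and the rejection ratio are the indicators worth tuning, since the exact figure of 29 is what this one observer saw and an attacker can change it trivially.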






