[Dshield] Dictionary Attack Update

Nels Bels nelsbels at cableone.net
Thu Jan 1 00:22:42 GMT 2004


This was similar to a post that I and another user had commented about
that happened about 2 weeks ago. The difference in my case was the
'john@' was a 'james@'. I am also not sure if the system that sent it
was a compromised machine or the 29 target idea.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Jon R. Kibler
Sent: Wednesday, December 31, 2003 5:51 PM
To: list at dshield.org
Subject: [Dshield] Dictionary Attack Update


Well, Happy New Year (or it is about to be) Everyone!

An update on the Dictionary Attacks.
   1) These appear to be VERY widespread. We can document that
innumerable domains have been affected by these attacks.
   2) The attack always claims to be 'john@' some random domain --
although it appears that there is a very limited set (~100?) of domain
names used.
   3) The attack is always against 29 targets.
   4) The attacker forges the EHLO to match the MAIL From domain name.
   5) The attacks originate from compromised systems.
   6) The compromised systems are always running with 3 open
high-numbered ports.
   7) One of these ports always claims to be a web server but does not
appear to honor a lot of http/1.0 commands.
   8) Trying to connect to the web site using a standard browser using
http://IP:PORT/ returns a null page. Apparently, it only responds to a
specific page request. (ftp://... never responds.)


If anyone has any idea what software may be behind this mess, I would
appreciate a few ideas...

TIA and Happy New Year!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
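As an added example (not code from either poster), a small Python checker that applies the indicators Jon lists (a 'john@' sender, the EHLO forged to match the MAIL FROM domain, 29 recipients in one session) to constructed log lines. The "<session-id> <EHLO|MAIL|RCPT> <value>" log format, the session ids and the sample addresses are assumptions made for the example, not any real MTA's format.

```python
import re
from collections import defaultdict

# Constructed log format (assumption, not any real MTA's): "<session-id> <EHLO|MAIL|RCPT> <value>"
LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<event>EHLO|MAIL|RCPT) (?P<value>\S+)$")

def parse_sessions(lines):
    """Group EHLO / MAIL FROM / RCPT TO events by session id."""
    sessions = defaultdict(lambda: {"ehlo": None, "mail_from": None, "rcpt": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the constructed format
        s, ev, val = sessions[m["sid"]], m["event"], m["value"].lower()
        if ev == "EHLO":
            s["ehlo"] = val
        elif ev == "MAIL":
            s["mail_from"] = val
        else:
            s["rcpt"].add(val)
    return sessions

def is_dictionary_attack(session, min_targets=29, sender_localparts=("john", "james")):
    """All three indicators from the thread must hold for one session."""
    mail_from = session["mail_from"] or ""
    if "@" not in mail_from:
        return False
    local, domain = mail_from.rsplit("@", 1)
    forged_ehlo = session["ehlo"] == domain      # item 4: EHLO forged to match MAIL FROM domain
    known_sender = local in sender_localparts    # item 2: 'john@' (the reply saw 'james@')
    burst = len(session["rcpt"]) >= min_targets  # item 3: 29 targets per attack
    return forged_ehlo and known_sender and burst

def flag_sessions(lines, **kw):
    """Return the sorted session ids that match the pattern."""
    return sorted(sid for sid, s in parse_sessions(lines).items() if is_dictionary_attack(s, **kw))

# Constructed sample log: one attack-like session (s1) and one ordinary delivery (s2).
SAMPLE_LOG = (
    ["s1 EHLO example-one.test", "s1 MAIL john@example-one.test"]
    + [f"s1 RCPT user{i}@victim.test" for i in range(29)]
    + ["s2 EHLO mail.partner.test", "s2 MAIL alice@partner.test", "s2 RCPT bob@victim.test"]
)

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))  # ['s1']
```

Real logs need their own parser in place of LINE_RE; the three-indicator check in is_dictionary_attack is the part worth keeping.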
