[Dshield] Dictionary Attack Update

JD lists at webcrunchers.com
Thu Jan 1 07:12:12 GMT 2004


On Dec 31, 2003, at 3:50 PM, Jon R. Kibler wrote:

> An update on the Dictionary Attacks.
>    1) These appear to be VERY widespread. We can document that 
> innumerable domains have been affected by these attacks.
>    2) The attack always claims to be 'john@' some random domain -- 
> although it appears that there is a very limited set (~100?) of domain 
> names used.
>    3) The attack is always against 29 targets.
>    4) The attacker forges the EHLO to match the MAIL From domain name.
>    5) The attacks originate from compromised systems.
>    6) The compromised systems are always running with 3 open 
> high-numbered ports.
>    7) One of these ports always claims to be a web server but does not 
> appear to honor a lot of http/1.0 commands.
>    8) Trying to connect to the web site using a standard browser using 
> http://IP:PORT/ returns a null page. Apparently, it only responds to a 
> specific page request. (ftp://... never responds.)
>
>
> If anyone has any idea what software may be behind this mess, I would 
> appreciate a few ideas...

Good job... One thing I noticed is I'm getting new virii - most come 
as 104k attachments. Most come from usernames 
such as smtprobot at yahoo, or <something>robot@<fake_domain>.

I'm not getting that many, around 4 - 6 per day, but they are 
increasing in numbers as time goes by.

This Dict attack is prolly just the result of more hostile code being 
spread by these new virii.

These Dict attacks used to completely take down my web server; 
luckily it's now unmolested by these attacks, 
because they are just blocked before they even get close to the servers.

These attacks come from a very large list of IP addresses, mostly 
originating from DSL and cable modem users, which just backs up your 
suspicion that these are coming from infected hosts.

I suspect a number of IRC servers are used to control these, and if I 
can match up an IP address, I can possibly find out where the control 
is coming from.

John
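The indicators in the quoted list (sender localpart 'john@', EHLO forged to equal the MAIL FROM domain, a fixed batch of 29 recipients per run) can be turned into detection logic over an MTA's transaction log. The following is an added example, not code from the list post or from any mail server project; the one-command-per-line log format, the source IPs and the addresses are constructed for illustration, and the indicator names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of a simplified SMTP transaction log ("<source-ip> <command>",
# one command per line); the IPs and addresses are made up, not data from the post.
SAMPLE_LOG = "\n".join(
    ["203.0.113.7 EHLO example-one.test", "203.0.113.7 MAIL FROM:<john@example-one.test>"]
    + [f"203.0.113.7 RCPT TO:<user{i:02d}@ourdomain.test>" for i in range(29)]
    + ["198.51.100.4 EHLO mail.partner.test", "198.51.100.4 MAIL FROM:<bob@partner.test>",
       "198.51.100.4 RCPT TO:<alice@ourdomain.test>"])

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<cmd>EHLO|HELO|MAIL FROM|RCPT TO)[: ]*<?(?P<arg>[^>\s]+)>?$")

def parse_sessions(log_text):
    """Group the EHLO name, MAIL FROM address and RCPT TO list by source IP."""
    sessions = defaultdict(lambda: {"ehlo": None, "mail_from": None, "rcpts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not one of the four commands
        s = sessions[m["ip"]]
        cmd, arg = m["cmd"], m["arg"].lower()
        if cmd in ("EHLO", "HELO"):
            s["ehlo"] = arg
        elif cmd == "MAIL FROM":
            s["mail_from"] = arg
        else:
            s["rcpts"].append(arg)
    return sessions

def score_session(session, batch_size=29):
    """Return the indicators from the post that one session matches."""
    hits = []
    local, _, domain = (session["mail_from"] or "").partition("@")
    if local == "john":
        hits.append("sender-localpart-john")
    if domain and session["ehlo"] == domain:  # forged EHLO equals the MAIL FROM domain
        hits.append("ehlo-equals-mail-from-domain")
    if len(session["rcpts"]) >= batch_size:   # the fixed 29-target batch
        hits.append(f"rcpt-batch:{len(session['rcpts'])}")
    return hits

def flag_dictionary_attacks(log_text, batch_size=29, min_hits=2):
    """Map source IP -> matched indicators for sessions matching min_hits or more."""
    scored = {ip: score_session(s, batch_size) for ip, s in parse_sessions(log_text).items()}
    return {ip: hits for ip, hits in scored.items() if len(hits) >= min_hits}
```

Requiring two indicators keeps a lone legitimate user named john, or a site whose EHLO happens to equal its sender domain, from being flagged on its own.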
