[Dshield] Dictionary Attack Update

Barton L. Phillips admin at bartonphillips.com
Thu Jan 1 17:25:17 GMT 2004


I have seen these. All from john@ all 29 targets. I'm not logging the full conversation so don't know about the EHLO stuff. If you are interested I can 1) send you my maillog, and 2) change my logging to include the full conversations. Let me know.

***
Jon Wrote: 
Well, Happy New Year (or it is about to be) Everyone!

An update on the Dictionary Attacks.
   1) These appear to be VERY wide spread. We can document that innumerable domains have been effected by these attacks.
   2) The attack always claims to be 'john@' some random domain -- although it appears that there is a very limited set (~100?) of domain names used.
   3) The attack is always against 29 targets.
   4) The attacker forges the EHLO to match the MAIL From domain name.
   5) The attacks originate from compromised systems.
   6) The compromised systems are always running with 3 open high-numbered ports.
   7) One of these ports always claims to be a web server but does not appear to honor a lot of http/1.0 commands.
   8) Trying to connect to the web site using a standard browser using http://IP:PORT/ returns a null page. Apparently, it only responds to a specific page request. (ftp://... never responds.)


If anyone has any idea what software may be behind this mess, I would appreciate a few ideas...

TIA and Happy New Year!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214


-- 
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com





More information about the list mailing list