Re: possible SMTP attack

From: Alexander Dalloz (alexander.dalloz_at_uni-bielefeld.de)
Date: 07/31/04

    Date: Sat, 31 Jul 2004 20:52:07 +0200
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    
    
    

    On Sat, 31.07.2004 at 20:26, Olga wrote:

    > I got this message in the logwatch sent to root:

    > Client quit before communicating:
    > 222.183.141.253 : 1 Time(s)
    >
    > **Unmatched Entries**
    > [222.183.141.253]: possible SMTP attack: command=AUTH, count=6: 1 Time(s)

    > What does it mean? How can I protect my server against SMTP attacks?

    > Olga

    It means someone from host 222.183.141.253 - which does not have to be the
    starting point but a transfer point of the "attack", meaning a hacked host
    from which the hacker acts hiding his own personal station - tried to
    SMTP AUTH against your Sendmail and failed. He did 6 tries. It might be
    harmless if it was one of your users who forgot his username/password
    combination. Grep your maillog to see more details.

    What to do against it? Not much, unfortunately. Be sure your users only
    use secure passwords, not trivial dictionary things. If you encounter
    such attacks more often you might set up an automatic log observing tool
    like swatch which instantly warns you i.e. by mail if someone starts
    trying to hack. Or you automatically block the attacking host using
    iptables. This could be done too in combination with a tool like swatch
    or by an own script run by cron every few minutes.

    Alexander

    -- 
    Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
    Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
    Serendipity 20:44:35 up 2:09, 8 users, 0.32, 0.31, 0.32 
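
The cron-driven blocking script suggested in the reply could look like the following added example, which is not part of the original post. It counts the "possible SMTP attack: command=AUTH" lines per client address and prints the iptables rules instead of applying them. The threshold, the allow list, the function names and the sample log lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run blocker for hosts that
# sendmail flagged with "possible SMTP attack: command=AUTH".
THRESHOLD=${THRESHOLD:-2}    # flagged lines per IP before blocking (assumed policy)
ALLOW=${ALLOW:-127.0.0.1}    # space-separated IPs that must never be blocked

# Constructed sample lines in the message format quoted in the logwatch report.
sample_log() {
cat <<'EOF'
Jul 31 20:10:01 mail sendmail[4101]: i6VIA1ab004101: [222.183.141.253]: possible SMTP attack: command=AUTH, count=6
Jul 31 20:11:40 mail sendmail[4107]: i6VIBeab004107: [198.51.100.7]: possible SMTP attack: command=AUTH, count=6
Jul 31 20:12:02 mail sendmail[4110]: i6VIC2ab004110: relay.example.net [192.0.2.44]: possible SMTP attack: command=AUTH, count=5
Jul 31 20:13:15 mail sendmail[4112]: i6VIDFab004112: [198.51.100.7]: possible SMTP attack: command=AUTH, count=6
Jul 31 20:14:09 mail sendmail[4120]: i6VIE9ab004120: [222.183.141.253]: possible SMTP attack: command=AUTH, count=7
Jul 31 20:15:30 mail sendmail[4125]: i6VIFUab004125: [198.51.100.7]: possible SMTP attack: command=AUTH, count=6
EOF
}

# flagged_hosts FILE: print "ip hits" for every IP with >= THRESHOLD flagged lines.
# Only a strictly numeric bracketed IPv4 address is accepted: the hostname in
# front of it comes from reverse DNS, which the remote side controls, and must
# never reach a firewall command line.
flagged_hosts() {
    awk -v min="$THRESHOLD" '
        match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: possible SMTP attack: command=AUTH/) {
            ip = substr($0, RSTART + 1)   # drop the opening bracket
            sub(/\].*/, "", ip)           # cut at the closing bracket
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort
}

# block_rules FILE: print one DROP rule for port 25 per flagged, non-allowed IP.
block_rules() {
    flagged_hosts "$1" | while read -r ip hits; do
        case " $ALLOW " in *" $ip "*) continue ;; esac
        echo "iptables -I INPUT -s $ip -p tcp --dport 25 -j DROP"
    done
}

# Dry run on the constructed sample; from cron you would instead call
# block_rules /var/log/maillog (assumed log path) and review or apply the output.
tmp=$(mktemp); sample_log > "$tmp"; block_rules "$tmp"; rm -f "$tmp"
```

Keep your own client networks in `ALLOW`, since a user who mistypes a password a few times produces the same log line as a guessing attempt.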
    
    

    
    
