[CentOS] A new attack
Aleksandar Milivojevic
alex at milivojevic.org
Fri Nov 10 16:54:09 UTC 2006
Quoting John Hinton <webmaster at ew3d.com>:
> David Ellsmore wrote:
>> John Hinton wrote:
>>> Log report is reporting a lot of these lately.. following is just
>>> a short snippet from the beginning on one server.
>>>
>>> WARNING!!!!
>>> Possible Attack:
>>> Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
>>> command=HELO/EHLO, count=3 : 1 Time(s)
>>> Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
>>> command=HELO/EHLO, count=3 : 1 Time(s)
>>> Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
>>> command=HELO/EHLO, count=3 : 1 Time(s)
>>> Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
>>> command=HELO/EHLO, count=3 : 1 Time(s)
>>> Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with:
>>> command=HELO/EHLO, count=3 : 1 Time(s)
>>>
>>> Could anyone expand on what these folks are actually doing? And if
>>> I should be concerned?
>>>
>> To me it looks like something/someone looking for valid email
>> addresses - perhaps to use in an effort to defeat spam filters.
>> It'd be interesting to see what sort of conversation takes place
>> between your server and the attacker, and how close together time
>> wise these are occuring.
>>
>> I notice the first 5 warnings are from the Czech Republic, and the
>> last one is from Spain. Are you getting these from world wide
>> addresses or just these two countries?
> I just snipped out the first five so as not to clog the list. They are
> mostly coming from the baltic region of the world (what the heck
> country is a .il tld?)... a lot from that one. But also a fair
> representation from the largest spamming network in the world.. verizon
> who doesn't care one bit
The .il TLD is Israel.
> Almost in every case, they are making three attempts.. but I have
> sendmail set to pause receiving from a network after 2 bad attempts, so
> maybe this would be worse without that entry? I don't really know the
> flow of attempts like this on my system.
Just ignore them. If you were to increase logging level, you'd see
that first two attempts were either empty or using URL-like argument
precded by a bar (attempts EHLO, than HELO). After that it reattempts
with real host name, but by that time the count gets to three and
Sendmail logs the warning.
--
NOTICE: If you are not intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season. For more info, visit http://www.8-P.ca/
More information about the CentOS
mailing list