[CentOS] dictonary attacks

Thu Nov 11 17:51:13 UTC 2010
PA <razor at meganet.net>

John,

 

I figured that the user's computer was compromised and the user/password was
obtained that way but then again I'm baffled as to why they would start a
dictionary attack on the server if they already have the user/pass combo.

I was just worried that something else happened here that I was unaware of. 

 

From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of John Hinton
Sent: Wednesday, November 10, 2010 6:27 PM
To: CentOS mailing list
Subject: Re: [CentOS] dictonary attacks

 

On 11/10/2010 6:10 PM, PA wrote: 

Hi hoping someone can help me a little with this one.

 

I have 2 mail servers, the incoming mail server runs dovecot and the
outgoing mail server runs postfix with sasl.

 

Lately I noticed a lot of spammers are running dictionary attacks on my
incoming server and then using that user/password for sasl on the outgoing
server.

The weird thing is I never see on the logs the guessed username/password. I
always see the ones they can't guess.

 

For example:

Looking at the logs  I see the following dictionary attack from
94.242.206.37

 

Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37,
lip=209.213.66.10

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37):
lookup

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37):
lookup

Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37):
unknown user

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37):
unknown user

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37):
lookup

Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37):
unknown user

Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH     1
PLAIN   service=POP3    lip=209.213.66.10       rip=94.242.206.37
resp=<hidden>

Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37):
lookup

..... And so on..

 

Then that ip gets banned by fail2ban

 

[root at pop ~]# grep 94.242.206.37 /var/log/fail2ban.log

2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban
94.242.206.37

 

 

However on my outgoing mail server that ip is already sending out all sorts
of spam with the sasl username of Paramus. 

This username Paramus never shows up on the dovecot dictionary attack log,
as a matter of fact the user Paramus is nowhere to be found on the dovecot
log at all and I have logs going back months. 

 

/var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus

/var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B:
client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus

 

 

Does anyone have any idea what could of happened here. I mean if the
user/passwd was already harvested by  94.242.206.37  why would they bother
to start another dict. attack. 

 

I'm just not sure how they guess the username/password as its not on any
logs that goes back months and I don't have a dovecot fail record for that
user on the logs. This is the case all the time for me and it happens with
other ips.

 

Any help would be appreciated.

 

paul

 

Yeah... isn't this fun? I'm using Fail2Ban for the same reasons.

Off the top of my head, perhaps the user paramus, assuming they actually use
your server for email, may have a trojan on their comp recording keystrokes
and sending them to the bad boy. Many of the latest virii are very good at
this, getting FTP logins as well to help spread their malwares onto web
pages.

I believe most of these are totally automated processes, with just a bit of
blackhat input. As they had your server address anyway, I'd bet it just made
it onto the bot list to do dictionary attacks as well. Sort of dumb when you
think about it, as the dictionary attack would get them firewalled, killing
off what is successfully running. But don't tell the spammer that. ;)

Also, it doesn't hurt to report these addresses to the network admin. I have
been successful a number of times in getting stuff shut down. This seems to
be a legit provider. They might actually respond. If we all do that, our
numbers can make it harder on the spammers.



-- 
John Hinton
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20101111/094dd89e/attachment-0005.html>