[CentOS] A new attack

Fri Nov 10 16:54:09 UTC 2006
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting John Hinton <webmaster at ew3d.com>:

> David Ellsmore wrote:
>> John Hinton wrote:
>>> Log report is reporting a lot of these lately.. following is just   
>>> a short snippet from the beginning on one server.
>>>
>>> WARNING!!!!
>>> Possible Attack:
>>>  Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
>>>     command=HELO/EHLO, count=3 : 1 Time(s)
>>>  Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
>>>     command=HELO/EHLO, count=3 : 1 Time(s)
>>>  Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
>>>     command=HELO/EHLO, count=3 : 1 Time(s)
>>>  Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
>>>     command=HELO/EHLO, count=3 : 1 Time(s)
>>>  Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with:
>>>     command=HELO/EHLO, count=3 : 1 Time(s)
>>>
>>> Could anyone expand on what these folks are actually doing? And if  
>>>  I should be concerned?
>>>
>> To me it looks like something/someone looking for valid email   
>> addresses - perhaps to use in an effort to defeat spam filters.   
>> It'd be interesting to see what sort of conversation takes place   
>> between your server and the attacker, and how close together time   
>> wise these are occurring.
>>
>> I notice the first 5 warnings are from the Czech Republic, and the   
>> last one is from Spain. Are you getting these from world wide   
>> addresses or just these two countries?
> I just snipped out the first five so as not to clog the list. They are
> mostly coming from the baltic region of the world (what the heck
> country is a .il tld?)... a lot from that one. But also a fair
> representation from the largest spamming network in the world.. verizon
> who doesn't care one bit

The .il TLD is Israel.

> Almost in every case, they are making three attempts.. but I have
> sendmail set to pause receiving from a network after 2 bad attempts, so
> maybe this would be worse without that entry? I don't really know the
> flow of attempts like this on my system.

Just ignore them.  If you were to increase logging level, you'd see  
that first two attempts were either empty or using URL-like argument  
preceded by a bar (attempts EHLO, then HELO).  After that it reattempts  
with real host name, but by that time the count gets to three and  
Sendmail logs the warning.

-- 
NOTICE: If you are not intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season.  For more info, visit http://www.8-P.ca/
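As an added example (not part of the thread), the small parser below reads the logwatch "Possible Attack" block quoted above and applies the triage rule from the reply: entries that are only HELO/EHLO with a count of 3 are noise, anything else is worth a look. The report text is constructed from the quoted snippet plus one made-up RCPT line for contrast; the domain grouping is an assumption about how one might check the "mostly from one network" observation.

```python
import re
from collections import Counter

# Constructed sample, modelled on the logwatch block quoted in the thread,
# with one extra made-up RCPT entry so the triage split has something to show.
REPORT = """\
WARNING!!!!
Possible Attack:
 Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
    command=HELO/EHLO, count=3 : 1 Time(s)
 Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
    command=HELO/EHLO, count=3 : 1 Time(s)
 Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with:
    command=HELO/EHLO, count=3 : 1 Time(s)
 Attempt from example.invalid [198.51.100.7] with:
    command=RCPT, count=25 : 4 Time(s)
"""

ATTEMPT_RE = re.compile(r"^\s*Attempt from (\S+) \[([\d.]+)\] with:\s*$")
DETAIL_RE = re.compile(r"^\s*command=(\S+), count=(\d+) : (\d+) Time\(s\)\s*$")


def parse_report(text):
    """Return a list of (host, ip, command, count, times) from a logwatch block."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:                      # header line: remember host and IP
            pending = m.groups()
            continue
        m = DETAIL_RE.match(line)
        if m and pending:          # detail line: pair it with the pending header
            host, ip = pending
            entries.append((host, ip, m.group(1), int(m.group(2)), int(m.group(3))))
            pending = None
    return entries


def triage(entries):
    """Split into noise (HELO/EHLO, count <= 3, as described in the reply) and the rest."""
    noise, review = [], []
    for e in entries:
        (noise if e[2] == "HELO/EHLO" and e[3] <= 3 else review).append(e)
    return noise, review


def by_domain(entries):
    """Count entries by the last two host labels to see clustering by network (assumed heuristic)."""
    return Counter(".".join(e[0].split(".")[-2:]) for e in entries)


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    noise, review = triage(parsed)
    print(f"{len(noise)} noise entries, {len(review)} to review; by domain: {dict(by_domain(parsed))}")
```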