RE: Strange Windows logon attempts

[Bill Proffitt <bill () luckyeagle com>]

What was the IP range if I may ask?

Thanks,
Bill

> -----Original Message-----
> From: Clive Kingston [mailto:ckingston () cheviottrust com]
> Sent: Wednesday, September 24, 2003 2:11 AM
> To: incidents () securityfocus com
> Subject: RE: Strange Windows logon attempts
>
>
> Chris
>
> Similar attempts were recently made on our network, trying to 
> come in via
> SMTP. I tracked the IP down to an elementary school network 
> in China, who
> were responsible for an earlier hack attempt (fortunately 
> also failed). I
> can't tell whether their network was the actual source or 
> merely an open
> relay for someone else. I informed the registered supervisor 
> but haven't
> received a reply (didn't really expect one). Must have got 
> bored after seven
> minutes as the attempts stopped.
>
> What intrigued me was the rapid  attempt rate, basically 
> every three to four
> seconds. That has to be an automated hacking tool. It 
> alternated attempts at
> Webmaster with \root. Maybe that's designed to exploit a Linux/Unix
> platform?
>
> Anyway Chris, they didn't get in and no further attempts have 
> been made so
> far. I've blocked the IP range.
>
>
> Hope this helps some.
>
> Clive.
> -----Original Message-----
> From: chris emer [mailto:chris () hostmysite com]
> Sent: 23 September 2003 18:36
> To: incidents () securityfocus com
> Subject: Re: Strange Windows logon attempts
>
>
> In-Reply-To: <005301c37885$80b45030$0101010a () nmi net>
>
> I have noticed on one of our servers that there were many 
> attempts to login
> as "webmaster" in a very short time period. I checked 3 other 
> servers and
> found the same thing. The time range for the attempted login 
> was between the
> 19 Sept and the 23rd Sept. The login attempts were every 2 or 
> 3 seconds and
> they never got in. They showed up in the event log with a 
> Event ID of 100
> and a source SMTPSVC.
>
>
>
> I am keeping a close eye on this, any additional help or 
> suggestions would
> be great.
>
>
>
> Chris
>
>
>
>
>
>
> The information in this e-mail and any attachments is 
> confidential and may
> be subject to legal professional privilege.  It is intended 
> solely for the
> attention and use of the named addressee(s). If you are not 
> the intended
> recipient, please notify the sender immediately.  Unless you are the
> intended recipient or his/her representative you are not 
> authorised to, and
> must not, read, copy, distribute, use or retain this message 
> or any part of
> it. As the integrity of e-mail across the Internet cannot be 
> guaranteed
> messages and documents sent via this medium are potentially 
> at risk. You
> should perform your own virus checks before opening any attachments
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------