Security Incidents mailing list archives
RE: Strange Windows logon attempts
From: Bill Proffitt <bill () luckyeagle com>
Date: Wed, 24 Sep 2003 12:14:33 -0700
What was the IP range if I may ask? Thanks, Bill
-----Original Message-----
From: Clive Kingston [mailto:ckingston () cheviottrust com]
Sent: Wednesday, September 24, 2003 2:11 AM
To: incidents () securityfocus com
Subject: RE: Strange Windows logon attempts

Chris

Similar attempts were recently made on our network, trying to come in via SMTP. I tracked the IP down to an elementary school network in China, who were responsible for an earlier hack attempt (fortunately also failed). I can't tell whether their network was the actual source or merely an open relay for someone else. I informed the registered supervisor but haven't received a reply (didn't really expect one).

Must have got bored after seven minutes as the attempts stopped. What intrigued me was the rapid attempt rate, basically every three to four seconds. That has to be an automated hacking tool. It alternated attempts at Webmaster with \root. Maybe that's designed to exploit a Linux/Unix platform?

Anyway Chris, they didn't get in and no further attempts have been made so far. I've blocked the IP range. Hope this helps some.

Clive.

-----Original Message-----
From: chris emer [mailto:chris () hostmysite com]
Sent: 23 September 2003 18:36
To: incidents () securityfocus com
Subject: Re: Strange Windows logon attempts
In-Reply-To: <005301c37885$80b45030$0101010a () nmi net>

I have noticed on one of our servers that there were many attempts to log in as "webmaster" in a very short time period. I checked 3 other servers and found the same thing. The time range for the attempted login was between the 19 Sept and the 23rd Sept. The login attempts were every 2 or 3 seconds and they never got in. They showed up in the event log with an Event ID of 100 and a source SMTPSVC. I am keeping a close eye on this, any additional help or suggestions would be great.

Chris
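The pattern both posters describe (SMTPSVC Event ID 100 failures a few seconds apart, alternating between account names) can be picked out of an exported log by grouping records on the gap between consecutive events. This is an added example, not part of the thread; the four-column record layout, the thresholds and the sample rows are constructed for illustration and are not the real Event Log format.

```python
from datetime import datetime

# Constructed sample export: time, event id, source, account attempted.
SAMPLE = """\
2003-09-23 08:15:10,100,SMTPSVC,jsmith
2003-09-23 10:00:00,100,SMTPSVC,webmaster
2003-09-23 10:00:03,100,SMTPSVC,root
2003-09-23 10:00:06,100,SMTPSVC,webmaster
2003-09-23 10:00:10,100,SMTPSVC,root
2003-09-23 10:00:13,100,SMTPSVC,webmaster
2003-09-23 10:00:16,100,SMTPSVC,root
2003-09-23 10:00:17,4000,OtherSvc,n/a
2003-09-23 14:30:00,100,SMTPSVC,jsmith
"""

def parse(lines, event_id="100", source="SMTPSVC"):
    """Yield (timestamp, account) for records matching the event id and source."""
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[1] != event_id or parts[2] != source:
            continue  # blank, malformed or unrelated record
        yield datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), parts[3].lower()

def summarize(run):
    return {"start": run[0][0], "end": run[-1][0], "count": len(run),
            "accounts": sorted({acct for _, acct in run})}

def find_bursts(lines, max_gap=5, min_events=5):
    """Group failures whose spacing is <= max_gap seconds; keep runs of
    at least min_events, which separates scripted guessing from the
    occasional mistyped password."""
    bursts, run = [], []
    for ts, acct in sorted(parse(lines)):
        if run and (ts - run[-1][0]).total_seconds() > max_gap:
            if len(run) >= min_events:
                bursts.append(summarize(run))
            run = []
        run.append((ts, acct))
    if len(run) >= min_events:
        bursts.append(summarize(run))
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE.splitlines()):
        secs = (b["end"] - b["start"]).total_seconds()
        print(f'{b["count"]} failures in {secs:.0f}s from {b["start"]}: {b["accounts"]}')
```

The isolated `jsmith` failures fall below `min_events` and are not reported; only the run with three-to-four-second spacing is.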
Current thread:
- Re: Strange Windows logon attempts chris emer (Sep 23)
- <Possible follow-ups>
- RE: Strange Windows logon attempts David Harper (Sep 24)
- RE: Strange Windows logon attempts Clive Kingston (Sep 24)
- RE: Strange Windows logon attempts Bill Proffitt (Sep 24)