Yeah

I've had quite a few of these attempts ... clearly someone is trying out every Windows combination that he/she can think of ... root, admin, webmaster etc etc ... and none of them work.

I just gloat and give thanks for my Mac ... and then make sure that I have the entire IP block on my blacklist. I think I have large chunks of Asian IP numbers in my blacklist.

Don't waste time trying to complain to [EMAIL PROTECTED] ... been there, done that and found it's useless.

DCK

Your words of wisdom on 10/15/03:


Date: Tue, 14 Oct 2003 23:08:18 -0400
Subject: Re: WARNING: A new attack to watch for
From: "Michael J. Stango" <[EMAIL PROTECTED]>

I've gotten a few attempts in recent weeks, most recently on October 3rd. My
log is usually about 10-20K per day, but October 3rd's was 60K.

I found this in the log:

----------
17:15:31 1 SMTP-207([218.70.9.3]) SPAM? Host is in the Blacklist
17:15:32 3 SMTP-207(dfasfd-vojmlg22) Failed to verify. Real address is [218.70.9.3:2741]
17:15:36 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:36 1 SMTP {webmaster} AUTH failed: password(webmaster) is wrong. Connection from [218.70.9.3:2741]
17:15:41 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:41 1 SMTP {webmaster} AUTH failed: password(webmaster12) is wrong. Connection from [218.70.9.3:2741]
17:15:43 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:43 1 SMTP {webmaster} AUTH failed: password(webmaster123) is wrong. Connection from [218.70.9.3:2741]
17:15:45 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
----------

And so on, until it finally stopped at 17:23:57. They try many basic account
names, and many fairly simple passwords for each.

Every time I've seen this crap in my logs, it has come from an IP in China,
so there's probably not much point in complaining to the ISP's abuse@
address. Starting with the October 3rd penetration attempt, I now create a
rule in IPNetSentry that denies all traffic from the attacking IP's
enclosing netblock.

~MJS


--
"I think there is a world market for maybe five computers." --Thomas Watson, chairman of IBM, 1943
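
An added example, not part of the original messages: a Python sketch of the log review and netblock blocking described in the thread. It assumes each AUTH-failure entry sits on one line in the format of the quoted excerpt and treats the enclosing netblock as a /24 (an assumption; the real allocation comes from whois). The sample log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# AUTH-failure line, in the format of the quoted log excerpt (one entry per line).
AUTH_FAIL = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+ SMTP \{(?P<account>[^}]*)\} AUTH failed: .*"
    r"Connection from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\]"
)

def find_bruteforce(lines, threshold=3, prefix=24):
    """Group AUTH failures by source netblock; return blocks at or over threshold."""
    stats = defaultdict(
        lambda: {"failures": 0, "accounts": set(), "first": None, "last": None}
    )
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if not m:
            continue  # blacklist hits, SYSTEM lines, anything else
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # syntactically plausible but invalid address
        # prefix=24 is an assumed block size, not the ISP's real allocation
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        s = stats[str(block)]
        s["failures"] += 1
        s["accounts"].add(m["account"])
        s["first"] = s["first"] or m["time"]
        s["last"] = m["time"]
    return {b: s for b, s in stats.items() if s["failures"] >= threshold}

# Constructed sample: documentation-range addresses, placeholder passwords.
SAMPLE_LOG = """\
17:15:31 1 SMTP-207([203.0.113.9]) SPAM? Host is in the Blacklist
17:15:36 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:36 1 SMTP {webmaster} AUTH failed: password(guess1) is wrong. Connection from [203.0.113.9:2741]
17:15:41 1 SMTP {webmaster} AUTH failed: password(guess2) is wrong. Connection from [203.0.113.9:2741]
17:15:43 1 SMTP {root} AUTH failed: password(guess3) is wrong. Connection from [203.0.113.9:2741]
17:16:02 1 SMTP {admin} AUTH failed: password(guess4) is wrong. Connection from [203.0.113.77:3010]
17:40:10 1 SMTP {alice} AUTH failed: password(typo) is wrong. Connection from [198.51.100.5:4402]
""".splitlines()

if __name__ == "__main__":
    for block, s in find_bruteforce(SAMPLE_LOG).items():
        print(f"deny {block}: {s['failures']} failures on "
              f"{sorted(s['accounts'])} between {s['first']} and {s['last']}")
```

The single failure from the second source stays under the threshold, so an ordinary mistyped password does not put a whole netblock on the deny list.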

