
Welcome to the Virus.Org Mailing List Archive




[Dshield] Rumplestiltskin Attack

  • To: [EMAIL PROTECTED]
  • Subject: [Dshield] Rumplestiltskin Attack
  • From: "Tom Willett" <[EMAIL PROTECTED]>
  • Date: Tue, 12 Oct 2004 16:48:36 +0000
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
 
I run a small web and mail server -- three domains, about 15 mail users. 
Because I grew tired of the continual hack attempts on my server, a couple 
of weeks ago I started creating some scripts that scanned my web and mail 
logs for common attacks.  When I spotted these attacks I posted the IP of 
the attacker and their attack attempt to a public web page.

This made the email harvesters who query mail servers for email names mad, 
apparently, because the frequency of the attacks increased dramatically.  
This was starting to overload my mail server, so I added a script to block 
the IPs at the firewall.  Lest you think I am blocking legitimate attempts 
to transfer mail, the attacks are looking for email addresses with names 
like nppuvlbeyhud or vdkbhqbo, not even dictionary names.

To make the story short, the Rumplestiltskin or Dictionary attack has been 
going on for over a week.  The probes come about every 10 seconds -- I have 
collected over 2000 different IPs of mail servers that are at least open 
relays, and most probably have been compromised in other ways.

I have configured the mail server to withstand the attack so far by 
throttling back the number of connections per minute allowed per ip and the 
number of successive 'User unknown's allowed.

You can see my list of compromised mail servers here:

http://www.pigstye.net/error/dictatt.php

My list of webserver attacks here:

http://www.pigstye.net/error/lamer.php

My complete list of spam/virus and mailserver attacks here:

http://www.pigstye.net/error/email.php

You can find a little more information and longer descriptions and links to 
these pages here:

http://www.pigstye.net/

--
Tom Willett
tomw AT pigstye.net  (As if that little bit of obfuscation will help.)

_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to [EMAIL PROTECTED]
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
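The post above describes two controls without showing them: a script that scans the mail log for runs of "User unknown" rejections from one client, and a firewall block for the offending IPs. The following is an added example written for this archive page; it is not Tom Willett's script, and the page does not say which MTA or firewall he ran. It assumes a Postfix smtpd log format, a sliding window of 60 seconds with a threshold of 5 unknown-recipient rejections, the year 2004 for the syslog timestamps (which carry none), and iptables for the block. The log lines are constructed, not a real capture.

```python
"""Detect an SMTP dictionary ("Rumplestiltskin") attack in mail log lines
and produce firewall rules for the offending client IPs.

Added example for this archive page, not the poster's own script.
Assumptions: Postfix smtpd log format, ASSUMED_YEAR for syslog stamps,
illustrative thresholds, iptables as the firewall."""

import re
from collections import defaultdict, deque
from datetime import datetime

MAX_UNKNOWN = 5        # rejections inside the window before a client is flagged
WINDOW_SECONDS = 60    # sliding window length; both values are assumptions
ASSUMED_YEAR = 2004    # syslog lines have no year; the post is from Oct 2004

# Postfix smtpd rejection of a recipient that does not exist locally.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"550 [\d.]+ <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_ts(ts):
    """Syslog timestamp ('Oct 12 16:48:01') to a datetime, year assumed."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def find_dictionary_attackers(lines, max_unknown=MAX_UNKNOWN, window=WINDOW_SECONDS):
    """Return {client_ip: [rejected local parts]} for clients that produced
    max_unknown or more 'User unknown' rejections within `window` seconds.

    A per-IP deque keeps the timestamps of recent rejections; entries older
    than the window are dropped before the count is checked, so a legitimate
    sender who mistypes one address once in a while is never flagged."""
    recent = defaultdict(deque)
    names = defaultdict(list)
    offenders = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue                      # accepted mail and other log noise
        ip, t = m["ip"], parse_ts(m["ts"])
        names[ip].append(m["rcpt"].split("@", 1)[0])
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window:
            q.popleft()                   # expire rejections outside the window
        if len(q) >= max_unknown:
            offenders[ip] = names[ip]     # record the probed names as evidence
    return offenders


def block_rules(offenders, port=25):
    """iptables commands dropping SMTP from each offender (returned, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders)]


def _rej(ts, ip, rcpt):
    """Build one constructed Postfix rejection line for the sample log."""
    return (f"{ts} mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}@example.org>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<x@example.net> "
            f"to=<{rcpt}@example.org> proto=ESMTP helo=<example.net>")


# Constructed sample log: one client probing random names every few seconds,
# one legitimate client that mistypes an address twice, fifteen minutes apart.
SAMPLE_LOG = [
    _rej("Oct 12 16:48:01", "203.0.113.5", "nppuvlbeyhud"),
    _rej("Oct 12 16:48:04", "203.0.113.5", "vdkbhqbo"),
    _rej("Oct 12 16:48:08", "203.0.113.5", "qwezrtyp"),
    _rej("Oct 12 16:48:11", "203.0.113.5", "mmvlzxcv"),
    _rej("Oct 12 16:48:13", "203.0.113.5", "ttrewqas"),
    "Oct 12 16:48:20 mx postfix/smtpd[4321]: connect from unknown[198.51.100.20]",
    _rej("Oct 12 16:48:21", "198.51.100.20", "bob"),
    _rej("Oct 12 17:03:21", "198.51.100.20", "bobby"),
]

if __name__ == "__main__":
    found = find_dictionary_attackers(SAMPLE_LOG)
    for ip, probed in found.items():
        print(f"{ip}: {len(probed)} unknown recipients, e.g. {probed[:3]}")
    print("\n".join(block_rules(found)))
```

Tune `MAX_UNKNOWN` and `WINDOW_SECONDS` to your own traffic before feeding the rules to a firewall, and remember that the poster's second control (limiting connections per minute per IP inside the MTA) is a separate setting that this script does not replace.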
