Security Incidents mailing list archives

RE: Strange Windows logon attempts


From: Clive Kingston <ckingston () cheviottrust com>
Date: Wed, 24 Sep 2003 10:10:48 +0100

Chris

Similar attempts were recently made on our network, trying to come in via
SMTP. I tracked the IP down to an elementary school network in China, who
were responsible for an earlier hack attempt (fortunately also failed). I
can't tell whether their network was the actual source or merely an open
relay for someone else. I informed the registered supervisor but haven't
received a reply (didn't really expect one). Must have got bored after seven
minutes as the attempts stopped.

What intrigued me was the rapid attempt rate, basically every three to four
seconds. That has to be an automated hacking tool. It alternated attempts at
Webmaster with \root. Maybe that's designed to exploit a Linux/Unix
platform?

Anyway Chris, they didn't get in and no further attempts have been made so
far. I've blocked the IP range.


Hope this helps some.

Clive.
-----Original Message-----
From: chris emer [mailto:chris () hostmysite com]
Sent: 23 September 2003 18:36
To: incidents () securityfocus com
Subject: Re: Strange Windows logon attempts


In-Reply-To: <005301c37885$80b45030$0101010a () nmi net>

I have noticed on one of our servers that there were many attempts to login
as "webmaster" in a very short time period. I checked 3 other servers and
found the same thing. The time range for the attempted logins was between
19 Sept and 23 Sept. The login attempts were every 2 or 3 seconds and
they never got in. They showed up in the event log with an Event ID of 100
and a source of SMTPSVC.

I am keeping a close eye on this, any additional help or suggestions would
be great.

Chris

The information in this e-mail and any attachments is confidential and may
be subject to legal professional privilege.  It is intended solely for the
attention and use of the named addressee(s). If you are not the intended
recipient, please notify the sender immediately.  Unless you are the
intended recipient or his/her representative you are not authorised to, and
must not, read, copy, distribute, use or retain this message or any part of
it. As the integrity of e-mail across the Internet cannot be guaranteed
messages and documents sent via this medium are potentially at risk. You
should perform your own virus checks before opening any attachments

---------------------------------------------------------------------------
----------------------------------------------------------------------------
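Both posters are describing the same thing from the log side: a single source hammering the SMTP service with failed logons a few seconds apart, cycling through a short list of account names (webmaster, root). The distinguishing feature is the timing, not any one failure, so the useful check is to group the Event ID 100 / SMTPSVC entries by client address and look at the gap between attempts. The script below is an added example, not code from either poster; it runs over a constructed, tab-separated export of event-log entries (the column layout, the addresses and the account names are assumptions, since the thread only says the entries carry Event ID 100 and source SMTPSVC) and flags sources whose failures arrive faster than a human retyping a password.

```python
"""Flag rapid, repeated SMTP logon failures from a Windows event-log export.

Added example for the thread above; not the posters' code. The log format
(timestamp, source, event ID, client IP, account) is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (not real log data). One source tries webmaster/root
# every three seconds; a second source fails twice, forty minutes apart; the
# last line is from a different service and must be ignored.
SAMPLE_LOG = """\
2003-09-23 18:01:00\tSMTPSVC\t100\t203.0.113.7\twebmaster
2003-09-23 18:01:03\tSMTPSVC\t100\t203.0.113.7\troot
2003-09-23 18:01:06\tSMTPSVC\t100\t203.0.113.7\twebmaster
2003-09-23 18:01:09\tSMTPSVC\t100\t203.0.113.7\troot
2003-09-23 18:01:12\tSMTPSVC\t100\t203.0.113.7\twebmaster
2003-09-23 18:01:15\tSMTPSVC\t100\t203.0.113.7\troot
2003-09-23 18:01:18\tSMTPSVC\t100\t203.0.113.7\twebmaster
2003-09-23 18:01:21\tSMTPSVC\t100\t203.0.113.7\troot
2003-09-23 18:05:00\tSMTPSVC\t100\t198.51.100.5\talice
2003-09-23 18:45:00\tSMTPSVC\t100\t198.51.100.5\talice
2003-09-23 18:02:00\tW3SVC\t100\t203.0.113.7\twebmaster
"""


def parse_events(text):
    """Parse tab-separated export lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, ip, account = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source,
            "event_id": int(event_id),
            "ip": ip,
            "account": account,
        })
    return events


def find_bruteforce(events, source="SMTPSVC", event_id=100,
                    min_attempts=5, max_median_gap=10.0):
    """Group matching failures by client IP and flag automated sources.

    A source is flagged when it produced at least `min_attempts` failures and
    the median gap between consecutive failures is at most `max_median_gap`
    seconds. Returns {ip: summary} for flagged sources only.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["source"] == source and e["event_id"] == event_id:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        if len(evs) < min_attempts:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds()
                for a, b in zip(evs, evs[1:])]
        med = median(gaps)
        if med > max_median_gap:
            continue
        findings[ip] = {
            "attempts": len(evs),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "median_gap_seconds": med,
            "accounts": sorted({e["account"] for e in evs}),
            # The order of names tried shows whether a wordlist is cycling.
            "account_sequence": [e["account"] for e in evs],
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} failures between {f['first']} and "
              f"{f['last']}, median gap {f['median_gap_seconds']}s, "
              f"accounts tried {f['accounts']}")
```

The median rather than the mean is used so that one long pause (the seven-minute burst Clive saw ending, or a tool backing off) does not hide an otherwise machine-paced run. The thresholds are starting points; on a busy relay the account list per source is often the better signal, since legitimate users do not alternate between two unrelated names every three seconds.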