hacker.org

The Hacker's Home
https://www.hacker.org/f3/

Hack patern noticed, please advise

https://www.hacker.org/f3/viewtopic.php?t=1124

Page 1 of 1

Hack patern noticed, please advise

Posted: Tue Dec 23, 2008 4:08 pm
by insane_ai
I have been logging unsuccessful attempts to gain access to my network over the last few months. Upon review of the source I.P. addresses, I noticed a pattern that these attempts followed persistent SMTP connections in my mail server from the same I.P. block.

Although different I.P. blocks are being used from one set of attacks to another, the same usernames are repeated in all attemps. ahola, aholasvr, manager, admin, and administrator.

Port usage is not consistent. Each account will attempt to use the same port up to three times within an attack before changing port and or username.

The attacks occur in batches of 11 to 14 attempts within 1 minute then repeat up to three times roughly every hour for up to three hours.

Does any one know if this is a bot or just poorly programmed mail servers?

Re: Hack patern noticed, please advise

Posted: Tue Dec 23, 2008 10:12 pm
by BerryTheWest
insane_ai wrote:I have been logging unsuccessful attempts to gain access to my network over the last few months. Upon review of the source I.P. addresses, I noticed a pattern that these attempts followed persistent SMTP connections in my mail server from the same I.P. block.

Although different I.P. blocks are being used from one set of attacks to another, the same usernames are repeated in all attemps. ahola, aholasvr, manager, admin, and administrator.

Port usage is not consistent. Each account will attempt to use the same port up to three times within an attack before changing port and or username.

The attacks occur in batches of 11 to 14 attempts within 1 minute then repeat up to three times roughly every hour for up to three hours.

Does any one know if this is a bot or just poorly programmed mail servers?
Well if you try to IP block them, it basically ineffective. Why? They can change it by changing the MAC address, call the ISP, or use a proxy.

Posted: Wed Dec 24, 2008 2:32 am
by PaRaDoX
i would think its a bot, no one i know has that kind of patience to attack so often and ineffectively. Good job with security btw ^-^

try an ip lookup? find the address and if its in your country report it to the police / their isp if thats all you can get. if they live near you go kick the guy's ass :P
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited