Mailing List SIMS@mail.stalker.com Message #13843
From: Bill Cole <listbill@scconsult.com>
Subject: WARNING: A new attack to watch for
Date: Tue, 14 Oct 2003 21:03:30 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
One attack that has become common against Exchange servers is an AUTH password crack. This is currently hitting Exchange mostly because for some reason Windows admins seem to almost universally leave default accounts with default passwords in place, but it is a simple brute force attack that could be used on ANY mail server supporting AUTH for relay permission. The lines to look for in the logs are:

20:52:27 1 SMTP {username} AUTH failed: password(badpassword) is wrong. Connection from [10.1.1.1:50482]
20:52:27 4 SMTP-094([10.1.1.1]) Sending 535 authentication failed\r\n

If Stalker is still willing to enhance SIMS, a good response would be to approach AUTH failures in a similar way to how bad/spamtrap RCPT failures are now handled: after a few from the same IP in a short time, start playing games with it. The server could even fake success on the 4th bad try, then 5xx every command.

For now, it is probably a good idea to start looking for those telltale signs in your logs.

--
Bill Cole
bill@scconsult.com
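The log check Bill describes, worked out as an added example (this is not code from the post, from SIMS, or from Stalker): a small Python script that parses the "AUTH failed" line format quoted above, keeps a sliding window of failures per client IP, and flags any IP that crosses a threshold within that window. The sample log lines are constructed for the example; the account names, the threshold of three failures in five minutes, and the per-connection reply policy in auth_failure_action() are assumptions about what a server could do, not SIMS behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the SIMS "AUTH failed" line quoted in the post. The log level
# ("1") and the client port are not needed for the check, so they are not
# captured. Assumption: every line carries only HH:MM:SS (no date), so all
# lines are treated as belonging to the same day.
AUTH_FAIL_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \d+ SMTP (?P<user>\S+) AUTH failed: "
    r"password\((?P<password>[^)]*)\) is wrong\. "
    r"Connection from \[(?P<ip>[^\]:]+):\d+\]$"
)

# Constructed sample log (not taken from the post): one client cycling through
# default account names and passwords, plus a legitimate user who mistyped once.
SAMPLE_LOG = [
    r"20:52:27 1 SMTP administrator AUTH failed: password(password) is wrong. Connection from [10.1.1.1:50482]",
    r"20:52:27 4 SMTP-094([10.1.1.1]) Sending 535 authentication failed\r\n",
    r"20:52:29 1 SMTP administrator AUTH failed: password(admin) is wrong. Connection from [10.1.1.1:50483]",
    r"20:52:31 1 SMTP guest AUTH failed: password(guest) is wrong. Connection from [10.1.1.1:50484]",
    r"20:52:33 1 SMTP test AUTH failed: password(test) is wrong. Connection from [10.1.1.1:50485]",
    r"20:53:10 1 SMTP jdoe AUTH failed: password(hunter2) is wrong. Connection from [192.0.2.7:1025]",
]


def parse_auth_failures(lines):
    """Yield (timestamp, ip, user, password) for each AUTH-failed line.

    Lines that do not match (for example the "Sending 535" line that follows
    each failure) are skipped.
    """
    for line in lines:
        m = AUTH_FAIL_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group("time"), "%H:%M:%S")
            yield when, m.group("ip"), m.group("user"), m.group("password")


def find_auth_brute_force(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag client IPs with at least `threshold` AUTH failures inside `window`.

    Returns {ip: {"flagged_at": "HH:MM:SS", "failures": n, "users": [...]}}
    where "flagged_at" is the time of the failure that crossed the threshold
    and "failures" is the total count for that IP over the whole input.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> account names tried (default-account sweeps stand out)
    total = defaultdict(int)
    flagged = {}
    for when, ip, user, _ in parse_auth_failures(lines):
        users[ip].add(user)
        total[ip] += 1
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when.strftime("%H:%M:%S")
    return {
        ip: {"flagged_at": at, "failures": total[ip], "users": sorted(users[ip])}
        for ip, at in flagged.items()
    }


def auth_failure_action(failures_in_window, threshold=3):
    """Per-connection reply policy modelled on the post's suggestion.

    This is an assumption about what a server could do, not what SIMS does:
    answer normally below the threshold, give the next bad attempt a fake
    success, and refuse every command after that so the cracker's wordlist
    stalls instead of getting a clean yes/no per guess.
    """
    if failures_in_window < threshold:
        return "535 authentication failed"
    if failures_in_window == threshold:
        return "235 authentication succeeded"   # deliberately false
    return "550 service refused"


if __name__ == "__main__":
    for ip, info in find_auth_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} AUTH failures, flagged at "
              f"{info['flagged_at']}, accounts tried: {', '.join(info['users'])}")
```

Run it over a day's SIMS log and a single IP walking through administrator/guest/test is reported while jdoe's one typo is not; tune the threshold and window to the traffic of the server rather than keeping the example's values.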
