<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Arthur Sherman wrote:
<blockquote cite="mid:0JI900A9U2BP4D60 (at mark) mxout5.netvision.net.il"
type="cite">
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">i'd run 'netstat' with appropriate switches to
check against new connections.</font></span></div>
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">it does seem to be an attack...</font></span></div>
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">can you see the source IP of this? i wonder if
it comes from inside...</font></span></div>
<div><span class="468502718-18052007"></span> </div>
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">do you have any kind of web app/mail firewall in
place? ISP or dedicated, or software?</font></span></div>
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">if you do, do you have anti DDoS and such
protection in place?</font></span></div>
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">i wouldn't count on BQ to hold its ground
against this kind of attack all by itself.</font></span></div>
<div><span class="468502718-18052007"><font color="#0000ff"
face="Arial" size="2">and this is 99.99% of attacks coming to my
server these days.</font></span></div>
<div> </div>
<!-- Converted from text/plain format --><span
class="468502718-18052007"></span><font face="Arial"><font
color="#0000ff"><font size="2">HTH<span class="468502718-18052007"></span></font></font></font><br>
<br>
<p><font size="2">Best,<br>
<br>
--<br>
Arthur</font> </p>
<div> </div>
<br>
<blockquote dir="ltr"
style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div class="OutlookMessageHeader" dir="ltr" align="left"
lang="en-us">
<hr tabindex="-1"> <font face="Tahoma" size="2"><b>From:</b> TUNC
ERESEN [<a class="moz-txt-link-freetext" href="mailto:tunc (at mark) eresen.com">mailto:tunc (at mark) eresen.com</a>] <br>
<b>Sent:</b> Friday, May 18, 2007 8:56 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:coba-e (at mark) bluequartz.org">coba-e (at mark) bluequartz.org</a><br>
<b>Subject:</b> [coba-e:09892] Is this a attack! "check pass; user
unknown"<br>
</font><br>
</div>
<div class="Section1">
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">Hi
all <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11102]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11081]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11082]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11100]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11120]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11121]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11122]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11103]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11105]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11101]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11104]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11124]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11106]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">May
18 18:42:30 ns3 PAM_pwdb[11126]: check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">Hot
off the log….<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">And
What to do about it ? Girrr again…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">I
am getting 10000’s of these how can I kill or stop it… Or is it in a
loop.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">Regards
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; color: rgb(31, 73, 125); font-family: 'Calibri','sans-serif';">Tunc
<o:p></o:p></span></p>
</div>
</blockquote>
<br>
-- <br>
This message has been scanned for viruses and
<br>
dangerous content by
<a moz-do-not-send="true" href="http://www.mailscanner.info/"><b>MailScanner</b></a>,
and is
<br>
believed to be clean.
</blockquote>
<font face="Calibri">I saw these lines on my box after dovecot went
down from a similar dictionary attack. These lines continued well
after the attack stopped. I believe the lines were from users' POP
accounts failing during authentication. I repaired pwdb and restarted
dovecot and all went well. I believe you can find the offending IP in
the secure or messages log and add it to your hosts.deny file. <br>
<br>
cheers. <br>
<br>
Ethan<br>
</font><br>
<div class="moz-signature">-- <br>
<div class="Section1">
<p class="MsoNormal"><b style=""><span style="font-family: Calibri;">Ethan
V. Mateja<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-family: Calibri;"><o:p> </o:p></span></p>
<p class="MsoNormal"><b style=""><i style=""><span
style="font-family: Calibri; color: blue;">Packetforward<o:p></o:p></span></i></b></p>
<p class="MsoNormal"><st1:Street w:st="on"><st1:address w:st="on"><span
style="font-size: 10pt; font-family: Calibri;">22 <span class="SpellE">Tidball</span>
Road</span></st1:address></st1:Street><span
style="font-size: 10pt; font-family: Calibri;"><o:p></o:p></span></p>
<p class="MsoNormal"><st1:place w:st="on"><st1:City w:st="on"><span
style="font-size: 10pt; font-family: Calibri;">Fort Monroe</span></st1:City><span
style="font-size: 10pt; font-family: Calibri;">, <st1:State w:st="on">VA</st1:State>
<st1:PostalCode w:st="on">23651</st1:PostalCode></span></st1:place><span
style="font-size: 10pt; font-family: Calibri;"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: Calibri;">757.268.6672
mobile<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family: Calibri;"><a
href="mailto:support (at mark) packetforward.com">support (at mark) packetforward.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family: Calibri;"><a
href="http://www.packetforward.com/">www.packetforward.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
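<p>The log check suggested in the reply above, as an added example that is not part of the original messages: it counts failed logins per source address and prints matching hosts.deny rules. The sample log is constructed, and the pop3-login line format with its "rip=" field is an assumption, as are the function names.</p>

```shell
#!/bin/sh
# Added example: count failed logins per source IP and print hosts.deny rules.

# Constructed sample log. The PAM_pwdb lines have the shape quoted in the thread
# and carry no address; the pop3-login lines and their "rip=" field are an
# assumed format, so adjust the pattern to what your secure/messages log shows.
sample_log() {
cat <<'EOF'
May 18 18:42:30 ns3 PAM_pwdb[11102]: check pass; user unknown
May 18 18:42:30 ns3 pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
May 18 18:42:30 ns3 PAM_pwdb[11081]: check pass; user unknown
May 18 18:42:31 ns3 pop3-login: Aborted login: user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
May 18 18:42:31 ns3 PAM_pwdb[11082]: check pass; user unknown
May 18 18:42:31 ns3 pop3-login: Aborted login: user=<x rip=198.51.100.23, lip=1.1.1.1>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
May 18 18:42:32 ns3 pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
EOF
}

# offenders MIN: read a log on stdin, print "count ip" for every source with at
# least MIN failed logins. The pattern is anchored to the end of the line
# because the user=<...> field is client-supplied text and could itself contain
# a fake "rip=" naming an address someone wants blocked.
offenders() {
    awk -v min="$1" '
        /Aborted login/ && match($0, /rip=[0-9.]+, lip=[0-9.]+$/) {
            ip = substr($0, RSTART + 4)
            sub(/,.*/, "", ip)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# deny_lines MIN: the same sources as TCP-wrappers rules for /etc/hosts.deny.
deny_lines() {
    offenders "$1" | awk '{ print "ALL: " $2 }'
}

# unknown_user_count: how many "user unknown" PAM lines the log holds.
unknown_user_count() {
    grep -c 'check pass; user unknown'
}

# Review the output before appending it to /etc/hosts.deny.
sample_log | deny_lines 3
```

<p>hosts.deny is only consulted by services built with TCP wrappers or started through tcpd or xinetd, so confirm the mail daemon honours it before relying on the rule.</p>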
</body>
</html>