[BlueOnyx:04408] Re: can't stop this attack
Gerald Waugh
gwaugh at raqware.com
Thu May 6 11:50:51 -05 2010
On Thu, 2010-05-06 at 11:47 -0500, Gerald Waugh wrote:
> I put the IP in hosts.deny
> I put the IP in iptables
> Still keeps coming, uses different IPs on server and different users
> I even stopped xinetd, but still keep coming
>
> netstat looks like this
> tcp 0 0 70.246.22.17:110 213.80.73.45:55643 ESTABLISHED 9901/pop3-login
> tcp 1 0 70.246.22.25:110 213.80.73.45:58238 CLOSE_WAIT 9596/pop3-login
> tcp 0 0 70.246.22.37:110 213.80.73.45:55584 ESTABLISHED 9917/pop3-login
> tcp 0 0 70.246.22.29:110 213.80.73.45:55579 ESTABLISHED 9904/pop3-login
> tcp 1 0 70.246.22.17:110 213.80.73.45:39467 CLOSE_WAIT 9752/pop3-login
> tcp 1 0 70.246.22.37:110 213.80.73.45:47883 CLOSE_WAIT 9508/pop3-login
>
> maillog looks like this
>
> May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
> May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
> May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
> May 6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
>
> ideas?
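
Added example, not part of the original post: a Python summary of dovecot `auth failed` lines in the format quoted above, grouped by remote address (`rip`) with the usernames and local addresses (`lip`) each one tried. The function names and thresholds are assumptions; the sample reuses the four quoted log lines plus one constructed line from 192.0.2.10.

```python
import re
from collections import defaultdict

# Four lines from the quoted maillog, plus one constructed line (192.0.2.10).
SAMPLE_LOG = """\
May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
May 6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
May 6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
May 6 11:44:02 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=70.246.22.22
"""

# Matches the failure lines of the pop3-login and imap-login processes.
FAILED = re.compile(
    r"(?:pop3|imap)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=[^,]+, "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=(?P<lip>[0-9A-Fa-f.:]+)"
)


def summarize_failures(log_text):
    """Return {rip: {"attempts": int, "users": set, "local_ips": set}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "local_ips": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats[m["rip"]]
        entry["attempts"] += int(m["attempts"])
        entry["users"].add(m["user"])
        entry["local_ips"].add(m["lip"])
    return dict(stats)


def spraying_sources(stats, min_users=3, min_local_ips=2):
    """Remote addresses that tried many usernames across several local IPs.

    The thresholds are assumed starting points, not values from the post.
    """
    return sorted(
        rip for rip, s in stats.items()
        if len(s["users"]) >= min_users and len(s["local_ips"]) >= min_local_ips
    )


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for rip in spraying_sources(summary):
        s = summary[rip]
        print(rip, s["attempts"], sorted(s["users"]), sorted(s["local_ips"]))
```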