[BlueOnyx:04409] Re: can't stop this attack

Gerald Waugh gwaugh at frontstreetnetworks.com
Thu May 6 11:58:54 -05 2010


Sending again as I did not see a post.
On Thu, 2010-05-06 at 11:50 -0500, Gerald Waugh wrote:
> On Thu, 2010-05-06 at 11:47 -0500, Gerald Waugh wrote:
> > I put the IP in hosts.deny
> > I put the IP in iptables
> > Still keeps coming, uses different IPs on server and different users
> > I even stopped xinetd, but still keep coming
> > 
> > netstat looks like this
> > tcp        0      0 70.246.22.17:110            213.80.73.45:55643          ESTABLISHED 9901/pop3-login
> > tcp        1      0 70.246.22.25:110            213.80.73.45:58238          CLOSE_WAIT  9596/pop3-login
> > tcp        0      0 70.246.22.37:110            213.80.73.45:55584          ESTABLISHED 9917/pop3-login
> > tcp        0      0 70.246.22.29:110            213.80.73.45:55579          ESTABLISHED 9904/pop3-login
> > tcp        1      0 70.246.22.17:110            213.80.73.45:39467          CLOSE_WAIT  9752/pop3-login
> > tcp        1      0 70.246.22.37:110            213.80.73.45:47883          CLOSE_WAIT  9508/pop3-login
> > 
> > maillog looks like this
> > 
> > May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
> > May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
> > May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
> > May  6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
> > 
> > ideas?
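
Added example (not part of the original post): a Python script that groups dovecot pop3-login failures like those in the maillog excerpt by remote IP and flags sources trying many usernames across several local addresses. The thresholds, the function names and the 192.0.2.10 line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches dovecot pop3-login failure lines in the format quoted in the post.
FAIL_RE = re.compile(
    r"dovecot: pop3-login: Disconnected \(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=(?P<lip>[0-9a-fA-F.:]+)"
)

# The four maillog entries from the post (unwrapped), plus one constructed
# line from a documentation address (192.0.2.10) for contrast.
SAMPLE_LOG = """\
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Krystal>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.22
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Patches>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.28
May  6 11:43:44 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Maveric>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.42
May  6 11:43:45 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<Merlin>, method=PLAIN, rip=213.80.73.45, lip=70.246.22.21
May  6 11:43:46 ns1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=70.246.22.22
"""

def summarize(lines):
    """Group failed logins by remote IP: attempts, distinct users, distinct local IPs."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "lips": set()})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a pop3-login auth failure
        s = stats[m["rip"]]
        s["attempts"] += int(m["n"])
        s["users"].add(m["user"])
        s["lips"].add(m["lip"])
    return dict(stats)

def spraying_sources(stats, min_users=3, min_lips=2):
    """Remote IPs that tried many usernames across several local addresses."""
    return sorted(
        rip for rip, s in stats.items()
        if len(s["users"]) >= min_users and len(s["lips"]) >= min_lips
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for rip in spraying_sources(stats):
        s = stats[rip]
        print(f"{rip}: {s['attempts']} failures, "
              f"{len(s['users'])} users, {len(s['lips'])} local IPs")
```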



