
SANS ISC: Botnet brute forcing mail accounts? - Internet Security | DShield SANS ISC InfoSec Forums


Botnet brute forcing mail accounts?
Twice in the last two days, in what looks like a botnet based attack, 25 to 35 different IPs will connect to my mail server within a few seconds of each other, and try logging in using a valid username, different each day, but invalid passwords, locking out that account. Most were Brazilian IPs, but today there were several from India as well.
Logs follow:
Jun 21 18:21:07 mail postfix/submission/smtpd[7790]: warning: unknown[187.111.57.165]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:07 mail postfix/submission/smtpd[7804]: warning: unknown[187.28.28.15]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:07 mail postfix/submission/smtpd[7795]: warning: unknown[187.28.28.40]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7796]: warning: unknown[187.28.28.47]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7791]: warning: unknown[187.111.57.191]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7789]: warning: unknown[187.111.57.134]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7802]: warning: unknown[187.32.88.113]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7788]: warning: unknown[187.111.57.156]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7799]: warning: unknown[187.111.56.79]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7794]: warning: unknown[187.111.56.127]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7792]: warning: unknown[187.111.57.113]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7793]: warning: unknown[187.111.57.113]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7805]: warning: unknown[187.111.56.61]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7798]: warning: unknown[187.111.57.101]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7807]: warning: unknown[187.111.57.149]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7806]: warning: unknown[187.32.88.17]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7812]: warning: 187-84-168-210.beltraonet.com.br[187.84.168.210]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7787]: warning: unknown[187.32.88.71]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7814]: warning: unknown[200.23.228.139]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7811]: warning: 187-84-170-20.beltraonet.com.br[187.84.170.20]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7797]: warning: unknown[187.111.56.71]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7815]: warning: unknown[200.23.232.4]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7803]: warning: unknown[187.111.56.82]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7800]: warning: unknown[110.235.138.25]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7810]: warning: unknown[187.32.88.110]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7816]: warning: unknown[200.23.230.119]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7813]: warning: unknown[200.23.232.88]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:12 mail postfix/submission/smtpd[7841]: warning: unknown[187.111.56.225]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:12 mail postfix/submission/smtpd[7817]: warning: unknown[200.23.230.156]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:12 mail postfix/submission/smtpd[7853]: warning: unknown[187.32.88.18]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:13 mail postfix/smtps/smtpd[7884]: warning: unknown[177.67.164.132]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:13 mail postfix/smtps/smtpd[7885]: warning: unknown[189.127.36.176]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:14 mail postfix/smtps/smtpd[7886]: warning: unknown[200.6.137.119] SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:17 mail postfix/smtpd[6617]: warning: unknown[138.122.37.197]: SASL PLAIN authentication failed: authentication failure


Jun 22 05:30:42 mail postfix/submission/smtpd[6372]: warning: unknown[189.127.33.189]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6375]: warning: unknown[189.127.34.139]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6374]: warning: unknown[189.127.34.213]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6377]: warning: unknown[189.127.34.245]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6373]: warning: unknown[189.127.32.233]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:43 mail postfix/submission/smtpd[6376]: warning: unknown[189.127.34.72]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:43 mail postfix/submission/smtpd[6499]: warning: 189-124-7-23.tcvnet.com.br[189.124.7.23]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:44 mail postfix/submission/smtpd[6406]: warning: 189-124-0-213.tcvnet.com.br[189.124.0.213]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:46 mail postfix/submission/smtpd[6744]: warning: 189-124-0-216.tcvnet.com.br[189.124.0.216]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6788]: warning: unknown[128.201.253.187]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6786]: warning: unknown[128.201.253.17]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6374]: warning: unknown[103.84.61.103]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6375]: warning: unknown[103.84.61.196]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6499]: warning: unknown[103.87.46.81]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6406]: warning: unknown[103.81.155.251]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6783]: warning: unknown[131.0.166.5]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6373]: warning: unknown[131.100.33.98]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6785]: warning: unknown[103.81.155.246]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6376]: warning: unknown[103.84.61.246]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6377]: warning: unknown[103.84.61.147]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6784]: warning: unknown[131.0.166.196]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6787]: warning: unknown[103.81.155.219]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6789]: warning: unknown[131.100.81.136]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6372]: warning: unknown[103.84.61.155]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:54 mail postfix/submission/smtpd[6744]: warning: unknown[189.127.35.209]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:54 mail postfix/submission/smtpd[6828]: warning: unknown[189.127.34.90]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6837]: warning: unknown[189.127.34.78]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6788]: warning: unknown[189.51.104.150]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6858]: warning: unknown[189.51.104.197]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6786]: warning: unknown[189.51.104.164]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6861]: warning: unknown[189.51.112.93]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:56 mail postfix/submission/smtpd[6375]: warning: 189-38-1-56.britistelecom.com.br[189.38.1.56]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:31:00 mail postfix/submission/smtpd[6374]: warning: unknown[128.201.252.210]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:31:01 mail postfix/smtps/smtpd[6963]: warning: unknown[103.81.154.107]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:31:02 mail postfix/submission/smtpd[6406]: warning: unknown[110.235.138.238]: SASL PLAIN authentication failed: authentication failure
Anonymous
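One way to spot this pattern from the server side, as an added example (not code from the post or from the ISC handlers): a small Python detector that parses the postfix SASL failure lines in the format shown above and alerts on the number of distinct source addresses inside a sliding time window, instead of on failures per address, which is what per-IP limiters count and which stays at one or two here. The sample log lines (TEST-NET addresses) and the year are constructed assumptions, since syslog timestamps carry no year.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample lines in the postfix/smtpd format the post shows (not the post's own IPs).
SAMPLE_LOG = """\
Jun 21 18:21:07 mail postfix/submission/smtpd[7790]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:07 mail postfix/submission/smtpd[7804]: warning: unknown[203.0.113.17]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7795]: warning: host.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/smtps/smtpd[7884]: warning: unknown[203.0.113.99] SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7792]: warning: unknown[203.0.113.17]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:25:00 mail postfix/submission/smtpd[7900]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:25:01 mail postfix/submission/smtpd[7901]: connect from unknown[192.0.2.44]
"""

# Matches submission, smtps and plain smtpd lines; the colon after "]" is optional
# because one line style in the post omits it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S*?\[(?P<ip>[0-9.]+)\]:? SASL \w+ authentication failed"
)

def parse_failures(text, year=2018):
    """Yield (timestamp, source_ip) per SASL failure line. Syslog lines carry
    no year, so the caller supplies it (2018 is an assumed default)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def per_ip_counts(events):
    """Failures per source. In a distributed run each source stays at 1-2,
    below any per-IP maxretry, which is why per-IP blocking alone misses it."""
    return Counter(ip for _, ip in events)

def detect_bursts(events, window_s=60, min_ips=20):
    """Return (first_ts, last_ts, distinct_ips) once per burst in which at
    least min_ips distinct sources fail inside a sliding window_s window."""
    alerts, window, armed = [], deque(), True
    for ts, ip in sorted(events):
        window.append((ts, ip))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()          # drop events older than the window
        distinct = len({w[1] for w in window})
        if distinct >= min_ips and armed:
            alerts.append((window[0][0], ts, distinct))
            armed = False             # one alert per burst
        elif distinct < min_ips:
            armed = True              # burst drained; re-arm
    return alerts
```

Feed it the real maillog with the production thresholds (the defaults above) and a window of a few seconds to match the burst the post describes; the per-IP counter is there to show why a maxretry-style rule would stay silent on the same input.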
