
SANS ISC: Botnet brute forcing mail accounts? SANS ISC InfoSec Forums

Botnet brute forcing mail accounts?
Twice in the last two days, in what looks like a botnet-based attack, 25 to 35 different IPs will connect to my mail server within a few seconds of each other and try logging in using a valid username, different each day, but invalid passwords, locking out that account. Most were Brazilian IPs, but today there were several from India as well.
Logs follow:
Jun 21 18:21:07 mail postfix/submission/smtpd[7790]: warning: unknown[187.111.57.165]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:07 mail postfix/submission/smtpd[7804]: warning: unknown[187.28.28.15]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:07 mail postfix/submission/smtpd[7795]: warning: unknown[187.28.28.40]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7796]: warning: unknown[187.28.28.47]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7791]: warning: unknown[187.111.57.191]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7789]: warning: unknown[187.111.57.134]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:08 mail postfix/submission/smtpd[7802]: warning: unknown[187.32.88.113]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7788]: warning: unknown[187.111.57.156]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7799]: warning: unknown[187.111.56.79]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7794]: warning: unknown[187.111.56.127]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7792]: warning: unknown[187.111.57.113]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7793]: warning: unknown[187.111.57.113]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7805]: warning: unknown[187.111.56.61]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7798]: warning: unknown[187.111.57.101]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7807]: warning: unknown[187.111.57.149]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:09 mail postfix/submission/smtpd[7806]: warning: unknown[187.32.88.17]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7812]: warning: 187-84-168-210.beltraonet.com.br[187.84.168.210]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7787]: warning: unknown[187.32.88.71]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7814]: warning: unknown[200.23.228.139]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7811]: warning: 187-84-170-20.beltraonet.com.br[187.84.170.20]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:10 mail postfix/submission/smtpd[7797]: warning: unknown[187.111.56.71]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7815]: warning: unknown[200.23.232.4]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7803]: warning: unknown[187.111.56.82]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7800]: warning: unknown[110.235.138.25]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7810]: warning: unknown[187.32.88.110]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7816]: warning: unknown[200.23.230.119]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:11 mail postfix/submission/smtpd[7813]: warning: unknown[200.23.232.88]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:12 mail postfix/submission/smtpd[7841]: warning: unknown[187.111.56.225]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:12 mail postfix/submission/smtpd[7817]: warning: unknown[200.23.230.156]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:12 mail postfix/submission/smtpd[7853]: warning: unknown[187.32.88.18]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:13 mail postfix/smtps/smtpd[7884]: warning: unknown[177.67.164.132]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:13 mail postfix/smtps/smtpd[7885]: warning: unknown[189.127.36.176]: SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:14 mail postfix/smtps/smtpd[7886]: warning: unknown[200.6.137.119] SASL PLAIN authentication failed: authentication failure
Jun 21 18:21:17 mail postfix/smtpd[6617]: warning: unknown[138.122.37.197]: SASL PLAIN authentication failed: authentication failure


Jun 22 05:30:42 mail postfix/submission/smtpd[6372]: warning: unknown[189.127.33.189]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6375]: warning: unknown[189.127.34.139]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6374]: warning: unknown[189.127.34.213]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6377]: warning: unknown[189.127.34.245]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:42 mail postfix/submission/smtpd[6373]: warning: unknown[189.127.32.233]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:43 mail postfix/submission/smtpd[6376]: warning: unknown[189.127.34.72]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:43 mail postfix/submission/smtpd[6499]: warning: 189-124-7-23.tcvnet.com.br[189.124.7.23]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:44 mail postfix/submission/smtpd[6406]: warning: 189-124-0-213.tcvnet.com.br[189.124.0.213]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:46 mail postfix/submission/smtpd[6744]: warning: 189-124-0-216.tcvnet.com.br[189.124.0.216]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6788]: warning: unknown[128.201.253.187]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6786]: warning: unknown[128.201.253.17]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6374]: warning: unknown[103.84.61.103]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6375]: warning: unknown[103.84.61.196]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6499]: warning: unknown[103.87.46.81]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6406]: warning: unknown[103.81.155.251]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:50 mail postfix/submission/smtpd[6783]: warning: unknown[131.0.166.5]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6373]: warning: unknown[131.100.33.98]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6785]: warning: unknown[103.81.155.246]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6376]: warning: unknown[103.84.61.246]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6377]: warning: unknown[103.84.61.147]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6784]: warning: unknown[131.0.166.196]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6787]: warning: unknown[103.81.155.219]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6789]: warning: unknown[131.100.81.136]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:51 mail postfix/submission/smtpd[6372]: warning: unknown[103.84.61.155]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:54 mail postfix/submission/smtpd[6744]: warning: unknown[189.127.35.209]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:54 mail postfix/submission/smtpd[6828]: warning: unknown[189.127.34.90]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6837]: warning: unknown[189.127.34.78]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6788]: warning: unknown[189.51.104.150]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6858]: warning: unknown[189.51.104.197]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6786]: warning: unknown[189.51.104.164]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:55 mail postfix/submission/smtpd[6861]: warning: unknown[189.51.112.93]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:30:56 mail postfix/submission/smtpd[6375]: warning: 189-38-1-56.britistelecom.com.br[189.38.1.56]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:31:00 mail postfix/submission/smtpd[6374]: warning: unknown[128.201.252.210]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:31:01 mail postfix/smtps/smtpd[6963]: warning: unknown[103.81.154.107]: SASL PLAIN authentication failed: authentication failure
Jun 22 05:31:02 mail postfix/submission/smtpd[6406]: warning: unknown[110.235.138.238]: SASL PLAIN authentication failed: authentication failure
Anonymous
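A detector for the pattern described above, added here as an example and not part of the original post: it parses Postfix SASL failure lines like the ones posted and flags short windows in which many distinct source IPs fail against the server, which a per-IP rate limit or an account lockout policy does not capture. The sample log, the thresholds and the function names are assumptions.

```python
import re
from datetime import datetime

# Postfix smtpd SASL-failure warning as shown in the post; the colon after
# the bracketed IP is optional because one posted line lacks it.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<svc>\S+?)\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]:? SASL \w+ authentication failed"
)

def parse_sasl_failures(lines):
    """Return (timestamp, ip, service) for each SASL failure line, in order."""
    events = []
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            # syslog has no year; strptime's 1900 default is fine because only
            # the gaps between events matter below.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["svc"]))
    return events

def detect_distributed_bursts(events, window_s=30, min_distinct_ips=10):
    """Flag windows in which many distinct IPs fail to authenticate.
    One user mistyping a password repeats from one IP; the posted pattern is
    dozens of IPs within seconds, so the signal is distinct sources, not volume.
    """
    events = sorted(events)
    bursts, i = [], 0
    while i < len(events):
        start, j = events[i][0], i
        while j < len(events) and (events[j][0] - start).total_seconds() <= window_s:
            j += 1
        ips = {ip for _, ip, _ in events[i:j]}
        if len(ips) >= min_distinct_ips:
            bursts.append({"start": start, "end": events[j - 1][0],
                           "failures": j - i, "distinct_ips": len(ips)})
        i = j
    return bursts

# Constructed sample modelled on the posted lines (documentation-range IPs):
# twelve distinct sources in four seconds, then one user retrying from one IP.
SAMPLE_LOG = [
    f"Jun 21 18:21:{7 + n // 3:02d} mail postfix/submission/smtpd[{7790 + n}]: "
    f"warning: unknown[192.0.2.{n + 1}]: SASL PLAIN authentication failed: authentication failure"
    for n in range(12)
] + [
    "Jun 21 19:05:01 mail postfix/smtps/smtpd[8001]: warning: unknown[198.51.100.7] SASL PLAIN authentication failed: authentication failure",
    "Jun 21 19:05:09 mail postfix/smtps/smtpd[8002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
]
```

Lowering min_distinct_ips and widening window_s catches slower, more spread-out runs at the cost of more noise when a misconfigured mail client retries from several addresses.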
