Hello Colleagues and *,

since Sunday 19:47 CEST, 18 of my servers have been under heavy attack. Currently I have counted over 18 million login attempts (dictionary attack) with a list of 1005 names, and it started with IP <50.56.180.220>.

--[ '/var/log/mail.log' ]-----------------------------------------------
Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:54 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:47:59 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:04 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:14 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:16 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:19 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:19 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:20 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:21 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:25 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
<snip>
------------------------------------------------------------------------

I encountered this problem today, when I saw that the log size had increased by a factor of 200! I mean, my daily mail.log is around 1.8 GByte!

Also, since yesterday, I have been getting similar attacks from 3 other IPs from the USA.

Has anyone encountered similar things?

Note: I am trying to reach a (personally known) FBI field officer from New York since I work a PMC.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux
               Internet Service Provider, Cloud Computing
                <http://www.itsystems.tamay-dogan.net/>
                 <http://www.debian.tamay-dogan.net/>

itsystems@tdnet                     Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack
Gewerbe Strasse 3                   Tel office: +49-176-86004575
77694 Kehl                          Tel mobil:  +49-177-9351947
Germany                             Tel mobil:  +33-6-61925193  (France)

USt-ID:  DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/