Hello Colleagues and *,
since Sunday 19:47 CEST, 18 of my servers have been under heavy attack.
Currently I have counted over 18 million login attempts (dictionary
attack) with a list of 1005 names, and it started with IP <50.56.180.220>.
--[ '/var/log/mail.log' ]-----------------------------------------------
Aug 12 19:47:32 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:53 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:54 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:47:59 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:47:59 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:04 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:04 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:09 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
Aug 12 19:48:10 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:10 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:14 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:14 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:16 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:16 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:19 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:19 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:20 vserver04 imapd: LOGIN FAILED, user=abby, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=5
Aug 12 19:48:21 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:21 vserver04 imapd: LOGIN FAILED, user=aaron, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=6
Aug 12 19:48:25 vserver04 imapd: Connection, ip=[::ffff:50.56.180.220]
Aug 12 19:48:25 vserver04 imapd: Disconnected, ip=[::ffff:50.56.180.220], time=0
<snip>
------------------------------------------------------------------------
I encountered this problem today, when I saw that the log size had increased
by a factor of 200! I mean, my daily mail.log is around 1.8 GByte!
Also, since yesterday, I have been getting similar attacks from 3 other IPs from the USA.
Has anyone encountered similar things?
Note: I am trying to reach a (personally known) FBI field officer
from New York since I work a PMC.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>
itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack
Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)
USt-ID: DE 278 049 239
Linux-User #280138 with the Linux Counter, http://counter.li.org/