From: Mark C. <pub...@ch...> - 2016-09-10 20:26:51
Just found this in my logs. Notice that the spammer alternates among several addresses within the same class B network (in this case, two different class Bs) in order to avoid detection. Any chance we could add a signature for this?

> Sep 10 19:11:00 smtp postfix/smtpd[27607]: connect from unknown[182.38.196.133]
> Sep 10 19:11:01 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.196.133]
> Sep 10 19:11:01 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.196.133] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:01 smtp postfix/smtpd[27607]: connect from unknown[182.38.137.123]
> Sep 10 19:11:01 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.137.123]
> Sep 10 19:11:01 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.137.123] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:03 smtp postfix/smtpd[27607]: connect from unknown[182.38.149.228]
> Sep 10 19:11:03 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.149.228]
> Sep 10 19:11:03 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.149.228] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:04 smtp postfix/smtpd[27607]: connect from unknown[182.38.234.76]
> Sep 10 19:11:04 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.234.76]
> Sep 10 19:11:04 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.234.76] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:05 smtp postfix/smtpd[27607]: connect from unknown[182.38.134.177]
> Sep 10 19:11:05 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.134.177]
> Sep 10 19:11:05 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.134.177] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:17 smtp postfix/smtpd[27607]: connect from unknown[182.38.139.99]
> Sep 10 19:11:18 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.139.99]
> Sep 10 19:11:18 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.139.99] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:18 smtp postfix/smtpd[27607]: connect from unknown[123.170.205.156]
> Sep 10 19:11:19 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.205.156]
> Sep 10 19:11:19 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.205.156] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:22 smtp postfix/smtpd[27607]: connect from unknown[123.170.207.50]
> Sep 10 19:11:23 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.207.50]
> Sep 10 19:11:23 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.207.50] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:24 smtp postfix/smtpd[27607]: connect from unknown[123.170.206.248]
> Sep 10 19:11:25 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.206.248]
> Sep 10 19:11:25 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.206.248] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:25 smtp postfix/smtpd[27607]: connect from unknown[123.170.205.80]
> Sep 10 19:11:26 smtp postfix/smtpd[27607]: lost connection after EHLO from unknown[123.170.205.80]
> Sep 10 19:11:26 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.205.80] ehlo=1 commands=1
> Sep 10 19:11:30 smtp postfix/smtpd[27607]: connect from unknown[182.38.149.234]
> Sep 10 19:11:30 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.149.234]
> Sep 10 19:11:30 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.149.234] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:31 smtp postfix/smtpd[27607]: connect from unknown[123.170.205.156]
> Sep 10 19:11:32 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.205.156]
> Sep 10 19:11:32 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.205.156] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:32 smtp postfix/smtpd[27607]: connect from unknown[123.170.195.250]
> Sep 10 19:11:33 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.195.250]
> Sep 10 19:11:33 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.195.250] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:34 smtp postfix/smtpd[27607]: connect from unknown[123.170.241.118]
> Sep 10 19:11:35 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.241.118]
> Sep 10 19:11:35 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.241.118] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:35 smtp postfix/smtpd[27607]: connect from unknown[182.38.135.69]
> Sep 10 19:11:36 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.135.69]
> Sep 10 19:11:36 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.135.69] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:36 smtp postfix/smtpd[27607]: connect from unknown[182.38.138.76]
> Sep 10 19:11:36 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.138.76]
> Sep 10 19:11:36 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.138.76] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:37 smtp postfix/smtpd[27607]: connect from unknown[123.170.202.168]
> Sep 10 19:11:37 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[123.170.202.168]
> Sep 10 19:11:37 smtp postfix/smtpd[27607]: disconnect from unknown[123.170.202.168] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:37 smtp postfix/smtpd[27607]: connect from unknown[182.38.137.123]
> Sep 10 19:11:38 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.137.123]
> Sep 10 19:11:38 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.137.123] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:38 smtp postfix/smtpd[27607]: connect from unknown[182.38.232.194]
> Sep 10 19:11:39 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.232.194]
> Sep 10 19:11:39 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.232.194] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:39 smtp postfix/smtpd[27607]: connect from unknown[182.38.195.172]
> Sep 10 19:11:39 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.195.172]
> Sep 10 19:11:39 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.195.172] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:40 smtp postfix/smtpd[27607]: connect from unknown[182.38.149.228]
> Sep 10 19:11:41 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.149.228]
> Sep 10 19:11:41 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.149.228] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:41 smtp postfix/smtpd[27607]: connect from unknown[182.38.131.199]
> Sep 10 19:11:41 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.131.199]
> Sep 10 19:11:41 smtp postfix/smtpd[27607]: disconnect from unknown[182.38.131.199] ehlo=1 auth=0/1 commands=1/2
> Sep 10 19:11:42 smtp postfix/smtpd[27607]: connect from unknown[182.38.233.22]
> Sep 10 19:11:42 smtp postfix/smtpd[27607]: lost connection after AUTH from unknown[182.38.233.22]
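
Added example, not part of the original post and not code from any filtering tool: a detector that groups Postfix "lost connection after AUTH" events by network prefix instead of by single address, so failures spread across one /16 still add up. The function name, thresholds, time window and year are assumptions, and the sample lines are constructed with private addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Matches "lost connection after AUTH" lines in the Postfix format quoted above.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S*\[(\d+\.\d+\.\d+\.\d+)\]")

def flag_networks(lines, prefix_len=16, min_events=5, min_hosts=3,
                  window=timedelta(minutes=10), year=2016):
    """Return {network: (events, distinct_hosts)} for networks over threshold."""
    # Assumed defaults; syslog lines carry no year, so one must be supplied.
    events = defaultdict(list)  # network -> [(timestamp, ip), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        try:
            net = ip_network(f"{m.group(2)}/{prefix_len}", strict=False)
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue
        events[str(net)].append((ts, m.group(2)))
    flagged = {}
    for net, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {ip for _, ip in evs[start:end + 1]}
            count = end - start + 1
            if count >= min_events and len(hosts) >= min_hosts:
                flagged[net] = max(flagged.get(net, (0, 0)), (count, len(hosts)))
    return flagged

# Constructed sample lines (private addresses), not taken from the post.
_FMT = ("Sep 10 19:{:02d}:00 smtp postfix/smtpd[100]: "
        "lost connection after AUTH from unknown[{}]")
SAMPLE = [_FMT.format(minute, ip) for minute, ip in [
    (11, "10.20.1.5"), (11, "10.20.77.9"), (12, "10.20.130.4"),
    (12, "10.20.1.5"), (13, "10.20.200.8"),  # 5 events, 4 hosts in one /16
    (11, "10.99.3.3"), (40, "10.99.4.4"),    # too few events to flag
]]
```

Calling `flag_networks(SAMPLE)` flags 10.20.0.0/16, while `prefix_len=32` (per-host counting) flags nothing on the same input.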