This isn't something new, but I think it is often overlooked: "slow and low" password brute forcing. One of the daily reports I like to look at is password brute force attempts. More or less "forever", a few networks have stuck out in these daily reports. The password brute force attempts are not particularly aggressive, with usually less than 10 attempts per day from any particular IP address. The other odd thing is that the accounts being brute forced don't exist, with a heavy focus on "@hotmail.com" accounts. By far the most aggressive network is 193.201.224.0/22, "Besthosting" in Ukraine, followed by another Ukrainian network, 91.207.7.0/24 (Steephost). The top brute forced domains: gmail.com The intent isn't perfectly clear as the accounts don't exist, and the attempts are not very aggressive (maybe to avoid getting locked out?). Anybody observing similar attacks and able to figure out what they are after?
---
Johannes 4473 Posts ISC Handler Sep 7th 2014
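An added example (not from the diary or its author) of how a daily report like the one described above can be built from authentication-failure logs. It aggregates failures per /24 source network over a multi-day window and flags networks that keep returning at a rate a per-IP lockout never triggers, reports what share of the targeted accounts do not exist locally, and lists local-parts that were tried under more than one mail provider domain. The log line format, the `LOCAL_ACCOUNTS` set, the sample lines and the thresholds are all constructed for the example; adapt the regex to your own mail or web server logs.

```python
"""Detect 'slow and low' password brute forcing from auth-failure logs.

Added example, not from the ISC diary. The line format, account list and
thresholds below are constructed placeholders.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed log format: ISO timestamp, event name, user, remote IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ auth-fail user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)

# Constructed set of accounts that really exist on this server.
LOCAL_ACCOUNTS = {"alice@example.org", "bob@example.org"}

# Constructed sample: a couple of failures per day from one /24 over three
# days, aimed at accounts that do not exist here, with the same local-part
# retried under several provider domains.
SLOW_LINES = [
    "2014-09-01T02:11:09 auth-fail user=john.smith@hotmail.com rip=203.0.113.14",
    "2014-09-01T09:42:51 auth-fail user=john.smith@gmail.com rip=203.0.113.14",
    "2014-09-02T03:05:12 auth-fail user=maria.k@hotmail.com rip=203.0.113.77",
    "2014-09-02T17:30:44 auth-fail user=maria.k@yahoo.com rip=203.0.113.77",
    "2014-09-03T01:59:30 auth-fail user=john.smith@yahoo.com rip=203.0.113.91",
    "2014-09-03T21:08:17 auth-fail user=bob.j@hotmail.com rip=203.0.113.91",
]
# A conventional high-rate burst from one host in a single day: an ordinary
# per-IP lockout handles this, and the slow-and-low rule must not flag it.
BURST_LINES = [
    f"2014-09-03T22:14:{i:02d} auth-fail user=alice@example.org rip=198.51.100.5"
    for i in range(30)
]
SAMPLE_LOG = SLOW_LINES + BURST_LINES + ["2014-09-03T22:15:00 unrelated line"]


def parse(lines):
    """Yield (day, user, ip) for each auth-failure line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user").lower(), m.group("ip")


def summarize(events):
    """Aggregate failures per /24 source network."""
    nets = defaultdict(lambda: {"per_day": defaultdict(int), "ips": set(),
                                "users": set(), "nonexistent": 0, "total": 0})
    for day, user, ip in events:
        net = str(ip_network(f"{ip}/24", strict=False))
        s = nets[net]
        s["total"] += 1
        s["per_day"][day] += 1
        s["ips"].add(ip)
        s["users"].add(user)
        if user not in LOCAL_ACCOUNTS:
            s["nonexistent"] += 1
    return nets


def domain_substitution(users):
    """Return local-parts that were tried under more than one mail domain."""
    domains = defaultdict(set)
    for u in users:
        if "@" in u:
            local, dom = u.rsplit("@", 1)
            domains[local].add(dom)
    return {local for local, doms in domains.items() if len(doms) > 1}


def find_slow_and_low(lines, min_days=3, max_per_day=5, min_total=5):
    """Flag networks that keep coming back at a rate a per-IP lockout never sees."""
    findings = {}
    for net, s in summarize(parse(lines)).items():
        days = len(s["per_day"])
        peak = max(s["per_day"].values())
        if days >= min_days and peak <= max_per_day and s["total"] >= min_total:
            findings[net] = {
                "total": s["total"],
                "days_active": days,
                "peak_per_day": peak,
                "distinct_ips": len(s["ips"]),
                "nonexistent_ratio": s["nonexistent"] / s["total"],
                "substituted_localparts": sorted(domain_substitution(s["users"])),
            }
    return findings


if __name__ == "__main__":
    for net, f in find_slow_and_low(SAMPLE_LOG).items():
        print(net, f)
```

Run on the constructed sample, only 203.0.113.0/24 is reported: six failures over three days with a peak of two per day, every targeted account nonexistent, and two local-parts tried under multiple provider domains. The 30-attempt burst from 198.51.100.5 is not reported because it is a one-day event that a normal lockout already covers. In practice the window should span weeks, since the diary's networks show up at a few attempts per day for months.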
Sep 7th 2014
Which service are they going after? I'm guessing SMTP/POP3/IMAP?
Anonymous
Sep 8th 2014
I have checked through some of our logs, and am seeing traffic from the 91.207.7. network on udp/1033 and udp/14482. Pattern is 2 tries per hour within about 30 seconds of each other.
Craig 2 Posts
Sep 8th 2014
You mentioned in this morning's podcast you used various scripts to scan you server logs. Are any of these something you would share? I'm assuming that you grep the logs with some regex's.
Thanks!
chrisl1977 6 Posts
Sep 8th 2014
I too am seeing a very low/slow use of these IPs on my secure web server. The IP 91.207.7.209 was active for about 20 connection attempts back from May 28th to June 18th. The IP range 193.201.224.0/22 saw about 205 attempts from June 25th to September 4th using several IPs. All activity was to port 80 and nothing "upset" my IPS to cause it to capture packets.
chrisl1977 1 Posts
Sep 8th 2014
Besides "slow and low", "distributed" type brute force attacks are common for the WordPress websites we host, i.e. 3-4 login attempts from each source IP.
A few ways to mitigate: captcha, 2FA and geo-blocking. Geo-blocking was very effective for us; we limit the login page to our country's IP range only. This works because we are not in a big country such as the US or Russia.
Mike7 43 Posts
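As an added example (not Mike7's own setup), here is a login gate that combines the geo-blocking idea with failure budgets keyed by source IP, by /24 source network and by target username, so that 3-4 failures from each of several hosts in the same range are still caught even though no single IP ever trips a per-IP limit. `ALLOWED_RANGES`, the thresholds and the simulated traffic are constructed placeholders; the allowlist would be filled from the address ranges you actually serve.

```python
"""Login gate: CIDR allowlist plus per-IP, per-/24 and per-user failure budgets.

Added example, not from the thread. Ranges, limits and simulated traffic
are constructed placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed allowlist standing in for "our country's IP ranges".
ALLOWED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


class LoginGate:
    def __init__(self, allowed=ALLOWED_RANGES, per_ip=5, per_net=12, per_user=8):
        self.allowed = allowed
        self.limits = {"ip": per_ip, "net": per_net, "user": per_user}
        # One failure counter per key kind (ip, net, user).
        self.failures = {k: defaultdict(int) for k in self.limits}

    def geo_allowed(self, ip):
        """True if the client address falls inside one of the allowed ranges."""
        addr = ip_address(ip)
        return any(addr in net for net in self.allowed)

    def keys(self, ip, username):
        """The three counter keys an attempt is charged against."""
        return {"ip": ip,
                "net": str(ip_network(f"{ip}/24", strict=False)),
                "user": username.lower()}

    def check(self, ip, username):
        """Return a refusal reason, or None if the attempt may proceed."""
        if not self.geo_allowed(ip):
            return "outside allowed ranges"
        for kind, key in self.keys(ip, username).items():
            if self.failures[kind][key] >= self.limits[kind]:
                return f"{kind} budget exhausted"
        return None

    def record_failure(self, ip, username):
        for kind, key in self.keys(ip, username).items():
            self.failures[kind][key] += 1

    def record_success(self, ip, username):
        # Reset only the user counter; suspicion of the network should persist.
        self.failures["user"].pop(username.lower(), None)


def simulate_distributed(gate, username="admin", hosts=4, tries_each=3):
    """Constructed traffic shaped like the distributed pattern from the thread:
    a few failures from each of several hosts in the same /24.
    Returns how many of the attempts the gate refused."""
    refused = 0
    for h in range(1, hosts + 1):
        ip = f"203.0.113.{h}"
        for _ in range(tries_each):
            if gate.check(ip, username) is not None:
                refused += 1
            else:
                gate.record_failure(ip, username)
    return refused


if __name__ == "__main__":
    gate = LoginGate()
    print("refused:", simulate_distributed(gate))
    print(gate.check("203.0.113.5", "admin"))
    print(gate.check("192.0.2.1", "admin"))
```

With the placeholder limits, four hosts making three attempts each never exceed the per-IP budget of 5, but the shared username budget of 8 is exhausted on the ninth attempt, so the last four are refused; a client outside the allowed ranges is refused before any counter is consulted. The per-user budget is what defeats the distributed pattern, and it is worth pairing with captcha or 2FA rather than a hard lockout so that an attacker cannot lock a legitimate user out on purpose.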
Sep 9th 2014
Someone on Reddit mentioned experiencing a similar attack, but they found that the person was looking for accounts that may have migrated email addresses while retaining the same password. Basically they had an old credentials list, and what they were doing is substituting more popular / modern email providers with the same username. Surprisingly, the script kiddie was having some success with the list.
http://www.reddit.com/r/talesfromtechsupport/comments/2g2jlx/the_socalled_gmail_credentials_leak_and_the/
Mike7 1 Posts
Sep 11th 2014